GAO Bid Protest Docket
Protestor: Oracle America, Inc.
Solicitation Number: HQ0034-18-R-0077
Agency: Department of Defense, Director of Administration and Management, Washington, D.C.
File Number: B-416657.1
Oracle America, Inc. (“Oracle”), by its undersigned counsel [Arnold & Porter
Kaye Scholer LLP, Washington, DC], files this pre-award protest challenging
(among other things) the decision of the Department of Defense
(“Department” or “DoD”) to make a single, potential 10-year, $10 billion
Indefinite Delivery Indefinite Quantity (“IDIQ”) contract award under
Solicitation No. HQ0034-18-R-0077 (the "RFP"). The RFP seeks a Joint
Enterprise Defense Infrastructure (“JEDI”) Cloud for use by DoD and other
entities involved in DoD business. The JEDI Cloud will provide infrastructure
as a service (“IaaS”) and platform as a service (“PaaS”) offerings, in both
unclassified and classified environments, to support DoD business and
mission operations in the homeland and abroad, including the full range of
military operations.
DoD's single awardee IDIQ contract approach is contrary to statutory and
regulatory requirements; contrary to the perspective of numerous industry
experts that a multi-vendor IDIQ contract offers the most advantageous
approach for DoD's near term and long term technology requirements;
contrary to the market trend toward multi-cloud environments; and contrary
to DoD's own stated objectives of flexibility, innovation, a broad industrial
base, and keeping pace with evolving technology. DoD is a complex,
heterogeneous computing environment driven by unique (in many cases,
non-commercial) requirements for security, scalability, performance, and
government-specific purpose built features. Standardizing on a single cloud
today makes no more sense than standardizing on a single on premise
computing architecture decades ago.
Source: Arnold & Porter. Pre-award Protest of Oracle America, Inc. Under RFP No.
HQ0034-18-R0077, Department of Defense Joint Enterprise Defense Infrastructure
Cloud. August 6, 2018. https://regmedia.co.uk/2018/08/07/oracle_pre_award_protest.pdf
MOAT AROUND THE CASTLE
The “moat around the castle” defense is the tried-and-true way to handle
computer network security, to keep cyber attackers out. “Flat” networks focus
on providing reliable and fast connectivity for all devices on the network, while
security efforts hone in on isolating external networks from internal networks.
This traditional approach, however, no longer works to secure the modern
enterprise's complex web of interconnected digitized networks, or the
cyber attackers with their ever-evolving tricks — which has led to high-profile
breaches like the recent WannaCry ransomware attack. Companies are
moving data in and out of networks every second. Yet, while they move to a
more mobile workforce to relocate IT services to the cloud, there is a blurring
line between the enterprise network and the external network.
Instead, network segmentation, or splitting a network into subnetworks, is
the best way to phase out outdated security approaches, says Fredrik
Lindstrom, Manager CIO Advisory at KPMG.1
Source: CIO. IDG Communications. KPMG. Network Segmentation as Security Imperative.
Network segmentation, or splitting a network into subnetworks, is the best way to phase
out outdated security approaches. July 13, 2017, accessed August 8, 2018
https://www.cio.com/article/3208025/leadership-management/network-segmentation-as-security-imperative.html
MATTIS DECLARES VIGILANCE TO BE THE BEST CYBER DEFENSE
By Justin Lynch. FIFTH DOMAIN.
June 25, 2018, accessed August 8, 2018
https://www.ffthdomain.com/dod/2018/06/25/mattis-declares-vigilance-to-be-the-best-cyber-defense/
In the lineage of warnings like “loose lips sink ships,” Secretary of Defense
James Mattis warned Department of Defense employees in a memo to “remain
vigilant” in a world where secrets can fall into the hands of digital intruders,
coming after a series of high-profile data breaches that has embarrassed
America's top defense officials.
1 KPMG (Klynveld Peat Marwick Goerdeler). One of the Big Four auditors, along with Deloitte,
Ernst & Young (EY), and PricewaterhouseCoopers (PwC).
For the estimated 2 million Defense Department employees, the secretary's
warning served as more of a pep-talk than a crash course in digital security.
“There can be no complacency,” the memo warned. “Vigilance is our best
defense” against losing sensitive data, it added.
On June 20, lawmakers appear to have been briefed on the hack. Rep. Adam
Smith, D-Wash., lashed out at the military for its lack of cyber preparedness.
“It was shocking how disorganized, unprepared and, quite frankly, utterly
clueless the branch of the military was that [it] had been breached,” Smith said
during a hearing on June 21. “Even in this day and age, we still have not
figured out how to put together a cyber policy to protect our assets.”
And baked into the secretary's memo appears to be at least one other reference
to a high-profile breach of sensitive Defense Department information.
“Protect your health, biometrics and financial information,” Mattis warned in
the memo, which was written seven months after sensitive military outposts
were revealed using data from the Strava fitness app. While Mattis' memo did
not address the alleged China hack or Strava incident by name, it was
clear-eyed regarding the consequences for poor cyber hygiene.
“The potential consequences of compromised data could be serious, not just for
you and your families, but for the readiness and resiliency of this department.”
________________________________________________________
HACKERS UNLEASHED ON PENTAGON, AGAIN
By: Mark Pomerleau. FIFTH DOMAIN.
April 3, 2018, accessed August 8, 2018
https://www.ffthdomain.com/dod/2018/04/03/hackers-unleashed-on-pentagon-again/
The Department of Defense is turning hackers loose on its networks yet again.
The fifth iteration of the “Hack the Pentagon” bug bounty program, which
launched April 1 and closes April 29, will focus on identifying flaws in the
public-facing websites of the Defense Travel System, an enterprise system DoD
employees use to book travel across the globe.
“The DoD has seen tremendous success to date working with hackers to secure
our vital systems, and we’re looking forward to taking a page from their
playbook,” said Jack Messer, project lead at Defense Manpower Data Center.
“We’re excited to be working with the global ethical hacker community, and
the diverse perspectives they bring to the table, to continue to secure our
critical systems.”
The newest iteration — which is continuing to work with HackerOne, an
organization that helps companies run bug bounties — will allow participants
that are U.S. citizens; are eligible to work in the United Kingdom, Canada,
Australia or New Zealand; are active military members; and/or are contractors.
However, military and contractors will not be eligible for the hundreds of
thousands of dollars in cash rewards.
“Millions of government employees and contractors use and rely upon key
enterprise systems every day,” said Reina Staley, chief of staff at Defense
Digital Service.
“Any compromise of the system or the sensitive information it handles would
be detrimental to our people and our mission. These bug bounty challenges are
a way to give talent outside the public sector a channel to safely disclose
security issues and get rewarded for these acts of patriotism.”
__________________
HERE ARE THE RESULTS OF THE LATEST HACK THE PENTAGON
By: Mark Pomerleau. FIFTH DOMAIN.
May 30, 2018, Accessed August 8, 2018
https://www.ffthdomain.com/dod/2018/05/30/heres-the-results-of-the-latest-hack-the-pentagon/
White hat hacker company HackerOne released the results of the fifth iteration
of the “Hack the Pentagon” bug bounty program, focused on identifying flaws
in the public-facing websites of the Defense Travel System, an enterprise
system DoD employees use to book travel across the globe.
The month-long effort included 19 vetted hackers primarily from the United
States and United Kingdom, HackerOne said. The group reported 65
vulnerabilities, 28 of which ranked high or critical in severity.
“The 'Hack the DT'’ challenge helped uncover vulnerabilities we wouldn’t have
found otherwise, complementing the great work [Defense Manpower Data
Center] is already doing to protect critical enterprise systems and the people
those systems serve,” said Jack Messer, project lead at DMDC.
The Hack the Pentagon initiative in totality has disclosed over 3,000
vulnerabilities in government systems. In addition to the Pentagon initiative,
the Army and Air Force have launched similar bug bounties in concert with
HackerOne.
________________________________________________________
'TRIED AND TRUE' NETWORK SEGMENTATION CAN COME TO THE RESCUE
By Security Roundtable Staff
SecurityRoundtable.org, Palo Alto Networks®
February 9, 2018, accessed August 8, 2018
https://www.securityroundtable.org/tried-true-network-segmentation-can-come-rescue/
Implementing network segmentation is a complex affair that will ultimately
change your business processes and IT systems and processes in ways that
effectively reduce enterprise risk from cyber incidents.
It may be a major undertaking to introduce segmentation, but with the increase
of sophisticated cyber criminals, the benefits outweigh the costs.
Network segmentation adds a thick layer of interior defense to the outside wall,
and helps protect businesses from being completely exposed, even after a
security breach. Being sure to implement the process in a steady, strategic way,
and starting from a small pilot, can help ease the burden of transition.
A FRAMEWORK TO PROTECT DATA THROUGH SEGMENTATION
By Jazib Frahim, Principal Engineer and Aun Raza, Consulting Engineer
Cisco Security Research & Operations
Accessed August 8, 2018
https://www.cisco.com/c/en/us/about/security-center/framework-segmentation.html#7
The concept of segmentation is nothing new. In ancient history, Romans
created fighting units based on the ethnic and geographic identity of captured
warriors. The idea was simple: group the warriors with similar backgrounds
together so they can bond and eventually become better fighting units.
Throughout history, this concept has been used as a basis for creating religious,
ethnic, geographic, gender-based, and political groups [1]. As we look at the
digital world, organizations have been performing user, traffic, or data
segmentation through logical or physical means to protect core parts of their
infrastructure.
Consolidating and centralizing the network infrastructure has been a key driver
for segmentation. Previously isolated application infrastructures are now
migrating to common shared physical and virtual networks that require
separation to maintain some level of isolation.
Similarly, networks have gone through a dramatic shift over the past few years
with the introduction of virtualization, containers, smart phones, tablets,
wireless connectivity and, of late, the Internet of Things (IoT).
Organizations have used policy enforcement through L2 technologies such as
VLANs, virtual routing and forwarding (VRF), and virtual firewalls as popular
methods of providing network segmentation.
The obvious question that comes to mind is, if organizations are already
segmenting their network components, why do we need to discuss this topic?
Before we answer this question, let us present a few data-points.
The traditional network architectures were built by placing the jewels of the
crown (the data) in a well-guarded castle (the data-center). You get a
comfortable feeling that all your critical resources are protected by a strong
perimeter and nothing can pass through your defenses if not explicitly allowed.
The biggest flaw with this design is: What if an unauthorized entity is already
inside the castle? What if the unauthorized entity already has access to the
jewels? What if the unauthorized entity has found a way to move the jewels out
of your castle?
We can all agree that the security landscape has changed in the last few years.
Cyber attacks are becoming more sophisticated and targeted. If you look at
recent data breaches, one thing that stands out is the layout of those networks.
To keep up with business demand, most companies with large networks
overlook most aspects of security, at times rendering their networks virtually
flat. Additionally, most organizations have limited traffic visibility and lack
properly defined segmentation policies. These data breaches demonstrate that
once malicious actors have penetrated your perimeter defenses, they can roam
freely in your network. As part of their reconnaissance activity, they try to
determine ways to access critical resources and data. If a network is flat and
users are able to access any resource with only limited security controls in
place, such as authentication or IP-based access-control lists, then there is very
little work an attacker needs to do to exploit those gaps.
What is needed is a new approach that can cater to today's application-focused
business environment, that can combine threat intelligence from various
sources, and that can build a complete context around end-to-end data
connections. This is an approach that can dynamically compartmentalize these
data connections based on the understanding of applications, users, consumers,
threat actors, and devices by building appropriate access-control methods.
Currently there is no framework that breaks an infrastructure into individual
components, builds connections between the relevant components, and then
applies access-control models for complete traffic separation. We need a
framework that is beyond the technical controls and products that are often
deployed as band-aids to address these security concerns, a framework that
provides senior management and network architects a blueprint to ensure that
segmentation is an indispensable part of the overall strategy.
ORACLE DATABASE (ORACLE DB)
Oracle database (Oracle DB) is a relational database management system
(RDBMS) from the Oracle Corporation. Originally developed in 1977 by
Lawrence Ellison and other developers, Oracle DB is one of the most trusted
and widely-used relational database engines. The system is built around a
relational database framework in which data objects may be directly accessed
by users (or an application front end) through structured query language (SQL).
Oracle is a fully scalable relational database architecture and is often used by
global enterprises, which manage and process data across wide and local area
networks. The Oracle database has its own network component to allow
communications across networks. A key feature of Oracle is that its
architecture is split between the logical and the physical. This structure means
that for large-scale distributed computing, also known as grid computing, the
data location is irrelevant and transparent to the user, allowing for a more
modular physical structure that can be added to and altered without affecting
the activity of the database, its data or users. The sharing of resources in this
way allows for very flexible data networks whose capacity can be adjusted up
or down to suit demand, without degradation of service.
It also allows for a robust system to be devised as there is no single point
at which a failure can bring down the database, as the networked schema
of the storage resources means that any failure would be local only.
[Emphasis Supplied]
Source: Techopedia. Oracle Database (Oracle DB). Accessed August 8, 2018
https://www.techopedia.com/defnition/8711/oracle-database
CYBERSECURITY IS THE KEYSTONE ISSUE FOR THE GAO
DOD JOINT ENTERPRISE DEFENSE INFRASTRUCTURE (“JEDI”) CLOUD
SINGLE AWARD ⎪ MULTIPLE AWARD
Original Source Reference: Pacific Business News. Oracle Files Protest Against $10B Pentagon
Cloud Contract. By Luke Stangel – Contributing writer. August 8, 2018
https://www.bizjournals.com/pacifc/news/2018/08/08/oracle-pentagon-jedi-contract-orcl-amzn-goog-msft.html?
ana=e_me_set3&s=newsletter&ed=2018-08-08&u=b1TiK2N3FHmAqzc9X35fIA013f99a0&t=1533763497&j=83158551

Oracle America,Iinc. - GAO Protest - DOD JEDI - Network Segmentation - Cybersecurity Keystone

  • 1. GAO Bid Protest Docket Protestor: Oracle America, Inc. Solicitation Number: HQ0034-18-R-0077 Agency: Department of Defense, Director of Administration and Management,Washington, D.C. File Number: B-416657.1 Oracle America, Inc. (“Oracle”), by its undersigned counsel [Arnold & Porter Kaye Scholer LLP, Washington, DC], fles this pre-award protest challenging (among other things) the decision of the Department of Defense (“Department” or “DoD”) to make a single, potential 10-year, $10 billion Indefnite Delivery Indefnite Quantity (“IDIQ”) contract award under Solicitation No. HQ0034-18-R-0077 (the "RFP"). The RFP seeks a Joint Enterprise Defense Infrastructure (“JEDI”) Cloud for use by DoD and other entities involved in DoD business. The JEDI Cloud will provide infrastructure as a service (“IaaS”) and platform as a service (“PaaS”) oferings, in both unclassifed and classifed environments, to support DoD business and mission operations in the homeland and abroad, including the full range of military operations. DoD's single awardee IDIQ contract approach is contrary to statutory and regulatory requirements; contrary to the perspective of numerous industry experts that a multi-vendor IDIQ contract ofers the most advantageous approach for DoD's near term and long term technology requirements; contrary to the market trend toward multi-cloud environments; and contrary to DoD's own stated objectives of fexibility, innovation, a broad industrial base, and keeping pace with evolving technology. DoD is a complex, heterogeneous computing environment driven by unique (in many cases, non-commercial) requirements for security, scalability, performance, and government-specifc purpose built features. Standardizing on a single cloud today makes no more sense than standardizing on a single on premise computing architecture decades ago. Source: Arnold & Porter. Pre-award Protest of Oracle America, Inc. Under RFP No. 
HQ0034-18-R0077, Department of Defense Joint Enterprise Defense Infrastructure Cloud. August 6, 2018. https://regmedia.co.uk/2018/08/07/oracle_pre_award_protest.pdf
  • 2. MOAT AROUND THE CASTLE The “moat around the castle” defense is the tried-and-true way to handle computer network security, to keep cyber attackers out. “Flat” networks focus on providing reliable and fast connectivity for all devices on the network, while security eforts hone in on isolating external networks from internal networks. This traditional approach, however, no longer works to secure the modern enterprise's complex web of interconnected digitized networks, or the cyber attackers with their ever-evolving tricks — which has led to high- profle breaches like the recent WannaCry ransomware attack. Companies are moving data in and out of networks every second. Yet, while they move to a more mobile workforce to relocate IT services to the cloud, there is a blurring line between the enterprise network and the external network. Instead, network segmentation, or splitting a network into subnetworks, is the best way to phase out outdated security approaches, says Fredrik Lindstrom, Manager CIO Advisory at KPMG.1 Source: CIO. IDG Communications. KPMG. Network Segmentation as Security Imperative. Network segmentation, or splitting a network into subnetworks, is the best way to phase out outdated security approaches. July 13, 2017, accessed August 8, 2018 https://www.cio.com/article/3208025/leadership-management/network-segmentation-as-security-imperative.html MATTIS DECLARES VIGILANCE TO BE THE BEST CYBER DEFENSE By Justin Lynch. FIFTH DOMAIN. June 25, 2018, accessed August 8, 2018 https://www.ffthdomain.com/dod/2018/06/25/mattis-declares-vigilance-to-be-the-best-cyber-defense/ In the lineage of warnings like “loose lips sink ships,” Secretary of Defense James Mattis warned Department of Defense employees in a memo to “remain vigilant” in a world where secrets can fall into the hands of digital intruders, coming after a series of high-profle data breaches that has embarrassed America's top defense ofcials. 
1 KPMG (Klynveld Peat Marwick Goerdeler). One of the Big Four auditors, along with Deloitte, Ernst & Young (EY), and PricewaterhouseCoopers (PwC).
  • 3. For the estimated 2 million Defense Department employees, the secretary's warning served as more of a pep-talk than a crash course in digital security. “There can be no complacency,” the memo warned. “Vigilance is our best defense” against losing sensitive data, it added. On June 20, lawmakers appear to have been briefed on the hack. Rep. Adam Smith, D-Wash., lashed out at the military for its lack of cyber preparedness. “It was shocking how disorganized, unprepared and, quite frankly, utterly clueless the branch of the military was that [it] had been breached,” Smith said during a hearing on June 21. “Even in this day and age, we still have not figured out how to put together a cyber policy to protect our assets.” And baked into the secretary's memo appears to be at least one other reference to a high-profile breach of sensitive Defense Department information. “Protect your health, biometrics and financial information,” Mattis warned in the memo, which was written seven months after sensitive military outposts were revealed using data from the Strava fitness app. While Mattis' memo did not address the alleged China hack or Strava incident by name, it was clear-eyed regarding the consequences for poor cyber hygiene. “The potential consequences of compromised data could be serious, not just for you and your families, but for the readiness and resiliency of this department.” ________________________________________________________ HACKERS UNLEASHED ON PENTAGON, AGAIN By: Mark Pomerleau. FIFTH DOMAIN. April 3, 2018, accessed August 8, 2018 https://www.ffthdomain.com/dod/2018/04/03/hackers-unleashed-on-pentagon-again/ The Department of Defense is turning hackers loose on its networks yet again. 
The fifth iteration of the “Hack the Pentagon” bug bounty program, which launched April 1 and closes April 29, will focus on identifying flaws in the public-facing websites of the Defense Travel System, an enterprise system DoD employees use to book travel across the globe.
  • 4. “The DoD has seen tremendous success to date working with hackers to secure our vital systems, and we’re looking forward to taking a page from their playbook,” said Jack Messer, project lead at Defense Manpower Data Center. “We’re excited to be working with the global ethical hacker community, and the diverse perspectives they bring to the table, to continue to secure our critical systems.” The newest iteration — which is continuing to work with HackerOne, an organization that helps companies run bug bounties — will allow participants that are U.S. citizens; are eligible to work in the United Kingdom, Canada, Australia or New Zealand; are active military members; and/or are contractors. However, military and contractors will not be eligible for the hundreds of thousands of dollars in cash rewards. “Millions of government employees and contractors use and rely upon key enterprise systems every day,” said Reina Staley, chief of staff at Defense Digital Service. “Any compromise of the system or the sensitive information it handles would be detrimental to our people and our mission. These bug bounty challenges are a way to give talent outside the public sector a channel to safely disclose security issues and get rewarded for these acts of patriotism.” __________________ HERE ARE THE RESULTS OF THE LATEST HACK THE PENTAGON By: Mark Pomerleau. FIFTH DOMAIN. May 30, 2018, Accessed August 8, 2018 https://www.ffthdomain.com/dod/2018/05/30/heres-the-results-of-the-latest-hack-the-pentagon/ White hat hacker company HackerOne released the results of the fifth iteration of the “Hack the Pentagon” bug bounty program, focused on identifying flaws in the public-facing websites of the Defense Travel System, an enterprise system DoD employees use to book travel across the globe.
  • 5. The month-long effort included 19 vetted hackers primarily from the United States and United Kingdom, HackerOne said. The group reported 65 vulnerabilities, 28 of which ranked high or critical in severity. “The 'Hack the DT' challenge helped uncover vulnerabilities we wouldn’t have found otherwise, complementing the great work [Defense Manpower Data Center] is already doing to protect critical enterprise systems and the people those systems serve,” said Jack Messer, project lead at DMDC. The Hack the Pentagon initiative in totality has disclosed over 3,000 vulnerabilities in government systems. In addition to the Pentagon initiative, the Army and Air Force have launched similar bug bounties in concert with HackerOne. ________________________________________________________ 'TRIED AND TRUE' NETWORK SEGMENTATION CAN COME TO THE RESCUE By Security Roundtable Staff SecurityRoundtable.org, Palo Alto Networks® February 9, 2018, accessed August 8, 2018 https://www.securityroundtable.org/tried-true-network-segmentation-can-come-rescue/ Implementing network segmentation is a complex affair that will ultimately change your business processes and IT systems and processes in ways that effectively reduce enterprise risk from cyber incidents. It may be a major undertaking to introduce segmentation, but with the increase of sophisticated cyber criminals, the benefits outweigh the costs. Network segmentation adds a thick layer of interior defense to the outside wall, and helps protect businesses from being completely exposed, even after a security breach. Being sure to implement the process in a steady, strategic way, and starting from a small pilot, can help ease the burden of transition.
  • 6. A FRAMEWORK TO PROTECT DATA THROUGH SEGMENTATION By Jazib Frahim, Principal Engineer and Aun Raza, Consulting Engineer Cisco Security Research & Operations Accessed August 8, 2018 https://www.cisco.com/c/en/us/about/security-center/framework-segmentation.html#7 The concept of segmentation is nothing new. In ancient history, Romans created fighting units based on the ethnic and geographic identity of captured warriors. The idea was simple: group the warriors with similar backgrounds together so they can bond and eventually become better fighting units. Throughout history, this concept has been used as a basis for creating religious, ethnic, geographic, gender-based, and political groups [1]. As we look at the digital world, organizations have been performing user, traffic, or data segmentation through logical or physical means to protect core parts of their infrastructure. Consolidating and centralizing the network infrastructure has been a key driver for segmentation. Previously isolated application infrastructures are now migrating to common shared physical and virtual networks that require separation to maintain some level of isolation. Similarly, networks have gone through a dramatic shift over the past few years with the introduction of virtualization, containers, smart phones, tablets, wireless connectivity and, of late, the Internet of Things (IoT). Organizations have used policy enforcement through L2 technologies such as VLANs, virtual routing and forwarding (VRF), and virtual firewalls as popular methods of providing network segmentation. The obvious question that comes to mind is, if organizations are already segmenting their network components, why do we need to discuss this topic? Before we answer this question, let us present a few data-points. The traditional network architectures were built by placing the jewels of the crown (the data) in a well-guarded castle (the data-center). 
You get a comfortable feeling that all your critical resources are protected by a strong perimeter and nothing can pass through your defenses if not explicitly allowed.
  • 7. The biggest flaw with this design is: What if an unauthorized entity is already inside the castle? What if the unauthorized entity already has access to the jewels? What if the unauthorized entity has found a way to move the jewels out of your castle? We can all agree that the security landscape has changed in the last few years. Cyber attacks are becoming more sophisticated and targeted. If you look at recent data breaches, one thing that stands out is the layout of those networks. To keep up with business demand, most companies with large networks overlook most aspects of security, at times rendering their networks virtually flat. Additionally, most organizations have limited traffic visibility and lack properly defined segmentation policies. These data breaches demonstrate that once malicious actors have penetrated your perimeter defenses, they can roam freely in your network. As part of their reconnaissance activity, they try to determine ways to access critical resources and data. If a network is flat and users are able to access any resource with only limited security controls in place, such as authentication or IP-based access-control lists, then there is very little work an attacker needs to do to exploit those gaps. What is needed is a new approach that can cater to today's application-focused business environment, that can combine threat intelligence from various sources, and that can build a complete context around end-to-end data connections. This is an approach that can dynamically compartmentalize these data connections based on the understanding of applications, users, consumers, threat actors, and devices by building appropriate access-control methods. Currently there is no framework that breaks an infrastructure into individual components, builds connections between the relevant components, and then applies access-control models for complete traffic separation. 
We need a framework that is beyond the technical controls and products that are often deployed as band-aids to address these security concerns, a framework that provides senior management and network architects a blueprint to ensure that segmentation is an indispensable part of the overall strategy.
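The flat-versus-segmented argument above, worked as an added example (not taken from the Cisco paper or the original slides): it lists components, the permitted connections between them, and a default-deny access rule, then measures how far a single compromised host can reach. Host names, segment names and allowed flows are constructed for illustration.

```python
from collections import deque

# Constructed inventory: host -> segment (all names are hypothetical).
HOSTS = {
    "laptop-17": "users",
    "printer-3": "users",
    "web-1": "dmz",
    "app-1": "app",
    "db-1": "data",      # the "jewels" in the castle metaphor
    "backup-1": "data",
}

# Segment-to-segment flows that are explicitly permitted; all others are denied.
ALLOWED_FLOWS = {("users", "dmz"), ("dmz", "app"), ("app", "data")}


def can_connect(src, dst, segmented):
    """Flat network: every host reaches every host. Segmented: default deny."""
    if not segmented:
        return True
    s, d = HOSTS[src], HOSTS[dst]
    return s == d or (s, d) in ALLOWED_FLOWS


def blast_radius(start, segmented, max_hops=None):
    """Map each host reachable from a compromised start host to the number
    of successive hosts that must be crossed to get there (BFS)."""
    seen = {start: 0}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if max_hops is not None and seen[cur] >= max_hops:
            continue
        for nxt in HOSTS:
            if nxt not in seen and can_connect(cur, nxt, segmented):
                seen[nxt] = seen[cur] + 1
                queue.append(nxt)
    seen.pop(start)
    return seen


if __name__ == "__main__":
    print("flat:     ", blast_radius("laptop-17", segmented=False))
    print("segmented:", blast_radius("laptop-17", segmented=True))
    print("direct:   ", blast_radius("laptop-17", segmented=True, max_hops=1))
```

In the flat case every host, including the database, is directly exposed to the compromised laptop; in the segmented case the database is only reachable through three intermediate enforcement points, each of which is a place to apply policy and collect traffic visibility.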
  • 8. ORACLE DATABASE (ORACLE DB) Oracle database (Oracle DB) is a relational database management system (RDBMS) from the Oracle Corporation. Originally developed in 1977 by Lawrence Ellison and other developers, Oracle DB is one of the most trusted and widely-used relational database engines. The system is built around a relational database framework in which data objects may be directly accessed by users (or an application front end) through structured query language (SQL). Oracle is a fully scalable relational database architecture and is often used by global enterprises, which manage and process data across wide and local area networks. The Oracle database has its own network component to allow communications across networks. A key feature of Oracle is that its architecture is split between the logical and the physical. This structure means that for large-scale distributed computing, also known as grid computing, the data location is irrelevant and transparent to the user, allowing for a more modular physical structure that can be added to and altered without affecting the activity of the database, its data or users. The sharing of resources in this way allows for very flexible data networks whose capacity can be adjusted up or down to suit demand, without degradation of service. It also allows for a robust system to be devised as there is no single point at which a failure can bring down the database, as the networked schema of the storage resources means that any failure would be local only. [Emphasis Supplied] Source: Techopedia. Oracle Database (Oracle DB). Accessed August 8, 2018 https://www.techopedia.com/defnition/8711/oracle-database CYBERSECURITY IS THE KEYSTONE ISSUE FOR THE GAO DOD JOINT ENTERPRISE DEFENSE INFRASTRUCTURE (“JEDI”) CLOUD SINGLE AWARD ⎪ MULTIPLE AWARD Original Source Reference: Pacific Business News. Oracle Files Protest Against $10B Pentagon Cloud Contract. By Luke Stangel – Contributing writer. 
August 8, 2018 https://www.bizjournals.com/pacifc/news/2018/08/08/oracle-pentagon-jedi-contract-orcl-amzn-goog-msft.html? ana=e_me_set3&s=newsletter&ed=2018-08-08&u=b1TiK2N3FHmAqzc9X35fIA013f99a0&t=1533763497&j=83158551