The Patent and Trademark Office wants to improve the security of its crown jewels

The U.S. Patent and Trademark Office (USPTO) recently expanded a contract to improve the cybersecurity of its main databases, as well as move the agency to that...

The U.S. Patent and Trademark Office (USPTO) recently expanded a contract to improve the cybersecurity of its main databases, as well as move the agency to that all-important zero-trust architecture. For the details, Federal Drive with Tom Temin spoke with the USPTO Chief Information Officer Jamie Holcombe and the President of Trustwave Government Solutions, Bill Rucker.

Interview Transcript: 

Tom Temin All right. Let’s begin at the beginning here. What is this contract covering? What is it you’re trying to protect here from a database standpoint? Jamie?

Jamie Holcombe Well, we have some of the country’s most guarded secrets, and that’s our intellectual property. Those novel and unique innovations that our applicant sent to us to get patented. And so what we need to do is ensure that when we store this in our databases, that they remain secure and that we have that sacred duty to ensure that nobody else sees them. And so because of that, we want to increase our security posture. It’s always been secure. But with the new threats and the new vulnerabilities out there, when we introduced new applications, we want to ensure that our security is coming up to the new modernized standards as well. We’re doing a lot of things out in the cloud, too. So we want to ensure that we’re scanning our databases and ensuring that all those new hacks and those new attacks are taken care of, monitored and alerted.

Tom Temin And just to give us a sense of the extent of the database, how large it is and what’s in there. This is used by patent examiners to look for prior art, that kind of thing.

Jamie Holcombe Oh, that’s exactly right. In fact, we have nine petabytes addressable online ready to go for any of our examiners to search for prior art. And that’s the term used when you’re ensuring that it’s unique and novel, that it hasn’t been done before any time in history. So it’s a really sacred duty and I can’t believe these examiners do that. My hat’s off to them for having the ability to search far and wide to ensure that these patents are that unique and novel concept. And so we have the security duty to make sure that we scan and we ensure nobody else is getting to those data elements. And that’s what this new contract is doing. We’re trying to get to that zero trust architecture maturing along the five pillars. And one of those huge pillars is data. And the data element is very key. Now, not everything needs to be protected, Tom. What we’re trying to do is ensure that we’re protecting only what needs to be and that other things, PII personally identifiable information as well as BII, which is business identifiable information. We’re trying to keep those in a yellow status where, what I was just talking about, is in our red status. And then we have public information which is on our green status. So in essence, I’m trying to create a wedding layer cake with a green foundation base, a yellow center middle, and then a red topping. That’s where we need to put our most secure data, and that’s where we need to ensure that we’re doing all the scanning and ensuring that we take care of all these new attacks.

Tom Temin I guess you wouldn’t want to smash that cake into the groom’s face with all those flavors and colors. And Bill, tell us, what are some of the latest technical trends in protecting databases? What’s different between now and, say, in the eighties, nineties and aughts.

Bill Rucker When people look at protecting systems, especially when it comes to vulnerabilities in really far before zero trust scanning systems and workstations and servers and things were never really, wasn’t a big deal to say that vulnerability scanning was kind of a common practice as data became more and more important and obviously the amount of data became more significant and then the contents of that IP, that’s what the bad guys want. Adversaries are consistently trying to exfiltrate data out of environment. And so by treating databases, definitely people are able to raise their level of cyber hygiene and a traditional scanner that was built for servers and workstations just doesn’t really apply to the database world. And that’s one of the reasons when we look at our customers, they actually go and buy something that’s purpose-built to protect their data in their environment, what users have access to it, what they can touch, what they can’t touch, and then what’s actually taking place on that database in real time. Right? If adversaries are trying to exploit trait that they’re going to be able to have controls around seeing what’s happening in real time on those systems.

Tom Temin We’re speaking with Bill Rucker. He’s president of Trustwave Government Solutions. And Jamie Holcombe, CIO of the U.S. Patent and Trademark Office. And, Jamie, tell us more about the zero trust aspect of this in relation to this expanded deal here with Trustwave.

Jamie Holcombe Well, what I love about Trustwave, it’s not just a license for a scanner, it’s more of a service. And we’re looking at even engaging more based on increasing our security posture and ensuring for cyber hygiene. And the five pillars are an outstanding way to discuss this. The first pillar, everybody talks about user I.D. and authentication, but that’s just the first pillar of things. You do need to have multifactor in the user, but you also have to have the second pillar, which is applications. As an example, why do we just start up an application at the command line and just let it go? Why doesn’t the application actually have to authenticate into a server to make sure that that application is not vulnerable, that that application is authenticated and trusted? The number three thing we’re talking about before, again, the scanning of the database and the data pillar. Number four was the network pillar. And that’s always been encrypted, encrypted motion, as they say. And finally, the fifth pillar is your devices, because a network is comprised of devices, including servers, routers, etc. Why do we just assume that a server is what it says it is? Why don’t we have to also authenticate into the network that the server is authorized so we use other products to ensure for authentication certificates on the device side. So in that regard, zero trust and the maturation along all those five pillars is essential to actually creating a very secure environment.

Tom Temin And Bill, tell us more about the scanning aspect of this. It sounds like you move from a occasional check over to maybe a continuous type of scanning of your database.

Bill Rucker Sure. And it’s part of the continuous monitoring mindset. Dovetailing into Jamie’s comment on zero trust. We really focus on the user and the data piece, right? And so from a scanning perspective, we’re looking at very deep dive inspection of the database itself, vulnerabilities that could exist in that. If you take a comparison against a traditional scanner that’s built for a server as a workstation in a database, they might check 5 to 600 things. We’re just under 6000 checks of vulnerabilities inherent across different mainstream data stores and also the ability to actually look at the users and how they’re configured in your databases. Do they have the right privileges? Do they have access to sensitive information or high value assets, yet their passwords aren’t secure enough or they’re using the same password on multiple high value assets? So that’s the scanning portion, really the focus on the vulnerabilities in the users. Right. And then the last component is really the monitoring of that. So think of being able to see what’s taking place on your database in real time and being able to know if there’s anything that’s an anomaly. Right? A data actualtration that is not up the norm. That could be a leading indicator of an adversary in your environment.

Tom Temin Got it. And Jamie, the USPTO is calling this a partnership. Why that and not just a contract?

Jamie Holcombe Well, because it’s not just for licenses, it’s actually for service and analysis as well. And the fact is, having a partner means that you can share in some of that responsibility. And although it might not be contractual yet, what we hope to do is find some advice and guidance along our journey, along our maturation in that data pillar. So we have high hopes that we’re maturing that relationship, growing it and becoming even more safe in our security posture.

Tom Temin All right. And what happens next here? How do you operationalize all of this?

Jamie Holcombe Well, we actually are implementing it right now as we speak. And I’ve been going to different conferences as well as getting people inside the PTO to look at our unique and specific configurations. One of the big items of vulnerability nowadays happens to be application API in the cloud. So we’re looking at that in the future as a possible engagement. And of course that will be put out in procurement and it will give everyone an ample opportunity. But why I’m saying it right now is because we’re trying to ensure that that maturation matches the current attack surface that has increased tremendously with everybody working remotely in a hybrid environment.

Tom Temin All right. And Bill, final word on how the cloud does complicate all of the security situations and getting to zero trust.

Bill Rucker As far as looking at environments Tom, we’re in a unique timeframe where there’s such a mix of workloads, right? We have customers that are still on prem, some that have moved all of their workloads to the cloud. But the majority of our government customers are still in multi environments, right? And so they need to be able to have a way to protect both and be able to see a common picture of what their risk assessment is. So one of the things that we work closely with our customers on and Jamie talked about the partnership, right? This is cybersecurity is hard, right? It’s absolutely has to be a team sport. So we do a consistent amount of work on trying to raise a level of awareness with our customers, whether it’s cloud or on prem, by helping them with the risk assessments that are specific to data. Because at the end of the day, I mean, people talk about cyber tools or scanning. My job to my customers really at the base level is really helping them make sure that there’s not inadvertent access to data. Right. If you boil everything else down, that’s really when it comes down. There’s other things with zero trust and APOs and ensuring their supply chain is protected and insider threat. But inadvertent access to data kind of encompasses all those. And that’s the accountability we have back to the U.S. government.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories