Evolving to Zero Trust Architecture (ZTA) – Part 2

In the previous blog, I provided insights on what ZTA is, what its core components are, why organizations should adopt ZTA and what the threats to ZTA are. In this blog, I will walk through some common deployment use cases for ZTA that use software defined perimeters (SDPs) and move away from enterprise network-based perimeter security.

Scenario 1: Enterprise using a cloud provider to host applications as cloud services, accessed by employees from the enterprise owned network or from an external private/public untrusted network

In this case, the enterprise hosts its resources or applications in a public cloud, and users want to access them to perform their tasks. This kind of infrastructure lets the organization serve employees at geographically dispersed locations who might not connect to the enterprise owned network but still work remotely using personal devices or enterprise owned assets. In such cases, access to enterprise resources can be restricted based on user identity, device identity, device posture/health, time of access, geographic location and behavioral logs. Based on these risk factors, the enterprise cloud gateway may grant access to resources like the employee email service, employee calendar and employee portal, but restrict access to services that hold sensitive data like the H.R. database, finance services or the account management portal. The Policy Engine/Policy Administrator (PE/PA) is hosted as a cloud service and provides the decision to the gateway based on a trust score calculated from various sources: the enterprise system agent installed on devices, the CDM system, activity logs, threat intelligence, SIEM, identity management, PKI certificate management, data access policy and industry compliance. The enterprise local network could host the PE/PA service instead of the cloud provider, but that provides little benefit, since every request for a cloud hosted service would need an additional round trip to the enterprise network, which hurts overall performance.

Scenario 2: Enterprise using two different cloud providers to host separate cloud services that make up one application, accessed by employees from the enterprise owned network or from an external private/public untrusted network

The enterprise has broken its monolithic application into separate microservices or components hosted across multiple cloud providers, even though it has its own enterprise network. The web front end can be deployed in Cloud Provider A and communicate directly with the database component hosted in Cloud Provider B, instead of tunneling through the enterprise network. This is basically a server-to-server implementation protected by software defined perimeters instead of relying on the enterprise perimeter for security. PEPs are deployed at the access points of the web front end and the database component, and they decide whether to grant access to the requested service based on the trust score. The PE and PA can be hosted as services in either of these clouds or with a third-party cloud provider. Enterprise owned assets with agents installed can request access through the PEPs directly, so the enterprise can still manage its resources even when they are hosted outside the enterprise network.

Scenario 3: Enterprise with contractors, visitors and other non-employees who access the enterprise network

In this scenario, the enterprise network hosts applications, databases, IoT devices and other assets that can be accessed by employees, contractors, visitors, technicians and guests. Assets such as internal applications and sensitive data should be accessible only to employees, and visitors, guests and technicians should be prevented from reaching them. Technicians who show up to fix IoT devices like smart HVAC and lighting systems still need access to the network or the internet, and visitors and guests also need access to the local network to reach the internet and perform their work. All of these situations can be handled by creating user and device profiles and installing enterprise agents on enterprise systems to prevent network reconnaissance and east-west movement once connected. Based on their identity and device profile, users are placed on either the enterprise employee network or the BYOD guest network, which hides enterprise resources using the ZTA approach of SDPs. The PE and PA could be hosted either on the LAN or as a cloud service, depending on the architecture the organization chooses. All enterprise owned devices with an installed agent access enterprise resources through the gateway portal, which sits in front of those resources. All privately owned devices used by visitors, guests and technicians, employee owned personal phones, and any other non-enterprise owned assets are allowed to connect only to the BYOD or guest network to use the internet, based on their user and device profile.

Zero Trust Maturity

As organizations mature and adopt zero trust, they go through various stages, adapting based on cost, talent, awareness and business domain needs. Zero trust is a marathon, not a sprint, so incrementally maturing the level of zero trust is the desired approach.

Stage 0: Organizations have not yet thought about the zero trust journey; they have fragmented on-premises identity, no cloud integration, and passwords are used everywhere to access resources.

Stage 1: Adopting unified IAM by providing single sign-on across employees, contractors and business partners, using multi-factor authentication (MFA) to access resources, and starting to focus on API security.

Stage 2: In this stage, organizations move towards deploying safeguards such as context-based (user profile, device profile, location, network, application) access policies to make decisions, automating provisioning and deprovisioning of employee/external user accounts and prioritizing secure access to APIs.

Stage 3: This is the highest maturity level that can be achieved; it adopts passwordless and frictionless solutions using biometrics, email magic links, tokens and other methods.

Most organizations in the world are in stage 0 or stage 1, except for large corporations that have matured to stage 2. Due to the current COVID situation, organizations have quickly started to invest heavily in improving their ZT maturity level and overall security posture.

References

Draft (2nd) NIST Special Publication 800-207, Zero Trust Architecture. Available at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207-draft2.pdf

The State of Zero Trust Security in Global Organizations

Effective Business Continuity Plans Require CISOs to Rethink WAN Connectivity

Zero Trust Security For Enterprise Mobility

As we mentioned in our previous post, we are celebrating our 40th anniversary and, as part of our celebrations, we have created this 40 Years and Forward blog series. So, without further ado, welcome to the second posting in that series!

In our last blog, we took a stroll down memory lane and reminisced about CC Pace’s origins and what the world was like in 1980 when we were founded. While much has changed here at CC Pace and in the world in general (internet, anyone?), we have been steady in our drive to meet the needs of our customers by providing valuable business solutions. Working with a national client base that ranges from tech start-ups to Fortune 500 companies as well as government entities, no company or project has proven to be too big or too small.

While we have remained consistent in our values and in our focus, another key aspect of our longevity has been our adaptability. For instance, CC Pace’s biggest client during our first year was the Department of Energy, and we were deeply involved with the Oil and Gas industries. As we grew and our client base expanded, we shifted direction to the telecommunications and financial services/mortgage industries. We focused our strategic planning on truly understanding how innovative technologies and methodologies work, and when and where to apply them. For example, back in 1999, when others were consistently using the waterfall approach, CC Pace started to think differently and used an Agile methodology, XP, for the first time on a custom software development project.

Our adaptability has also come into play as we have successfully navigated our way through many challenging times, including the financial crisis of 2009 and, most recently, the coronavirus pandemic we find ourselves in today. By seizing the opportunity to adapt to the market, investing in our people and discovering new technologies, CC Pace has successfully kept up with our clients’ needs. We are carrying that adaptability into 2020 as our development teams are currently creating mobile apps and working on cloud transitions and integrations. It is through these continued efforts and our ability to adjust to the market that CC Pace has become a nationally recognized leader in Agile training and coaching, custom application development, financial and healthcare services consulting and IT staffing.

We invite you to stay tuned for the next post in our 40 Years and Forward blog series, in which we’ll share deeper insight into our company culture and how our team has thrived in a social, collaborative and productive environment that even encourages playfulness at work!

CC Pace is seeking a Mortgage Subject Matter Expert, as introduced here by Senior Recruiter Rechelle Card. In this exciting position you will work with a wide variety of mortgage clients on an array of projects. If you think you are ready to make a change and become an important member of our Financial Services team, please apply for this exciting opportunity here and let’s talk!

“This isn’t a time to postpone your job hunt…” Yes, hiring may be slowing down, but it is not coming to a halt. There are many fulfilling jobs out there, and now is the time to prepare yourself for that next great opportunity! This quick read outlines 5 job seeking strategies that will help put you ahead of your peers when this health crisis normalizes.

Taking the time to invest in yourself and completing a small job hunting task each day will position you for success when hiring returns to its normal feverish pace. Stay safe and healthy, my friends, and remember… be patient, persistent and, most of all, flexible. #weareallinthistogether

https://www.forbes.com/sites/carolinecastrillon/2020/04/06/how-to-job-hunt-during-the-coronavirus-pandemic/#69680f5a259d


Meet Morgan Romero, the newest member of the CC Pace Recruiting Team! Morgan joined us in January and jumped right into her role as a Recruiter Assistant with great enthusiasm! We couldn’t be happier with her contributions to our recruiting efforts, and we are seeking someone just like Morgan for our new Recruiter position. If you think you are ready to take the leap and become a CC Pace Recruiter, please apply for this exciting opportunity here and let’s talk about getting started on your new career today!

I have a deep interest in cybersecurity, and to keep up with the latest threats, policies and security practices, I became a member of the ACT-IAC organization and enrolled in its Cybersecurity Community of Interest group. This is where I got the opportunity to work as a volunteer on the Zero Trust Architecture Phase 2 project. Hence, I am trying to share the knowledge I gained around ZTA strategy and principles. I am planning to break my blog into a four-part series based on how the project progresses.

  • What is ZTA?
  • Real world deployment scenarios
  • ZTA core capabilities
  • Vendors providing ZTA capabilities

What is ZTA and how did it come into existence?

Traditionally, perimeter-based security has been used to protect the network infrastructure behind a firewall: once a user is authenticated, they can access all the resources behind the firewall, because all network users and devices are assumed to be trustworthy. This caused many security breaches across the globe, where attackers could move laterally and exploit resources they were never authorized to reach. Attackers only had to get through the firewall and could then crawl across any resource available on the network, causing damage in the form of data loss and the financial impact that comes with ransomware attacks.

Today, an enterprise’s infrastructure spans several networks: cloud-based services, remote users connecting from their own networks using enterprise-owned or personal devices (laptops, mobile devices), and network locations that change depending on where users and devices connect from (public Wi-Fi, internal enterprise networks, etc.). These complex use cases made it possible to move away from perimeter-based security to “perimeterless” security (not confined to one network infrastructure), which led to a new concept called “Zero Trust”, where you “trust no one, but verify”. The ZT approach is primarily about data protection, but it can be applied to other enterprise assets like users, devices, applications and infrastructure.

ZTA is basically an enterprise cybersecurity strategy that prevents data breaches and limits lateral movement within the network infrastructure. It assumes that every internal or external agent (user, device, application, infrastructure) that wants to access an enterprise resource (on the internal network or externally in the cloud) is untrusted and must be verified on each request before access is granted.

What does Zero Trust mean in a ZTA?

(Image courtesy: NIST SP 800-207 publication)

In the above diagram, a user who is trying to access a resource must go through the PDP/PEP. The PDP/PEP decides whether to grant the request based on enterprise policies (data/access/risk), user identity, device profile, the user’s location, the time of the request and any other attributes needed to gain enough confidence. Once granted, the user is in an “Implicit Trust Zone” where they can access resources according to the network infrastructure design. The “Implicit Trust Zone” is like the boarding area of an airport, where all passengers are considered trustworthy once they have passed through immigration/security screening.

You can still limit access to certain resources in the network using a concept called “Micro-Segmentation”. For example, after getting through the security check and reaching the boarding area, passengers are checked again at the boarding gate to make sure they are boarding the flight they are authorized for. This is what “Micro-Segmentation” means: resources are isolated into segments, and access requests are verified separately for each segment in addition to the PDP/PEP check.

Tenets of ZTA (as per NIST SP 800-207)

All resources, whether data or services, should communicate securely regardless of their network location. Each individual access request is verified before access to any resource is granted, based on the client’s identity, the device used to make the request, the type of application used, location and other behavioral attributes. Each granted access request is authenticated and authorized dynamically and strictly enforced. In addition, the enterprise should collect all activity information, log decisions, audit logs and monitor the network infrastructure to improve its overall security posture.

What are the logical components of ZTA?

(Image courtesy: NIST SP 800-207 publication)

Policy Engine (PE): Responsible for making and logging the decision to grant or deny a request, based on enterprise policy and inputs from external sources (CDM, threat intelligence, etc.).

Policy Administrator (PA): Responsible for establishing or tearing down the communication path between the subject and the enterprise resource based on the decision made by the PE. It can generate authentication tokens that the client uses to access the resource. The PA communicates with the PEP via the control plane.

Policy Enforcement Point (PEP): Responsible for enabling, monitoring and terminating communication between the subject and the enterprise resource. It can be used as a single logical component or split into two: a client agent and a resource gateway component that controls access. Beyond the PEP is the “Implicit Trust Zone” that holds the enterprise resources.

Control Plane/Data Plane: The control plane is made up of the components that receive and process requests from data plane components wishing to access network resources. The control and data planes are best thought of as zones in the ZTA. Every resource, device and user on the network can have its own control plane component that decides whether data should be routed further or not; in this diagram, the planes are used only to explain how the control plane works for data plane components. The data plane simply passes packets around, and the control plane routes them appropriately based on the decisions made.

Note: The dotted line that you see in the image above is the hidden network that is used for communication between the various logical components.
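To make the PE/PA/PEP split above and the trust-score decision from Scenario 1 concrete, here is an added example (not code from the original post or from NIST SP 800-207). The signal weights, the resource policy table, the HMAC-signed token format and the control-plane key are all assumptions chosen for illustration; a real deployment would take these from its own policy and PKI.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Resource policy (assumed for illustration): the minimum trust score needed and
# whether an enterprise-owned device with the system agent installed is required.
RESOURCE_POLICY = {
    "email":       {"min_trust": 50, "managed_device": False},
    "hr-database": {"min_trust": 80, "managed_device": True},
}

# Control-plane signing key shared by PA and PEP (constructed sample value; a real
# deployment would rely on PKI-issued keys or certificates, as the text mentions).
CONTROL_PLANE_KEY = b"sample-control-plane-key-not-for-production"
TOKEN_TTL_SECONDS = 300


@dataclass
class AccessRequest:
    user: str
    resource: str
    mfa_passed: bool
    device_managed: bool      # enterprise asset with the agent installed
    device_posture: str       # "healthy", "out_of_date" or "compromised"
    geo_allowed: bool         # location inside the allowed regions
    hour_utc: int             # time of access
    anomalous_behavior: bool  # flag raised from activity logs / SIEM


class PolicyEngine:
    """PE: turns the signals listed in the text into a trust score and a decision."""

    POSTURE_WEIGHT = {"healthy": 30, "out_of_date": 10, "compromised": -100}

    def trust_score(self, req: AccessRequest) -> int:
        score = 30 if req.mfa_passed else 0
        score += 20 if req.device_managed else 0
        score += self.POSTURE_WEIGHT.get(req.device_posture, 0)
        score += 10 if req.geo_allowed else 0
        score += 10 if 6 <= req.hour_utc <= 20 else 0   # inside working hours
        score -= 40 if req.anomalous_behavior else 0
        return max(0, score)

    def decide(self, req: AccessRequest):
        """Return (allowed, reason, score); unknown resources are denied by default."""
        policy = RESOURCE_POLICY.get(req.resource)
        score = self.trust_score(req)
        if policy is None:
            return False, "unknown resource", score
        if policy["managed_device"] and not req.device_managed:
            return False, "managed device required", score
        if score < policy["min_trust"]:
            return False, f"trust {score} below {policy['min_trust']}", score
        return True, "allow", score


class PolicyAdministrator:
    """PA: logs the PE decision and, on allow, issues a short-lived token for the PEP."""

    def __init__(self, engine: PolicyEngine):
        self.engine = engine
        self.audit_log = []

    def handle(self, req: AccessRequest, now: float):
        allowed, reason, score = self.engine.decide(req)
        self.audit_log.append({"user": req.user, "resource": req.resource,
                               "score": score, "allowed": allowed, "reason": reason})
        if not allowed:
            return None, reason
        # Token is bound to subject and resource and expires after TOKEN_TTL_SECONDS.
        payload = json.dumps({"sub": req.user, "res": req.resource,
                              "exp": int(now) + TOKEN_TTL_SECONDS}, sort_keys=True)
        sig = hmac.new(CONTROL_PLANE_KEY, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}.{sig}", reason


class PolicyEnforcementPoint:
    """PEP: the resource gateway; admits a session only with a valid token for this resource."""

    def __init__(self, resource: str):
        self.resource = resource

    def admit(self, token, now: float) -> bool:
        if not token or "." not in token:
            return False
        payload, sig = token.rsplit(".", 1)      # the hex signature never contains a dot
        expected = hmac.new(CONTROL_PLANE_KEY, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):   # forged or tampered token
            return False
        claims = json.loads(payload)
        return claims["res"] == self.resource and claims["exp"] > now


def request_access(req: AccessRequest, now: float) -> bool:
    """End-to-end flow: subject -> PA (asks PE) -> token -> PEP in front of the resource."""
    token, _ = PolicyAdministrator(PolicyEngine()).handle(req, now)
    return PolicyEnforcementPoint(req.resource).admit(token, now)
```

The same BYOD request that reaches the email service is refused for the H.R. database, and a token issued for one resource is useless at another PEP, which is the per-request, per-resource verification the tenets call for.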

Why should organizations adopt ZTA?

When adopting a ZTA, organizations must weigh all the potential benefits, risks, costs, and ROI. Core ZT outcomes should be focused on creating secure networks, securing data that travels within the network or at rest, reducing impacts during breaches, improving compliance and visibility, reducing cybersecurity costs and improving the overall security posture of an organization.

Lost or stolen data, ransomware attacks, and network and application layer breaches cost organizations huge financial losses and market reputation. It takes a lot of time and money for an organization to return to normal after a severe security breach. ZT adoption can help organizations avoid such breaches, which is key to surviving in today’s world, where state funded hackers are always ahead of the game.

As with all technology changes, the biggest challenge to demonstrate higher ROI and lower cybersecurity costs is the time needed to deliver the desired results. Organizations should consider the following:

  • Assess what components of ZTA pillars they currently have in their infrastructure. Integration of components with existing tools can reduce the overall investment needed to adopt ZTA.
  • Consider including costs or impacts associated with risk levels and occurrences when doing ROI calculations.
  • ZT adoption should simplify, and not complicate, the overall security strategy to reduce costs.

What are the threats to ZTA?

ZTA can reduce the overall risk exposure in an enterprise but there are some threats that can still occur in a ZTA environment.

  • A misconfigured PE or PA could disrupt users trying to access resources. Conversely, access requests that were previously denied could get through because the security administrator misconfigured the PE or PA, and attackers or subjects could then reach resources they were restricted from before.
  • Denial of service attacks on the PA/PEP can disrupt enterprise operations. All access decisions are made by the PA and enforced by the PEP before a device can connect to a resource. If a DoS attack hits the PA, no subject can get access, as the service is unavailable under the flood of requests.
  • Attackers could compromise an active user account using social engineering, phishing or other means to impersonate the subject and access resources. Adaptive MFA may reduce the likelihood of such attacks, but in traditional enterprises, with or without ZTA adoption, an attacker might still be able to reach the resources the compromised user has access to. Micro-segmentation may protect resources against these attacks by isolating or segmenting them using technologies like NGFW and SDP.
  • Enterprise network traffic is inspected and analyzed by policy administrators via the PEPs, but non-enterprise-owned assets cannot be monitored passively. Since their traffic is encrypted and deep packet inspection is difficult, an attack on the network could originate from non-enterprise owned devices. ML/AI tools and techniques can help analyze traffic to find anomalies and remediate them quickly.
  • Vendors or ZT solution providers could cause interoperability issues if they do not follow common standards or protocols when interacting. If one provider has a security issue or an outage, it could disrupt enterprise operations through service unavailability or the time and cost of switching to another provider. Such disruptions can affect the core business functions of an enterprise operating in a ZTA environment.

References

[ACT-IAC] American Council for Technology and Industry Advisory Council (2019) Zero Trust Cybersecurity Current Trends. Available at https://www.actiac.org/zero-trust-cybersecurity-current-trends

Draft (2nd) NIST Special Publication 800-207, Zero Trust Architecture. Available at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207-draft2.pdf

NIST Zero Trust Architecture Release: https://www.nccoe.nist.gov/projects/building-blocks/zero-trust-architecture

Welcome to the first blog in our 40 Years and Forward anniversary series! All of us here at CC Pace love thinking back about where we have been, what we have accomplished and all the experience we have gained here at CC Pace, but we get even more excited thinking about where we are headed. That’s why we have decided that 40 Years and Forward is the perfect theme as we celebrate our 40th anniversary.

We will start at the beginning in this first blog and do a bit of that much beloved reminiscing, shall we? Did you know CC Pace was founded in 1980? It’s true. The very same year that Pac-Man was introduced, CNN was launched and the big topic around watercoolers across the country was “Who Shot JR?” (in case you don’t remember, or possibly were not born yet, it was his wife Sue Ellen’s sister, Kristen). Anyway, 1980 was also the year during which CC Pace President and founder Mike Gordon held an IT position with a financial services technology consulting firm called R. Shriver and Associates. When that firm decided to sell off its DC branch, Mike and some colleagues jumped at the opportunity to purchase it, and so, as the story goes, CC Pace was born.

Here’s another piece of trivia and a question we get asked quite often: Where did the name CC Pace come from? It’s a bit of a long story, but here goes. Mike and his colleagues decided on the name Cabot Consulting for their new company. Back then, Oil and Gas was the market CC Pace focused on and, unfortunately, as Mike and his partners found out, there was a Fortune 500 oil and gas company named Cabot Corporation. So, in 1988, they went through the naming process again. The result was the name ‘Pace’. Since Mike was looking for a way to transition from the old name to the new one, and the general consensus was to add a word or prefix/suffix that would distinguish us from all the other Paces out there, it was decided to add the prefix C.C. as a reference to Cabot Consulting. Yes, we admit our naming story is not a simple one, but that is how we ended up with our beloved name of C.C. Pace (aka CC Pace).

Now that we have taken a little stroll down memory lane, we would like to invite you to stay tuned to our 40 Years and Forward blog series to see how we have adapted to change over the years and what our plans are for the future.

What is App Modernization?

Legacy application modernization is a process to update existing and aging applications with modern architecture to enhance features and capabilities. By migrating your legacy applications, you can include the latest functionalities that better align with what your business needs to succeed. Keeping legacy applications running smoothly while still being able to meet current day needs can be a time consuming and resource intensive affair. That is doubly the case when software becomes so outdated that it may not even be compatible with modern day systems.

A Quick Look at a Sample Legacy Monolithic Application

For this article, consider a decade-and-a-half-old Legacy Monolithic Application as depicted in the following diagram.

This depicts a traditional n-tier architecture that was very common over the past 20 years or so. There are several shortcomings with this architecture, including the “big bang” deployment that had to be tightly managed when rolling out a release. Most of the resources on the team would sit idle while requirements and design were ironed out. Multiple source control branches had to be managed across the entire system, adding complexity and risk to the merge process. Finally, scalability applied to the entire system rather than to smaller subsystems, increasing the cost of hardware resources.

Why Modernize?

We define modernization as migrating from a monolithic system to many decoupled subsystems, or microservices.

The advantages are:

  1. Reduce cost
    1. Costs can be reduced by directing computing power only to the subsystems that need it. This allows for more granular scalability.
  2. Avoid vendor lock-in
    1. Each subsystem can be built with the technology for which it is best suited.
  3. Reduce operational overhead
    1. Monolithic systems written in legacy technologies tend to stay that way due to the increased cost of change, which requires resources with a specific skillset.
  4. De-coupling
    1. Strong coupling makes it difficult to optimize the infrastructure budget.
    2. De-coupling the subsystems makes it easier to upgrade components individually.

Finally, a modern, microservices architecture is better suited for Agile development methodologies. Since work effort is broken up into iterative chunks, each microservice can be upgraded, tested and deployed with significantly less risk to the rest of the system.

Legacy App Modernization Strategies

Legacy application modernization strategies can include re-architecting, re-factoring, re-coding, re-building, re-platforming, re-hosting, or the replacement and retirement of your legacy systems. Applications dating back decades may not be optimized for mobile experiences on smartphones or tablets, which could require a complete re-platforming. Lift and shift will not add any business value if you migrate legacy applications just for the sake of modernization. Instead, it is about taking the bones, or DNA, of the original software and modernizing it to better represent current business needs.

Legacy Monolithic App Modernization Approaches

Having examined the nightmarish aspects of continuing to maintain Legacy Monolithic Applications, this article presents two Application Modernization Strategies. Both are explained at length below to give you a basic idea, so that you can pick whichever is feasible within the constraints you might have.

  • Migrating to Microservices Architecture
  • Migrating to Microservices Architecture with Realtime Data Movement (Aggregation/Deduping) to Data Lake

Microservices Architecture

In this section, we look at how re-architecting, re-factoring and re-coding per the microservices paradigm helps avoid much of the overhead of maintaining a legacy monolithic system. The following diagram helps you better understand Microservices Architecture, a leap forward from legacy monolithic architecture.

At a quick glance at the above diagram, you can see a big central piece called the API Gateway with Discovery Client. This is comparable to a Façade in a Monolithic Application. The API Gateway is essentially the entry point for accessing several microservices, which are comparable to modules in a Monolithic Application and are identified/discovered with the help of the Discovery Client. In this design, the API Gateway also acts as an API Orchestrator, because all access goes to one database set via the Database Microservice in the diagram. In other words, the API Gateway/Orchestrator orchestrates the sequence of calls based on the business logic and calls the Database Microservice, as individual microservices have no direct access to the database. One can also notice that this architecture supports various client systems such as a Mobile App, Web App, IoT App, MQTT App et al.

Although this architecture gives an edge to using different technologies in different microservices, it leaves us with a heavy dependency on the API Gateway/Orchestrator. The Orchestrator is tightly coupled to the business logic and object/data model, which requires it to be re-deployed and tested after each microservice change. This dependency prevents each microservice from having its own separate and distinct Continuous Integration/Continuous Delivery (CI/CD) pipeline. Still, this architecture is a huge step towards building heterogenous systems that work in tandem to provide a complete solution. This goal would otherwise be impossible with a Monolithic Legacy Application Architecture.

Microservices Architecture with Realtime Data Movement to Data Lake

In this section, we look at how re-architecting, re-factoring, re-coding, re-building, re-platforming, re-hosting, or the replacement and retirement of your legacy systems per the microservices paradigm helps avoid much of the overhead of maintaining a legacy monolithic system. The following diagram helps you understand a complete, more advanced Microservices Architecture.

At the outset, most of the diagram for this approach looks like the previous approach, but it adheres more closely to the actual microservices paradigm. Here, each microservice is independent and has its own micro database, of whatever flavor suits the business needs, which avoids the dependency on a Database Microservice and avoids overloading the API Gateway as an orchestrator carrying business logic. The advantage of this approach is that each microservice can have its own CI/CD pipeline and release cadence. In other words, one part of the application can be released on its own, with TDD/ATDD properly implemented, avoiding the costs of testing, deploying and release management for the whole system. This kind of architecture does not limit the overall solution to any particular technical stack; it encourages quick solutions built with a variety of stacks, and it gives the flexibility to scale resources for heavily used microservices when necessary.

Besides this, the architecture encourages a Realtime Engine (which can itself be a microservice) that reads data from the various databases asynchronously, applies data aggregation and data deduplication algorithms, and sends clean data to a Data Lake. Advanced applications can then use the data from the Data Lake for Machine Learning and Data Analytics to cater to business needs.

Note: This article was not written with any particular cloud flavor in mind. This is a general App Modernization Microservices architecture that can run anywhere: on-prem, OpenShift (Private Cloud), Azure Cloud, Google Cloud or AWS (Private Cloud).

It’s that time of the year when we get together with friends for fun, good food and some friendly rivalry. That’s right, it’s Superbowl weekend, and we here at CC Pace decided to kick it off early with a Jeans and Jersey day! Although we have nothing but love and respect for both the Chiefs and the 49ers, we didn’t want to exclude any form or flavor of team spirit. So, we opened the jersey wearing to any team, in any sport. And Pacers did not disappoint! People joined in on the fun and showed up in an array of team attire, and we shared a field of treats!

We decided we needed to add some competition to our festivities and played a Superbowl word game, and guess who the big winner was… CC Pace president Mike Gordon. Way to go Mike! (And no, we did not let him win because he is the president; we are all way too competitive for that!)

You may notice in the pictures that there was a clear shortage of the Superbowl’s colors, but everyone did have a clear pick on a winner for the big game. The majority of us are rooting for the Kansas City Chiefs, and not just because they haven’t won a Superbowl since 1969 (well, maybe that’s part of it). Go Chiefs!

We recently conducted a (sold out!) webinar on the LIBOR Transition, driven by the NY DFS sending a letter to the Boards of Directors of over 1,000 companies that it regulates, with a response due on March 23, 2020.

The first question we received in response to the webinar was "you guys use a lot of acronyms, can you explain what they mean, please?" And it’s true, we do use a lot of terms, so we put together a LIBOR transition cheat sheet (a glossary) to explain not only what each acronym means, but why it is important in a LIBOR transition context.

Some facts about LIBOR:

  • LIBOR has been in use since the 1970s and is well understood by the markets and regulators.
  • Many loans use LIBOR as an index rate, especially mortgages and student loans.
  • However, the dollar volume of LIBOR-based contracts, futures, options and other types of derivatives is far greater than its use in loans.
  • Although people talk about it as if it were a single number, it actually has its own “Term Structure” (see our glossary) with 7 different rates and its own yield curve. Having a Term Structure is a great attribute for a Reference Rate to have, and most Alternative Replacement Rates do not have that, at least not yet.
  • The Financial Conduct Authority (FCA, below) that oversees the publication of LIBOR decided in 2017 to not compel any bank to contribute to the LIBOR process after December 31, 2021. This means it is very unlikely that banks will participate after this date, and LIBOR will cease to be credible if it exists at all.
  • Liquid markets require many participants. Therefore, regulators and associations are issuing Replacement Guidance to move participants to a new market.  In the US, the ARRC (below) is guiding markets towards SOFR (below).

Here are the first four LIBOR-related acronyms you’ll hear us mention when we talk about the transformation. The full list of terms can be found here.  It will be updated on a regular basis.



The primary goal of Marine Toys for Tots is to bring the joy of Christmas through the gift of a new toy and send a message of hope to America’s less fortunate children. To join in this amazing effort, CC Pace signed up to be a donation center for the second year in a row. Our employees shined with generosity and holiday spirit by overflowing our donation boxes! Not only did they provide games, dolls, books, cars, scooters and toys, but a group of them even took time to go out and shop together for our corporate donation, and as our video shows, had a blast while doing so! Here’s to Toys for Tots for celebrating their 72nd year of spreading joy!

The holiday season brings with it a flurry of fun activities, things like, gatherings with family or friends, taking part in treasured traditions and eating special dishes (there is always so much food!). With all those things in mind we have decided to kick off the holiday season with a festive and fun blog where we surveyed the CC Pace team to find out what they enjoy most during this time of year. So, without further ado, here’s a little insight on what our team enjoys most about the holidays:

What is your favorite holiday dish (excluding dessert)?

Stuffing was the #1 answer with 49% of CC Pacers in agreement! Looks like we have a lot of carb lovers, and they like a variety of stuffing. The answers varied from “inside stuffing” to “chestnut stuffing” to “cornbread stuffing” and just the classic “stuffing”. So, let’s hear it for stuffing!!

Which outdoor winter activity do you enjoy most?

  • Building a snowman – 5%
  • Skiing, Snow Tubing and/or Sledding – 40%
  • Shoveling snow – 0% (hey, some people like shoveling snow – right?!)
  • None, I like to stay inside and watch the snow from there – 55%

Apparently, staying cozy and warm inside is the priority for most of our team on a snowy day! Speaking of snow, here’s an interesting fact for those who live in the DC area: this year local forecasters are calling for a total snowfall of 10-16 inches inside the beltway, and 15-25 inches outside. Let’s all look back here in April and see how well their predictions held up!

What is your favorite holiday movie?

When it comes time to sit back and relax our team clearly goes for the comedies, with Love Actually and Christmas Vacation tying for the #1 favorite holiday movie, to which we can only say “yes, please”!

Which method do you prefer for holiday shopping?

  • Shopping online – Amazon Prime all the way! – 68%
  • Going to the mall – I like the hustle and bustle of the crowds and grabbing my Starbucks! – 32%

Do you have a charitable organization or volunteering opportunity that you like to attend/favor during the holidays? If so, which one?

Our employees are very generous year-round, and this season is no different. Here are the Top 5 charity organizations they will be supporting during the holidays:

  1. Toys for Tots seems to be the most popular charity at this time of year amongst our team. That is great news for us since this year CC Pace is again participating as a collection center for the Marine Toys for Tots Program. Toys for Tots was started in 1947 and distributes an average of 18 million toys to 7 million less fortunate children annually. All are welcome to drop off toys at our headquarters through December 13th!
  2. Wreaths Across America
  3. SOME (So Others Might Eat)
  4. St. Jude Children’s Research Hospital
  5. Tie – several local shelters and children’s charities.

Eggnog or Hot Chocolate?

Hot Chocolate by a landslide – 75%.


What is your favorite Christmas carol or holiday song?
All I Want for Christmas Is You, by Mariah Carey, was released in 1994 and quickly rose to the top of the charts; it is the most downloaded Christmas song of all time. Ms. Carey said when recording this song that she wanted to create a classic, and that she certainly has accomplished!

From CC Pace to all of you, have a happy holiday season full of good cheer and best wishes for the new year!


One of our very own just celebrated this big milestone and rather than just giving you the 411 on it all, we’d like to change things up a bit and play a guessing game with you! If you’d like to play along keep reading, and no peeking at the pictures below. So, can you guess who it is? No? Well it is probably a bit hard given that CC Pace’s employees have an average tenure of 12+ years of service, so we figured we would give you some other clues to help you narrow down your guess:

Clue #1 – This person is a favorite amongst both those of us at CC Pace and our clients.

Clue #2 – This person speaks fluent Russian.

Clue #3 – This person recently obtained their AWS Practitioner certification.

Clue #4 – This person has musical talent and plays the bass.

Clue #5 – This person is also a skilled tennis player.

Still haven’t figured it out? Then let’s keep going… Joining CC Pace in 2004, this person was part of the mortgage technology offering LOS Advantage. After working on various projects for us, they began working at the Municipal Securities Rulemaking Board (MSRB) on the EMMA product, and have been there for over 10 years. During their time at MSRB, they have been consistently praised for their ability to deliver what is asked of them, always on time.

Need another hint? Now our team lead at MSRB, they constantly work on building their technical skills, learning and adapting to different methodology frameworks, and working very well with people (seriously, everyone loves working with this person). The leadership at MSRB epitomizes the type of client partnership we strive for, one built on value, trust and all-around success, and is due largely to this individual.

Ready for the big reveal??

Please join us in congratulating Leo Belenky for his 15 Year Anniversary at CC Pace. Our president, Mike Gordon presented Leo with his service award and highlighted how his hard work and dedication are vital to the success of our organization. Thank you Leo, for 15 wonderful years of service! And, to our readers, thank you for playing along!

I recently attended a Data Connectors cybersecurity strategies conference in Reston, VA. Companies offering various security solutions had speakers sharing knowledge about security threats that are currently affecting the market and how to protect an IT organization against such attacks. Interestingly, Sophos speaker Paul Lawrence (cybersecurity sales engineer) discussed Ransomware as a Service (RaaS) and how to protect against these attacks. Below you will find the high-level information that I gathered at this conference, which I feel will help others who are unaware of this threat.

P.S. – This is just an informational blog on what RaaS is and how to protect IT organizations from this attack.

What is Ransomware as a Service?

In layman’s terms, RaaS is an unusual type of software as a service, provided over the internet by criminals, used to attack IT systems and collect a ransom.

In 2018, 53% of organizations were hit by ransomware, and 1/3 of them paid the ransom to recover from the attack.

How does it work?

Suppose I am a bad actor who wants to compromise machines, data and information but doesn’t want to reveal my identity, and I want to be paid a ransom for doing so.

I can use RaaS (Ransomware as a Service).

I register an account, providing the bank details where I want the ransom paid. All the information I provide to this service platform will (presumably) be kept safe and untracked.

Next, I download the malware from this service platform and start infecting machines. Once they are infected, the victims are given details on where to pay the ransom to recover from the attack.

Figure 1: Shows how RaaS services are hosted on the web with their malicious intent. (Image downloaded from Google)

Figure 2: Another RaaS model where you can purchase the malicious software online. (Image downloaded from Google)

Now anybody can be a hacker using such a RaaS service, since malicious actors have created various models to attack any IT system. All one needs to do is follow the step-by-step guidelines they provide.

How do RaaS providers make revenue?

They collect the ransom from the attacked organizations or individuals through the RaaS account payment system. Once the full ransom is paid, a share of that money goes to the criminal who registered for the service and initiated the attack.

Basically, it is a win-win for both the RaaS provider and the malicious actor who used the service to attack the IT systems of an organization or individual.

Types of Ransomware attacks

Two types:

  1. Traditional ransomware attack: The attack is automated and doesn’t need manual intervention. It can spread rapidly across the globe. WannaCry is the most widely known traditional ransomware variant; it infected nearly 125,000 organizations in over 150 countries.
  2. Targeted ransomware attack: This is a well-planned, manually executed attack against a network and the computers on it. The RobbinHood variant was used in the Baltimore ransomware attack, which compromised most of Baltimore’s government computer systems. 13 bitcoins was the ransom demanded to unlock the computers.

Preventing Ransomware attacks

Ransomware attacks are getting more targeted. One of the primary attack vectors for ransomware is Remote Desktop Protocol (RDP).

  1. Lock down RDP
    1. Use strong passwords.
    2. Do not disable Network Level Authentication (NLA), as it adds an extra authentication layer before a session is created.
    3. To learn more, please go to Malwarebytes Labs.
  2. Patch to prevent privilege elevation
  3. Limit RDP users to those who really need it
  4. Secure your network from both the outside and the inside
  5. Have a disaster recovery plan for the aftermath of an attack
  6. Ask yourselves: "Do we really need remote access?"
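The following script is an added example, not code from the conference talk, Sophos or Malwarebytes: it audits a local Windows host against the RDP lockdown items above (RDP enabled at all, NLA and TLS required, who is in Remote Desktop Users, password and lockout policy, patch age, and whether inbound RDP is open on the Public firewall profile). The registry paths and value names are the standard Terminal Server settings; the thresholds (`MinPasswordLength`, `MaxPatchAgeDays`) and the list of "broad" group names are assumptions to adjust to your own policy.

```powershell
# Added example (not from the talk or any vendor): audit the RDP lockdown
# checklist on the local host. Run in an elevated PowerShell 5.1+ session.
# Thresholds below are assumed policy values, not figures from the blog.

function Test-RdpHardening {
    [CmdletBinding()]
    param(
        [int]$MinPasswordLength = 14,   # assumption: adjust to your password policy
        [int]$MaxPatchAgeDays   = 30    # assumption: adjust to your patch SLA
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Is RDP enabled at all? fDenyTSConnections = 1 means Remote Desktop is off,
    #    which answers "Do we really need remote access?" in the safest way.
    $ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    if ($ts.fDenyTSConnections -eq 1) {
        return @('OK: Remote Desktop is disabled on this host.')
    }
    $findings.Add('RDP is enabled: confirm that remote access is genuinely required.')

    # 2. Network Level Authentication. UserAuthentication = 1 makes the client
    #    authenticate before a session exists; SecurityLayer = 2 requires TLS.
    $rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    if ($rdp.UserAuthentication -ne 1) {
        $findings.Add('NLA is disabled (UserAuthentication <> 1): re-enable it.')
    }
    if ($rdp.SecurityLayer -ne 2) {
        $findings.Add("SecurityLayer is $($rdp.SecurityLayer); 2 (TLS) is expected.")
    }

    # 3. Limit RDP users: broad principals in Remote Desktop Users defeat least privilege.
    $members = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue
    foreach ($m in $members) {
        if ($m.Name -match 'Everyone|Authenticated Users|Domain Users') {   # assumed "broad" list
            $findings.Add("Remote Desktop Users contains broad principal '$($m.Name)'.")
        }
    }

    # 4. Strong passwords and lockout, read from an export of the local security policy.
    $inf = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit /export /cfg $inf | Out-Null
    $policy = @{}
    foreach ($line in Get-Content $inf) {
        if ($line -match '^\s*(\w+)\s*=\s*(\S+)') { $policy[$Matches[1]] = $Matches[2] }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    if ([int]$policy['MinimumPasswordLength'] -lt $MinPasswordLength) {
        $findings.Add("MinimumPasswordLength is $($policy['MinimumPasswordLength']); expected >= $MinPasswordLength.")
    }
    if ([int]$policy['LockoutBadCount'] -eq 0) {
        $findings.Add('LockoutBadCount is 0: no account lockout, so password guessing over RDP is unbounded.')
    }

    # 5. Patch age as a proxy for "patch to prevent privilege elevation".
    $latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn | Select-Object -Last 1
    if (-not $latest -or $latest.InstalledOn -lt (Get-Date).AddDays(-$MaxPatchAgeDays)) {
        $findings.Add("Newest hotfix is older than $MaxPatchAgeDays days (or none recorded).")
    }

    # 6. Secure the network from the outside: inbound RDP should not be open on the Public profile.
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
             Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Profile -match 'Public|Any' }
    if ($rules) {
        $findings.Add('Inbound RDP firewall rules are enabled on the Public profile: restrict to VPN/management scope.')
    }

    return $findings.ToArray()
}

# Usage: one line per finding. Only the "RDP is enabled" note means the checklist holds.
Test-RdpHardening | ForEach-Object { Write-Output "[RDP audit] $_" }
```

Run it on a host before exposing RDP and again after each change; each finding maps back to one numbered item in the list above, so the output doubles as a remediation worklist.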

Selfie taken at the Data Connectors cybersecurity event 😊

Are you a seasoned Agile Practitioner interested in expanding services beyond yourself while providing strategic guidance to a variety of clients?

CC Pace is currently looking for a dynamic Agile Thought Leader who is ready to make an immediate impact and drive our Agile transformation services. The ideal candidate is local to the DC metro area, is comfortable making decisions and implementing innovative ideas. CC Pace will provide a flexible working environment and support interest in growing a personal reputation in the global Agile community, in addition to a competitive, comprehensive suite of benefits.

What will an Agile Thought Leader at CC Pace do?

  • Set the direction for our Agile transformation services, drive strategic imperatives, define Agile offerings, establish priorities and grow our Agile business
  • Represent CC Pace at conferences, through independently orchestrated thought leadership and by guiding client engagements
  • Provide strategic guidance to clients through enhancing, producing and delivering Agile training and coaching both in person and via alternative delivery modes
  • Build and mentor a team of consultants to deliver the services both with internal staff and business partners
  • Define and brand CC Pace while developing new relationships in the Agile community

Position Requirements:

  • Current certified Agile credentials or equivalent level of experience
  • Strong communication and presentation skills – must be versed in public speaking and a capable writer
  • Proven experience leading Agile engagements, including developing training materials and coaching at both the enterprise and team level
  • Ability to demonstrate leadership experience in IT delivery, including building and sustaining high-performing teams
  • Strong leadership skills that will support setting the direction for our Agile practice, managing a team of resources and driving the Agile offering and delivery strategies
  • Ability to provide ample thought leadership to further our footprint in the Agile community
  • Strong business acumen that will assist in supporting the sales & marketing efforts involving Agile transformation services

At CC Pace we have a strong referral program and encourage not only our employees but even those who don’t work for us to take advantage of it – so if you know someone who would be a fit for this position please refer them!

For more information regarding this Agile Thought Leader position, please contact Rechelle Card, rcard@ccpace.com

For CC Pace’s 2nd quarter community outreach event, we collected personal care items in support of the Katherine K. Hanley Family Shelter (KHFS). KHFS is located in Fairfax, right around the corner from our office!

Thanks to everyone who participated. We were able to collect and put together “Care Kits” for 15-20 children, 10-12 women and 10-12 men. These Care Kits were comprised of items such as tooth paste, shampoo, conditioner, body wash and a tooth brush. These items will go to the families and individuals in need at the Katherine K. Hanley Family Shelter.

KHFS opened in 2007 and was the first emergency shelter in Fairfax County to adopt a rapid re-housing approach, an approach that was so successful it has been incorporated into all emergency shelters in Fairfax County. Currently, KHFS houses 72 people, 45 of whom are children. KHFS is part of the Shelter House organization.

Shelter House is a community-based, non-profit organization that provides crisis intervention, safe housing, and supportive services to homeless families and victims of domestic violence in our community. Shelter House was formed in 1981 as a grassroots responder to the homelessness crisis in Fairfax County. Shelter House is comprised of 3 emergency shelters: the Katherine K. Hanley Family Shelter, Artemis House and the Patrick Henry Family Shelter.

In the past year, across all programs, Shelter House served over 2,300 individuals, more than half of whom were children. Of the families that exit Shelter House, nearly 70% move to permanent housing.

Thank you to everyone for your support and participation!

If you would like to learn more about Katherine K. Hanley or Shelter House, follow the link below:

https://shelterhouse.org/

There is a great team of people who work at CC Pace. We took a few minutes to get up close and personal with George Perkins, Ron Peterson and Suzie Wheeler, three of the people whose roles are front and center with our clients and candidates.

George Perkins

George is a Practice Manager who has just celebrated his 25th anniversary with CC Pace. George is responsible for the management of several of our client accounts and staff augmentation services. His primary focus is on the financial services and healthcare industries. Always the jokester, George is never one to miss the opportunity for a good one-liner during a meeting! Connect with George on LinkedIn.

We asked George some questions, and here’s what he had to say:

  • Do you participate in some community outreach you would like to highlight?  At CC Pace we believe in giving back to the community and participate in multiple events each year. Over the past few years I’ve been involved with the Ronald McDonald house, Homestretch’s backpacks for school kids, and sponsoring local families for Christmas. Also, I enjoy helping out with the local animal shelter.
  • What professional groups do you belong to and what professional events do you attend? I attend NVTC events, Agile DC, and belong to WARN (Washington areas recruiters’ network) and ASA (American Staffing Association). I also represent CC Pace at job fairs and other IT conferences.
  • What is your favorite…
    • Food? Almost anything Asian, love the spices.
    • Movie? Pulp Fiction and American Beauty
    • Book? On the Road
    • Team? Redskins
    • Quote? “It’s just a flesh wound”
    • Dog or Cat? Dog
  • If you could do Carpool Karaoke with any singer living or dead, who would it be and why? Neil Young, I love his music and would be interested in talking to him about the days living in Laurel Canyon in the mid/late 60’s when all the great music/musicians were hanging out there.

Ron Peterson

Ron is our Senior Practice Manager for Federal Business Development. He focuses on building relationships and networking with government agencies on the local, state and federal level. Ron is probably one of the most easy-going people in the office. His calm demeanor and willingness to help out make working with him a true pleasure. Connect with Ron on LinkedIn.

So, Ron, tell us …

  • Do you participate in some community outreach you would like to highlight? For 30 years, I have been volunteering in Federal and State prisons and local jails.  Currently I am volunteering at Fairfax County Adult Detention Center.
  • What professional groups do you belong to and what professional events do you attend? I belong to ACT-IAC and National Contract Management Association (NCMA). I also attend various conferences and industry events representing CC Pace.
  • What is your favorite…
    • Food? Seafood
    • Movie? The Invisible Guest
    • Book? The Bible
    • Team? Yankees, Giants, and Golden State Warriors
  • What is your hidden talent? Chess and Bid Whist (Bid Whist is an exciting, popular partnership trick-taking game. It is played with a standard 52 card deck plus 2 jokers, for a total of 54 cards).

Suzie Wheeler

Suzie is our Talent Acquisition and Recruiting Manager. She is responsible for the on-going strategy to find employees for the company with specific skillsets and recruiting for our clients’ technical positions. Suzie is always smiling, happy and has a pep to her step. She brings her positive attitude and enthusiasm to the entire CC Pace team. Connect with Suzie on LinkedIn.

Other fun facts about Suzie are:

  • What professional groups do you belong to and what professional events do you attend? I belong to Women in Technology, SourceCon, and Project Save. I attend multiple events for various technical meet-up groups in the DC area, technical job fairs and agile conferences.
  • What is your favorite…
    • Food?  Mexican, Maryland Blue Crabs, Spicy foods
    • Movie? It’s hard to say just one, The Bucket List, Pay it Forward, The Notebook, Green Book
    • Book?  Disclosure by Michael Crichton, and The Secret by Rhonda Byrne
    • Team?  Dallas Cowboys and University of South Carolina teams
    • Quote?  “In the midst of movement and chaos, keep stillness inside of you” ~ Deepak Chopra
    • Dog or Cat?  Definitely dog
  • If you could witness any historical event, what would you want to see? Probably witnessing the life of Jesus, I have so many questions about the events of this timeframe.


Our recent quarterly meeting made for a fun afternoon and evening for everyone. We had a lively staff meeting with presentations, service awards and team building activities, followed by a festive gathering at Dave & Busters.

At CC Pace, we’re lucky to have so many tenured employees. As our team members celebrate their CC Pace anniversaries, they are recognized by their colleagues and leadership team for their contributions throughout the years. We kicked off our service awards recognizing Chris Soule, Technical Consultant, for his 5 year anniversary with CC Pace. Chris was hired for an opening we had on our development team for MSRB. His success with this client continues today, where he has become a key leader on the EMMA project working not only on the data base side, but also helping to revamp the user interface. Per our client, Chris is the epitome of a team player! Chris, may you continue to inspire us for many years to come!


George Perkins, Practice Manager, was recognized for celebrating his 25th anniversary with us! George was hired as our first full-time recruiter. Over the years, as the staffing area of the business has evolved, he moved into the role of an Account Manager for some of our major clients. George’s philosophy has always been work hard towards success and have fun while you’re doing so – and he does just that! George, we thank you for your energy, enthusiasm and corporate commitment!

To take advantage of the rare moments our people are actually all together, we used this time to engage in some team building activities facilitated by Debbie Shatz, Sudhindra Shetty and the "always up for a good time" George Perkins. Divided into 5 teams with red Solo cups in hand, our staff took aim at various building and stacking tasks (and, did we mention there were prizes?). Lots of cheering and yelling led to some pretty hilarious bragging rights for the winners!

EAT. DRINK. PLAY. We kept the party going and had everyone move over to the new Dave & Buster’s in Fair Oaks Mall for an entertaining evening! There was food, drinks, billiards and of course lots more games and plenty of, should we say friendly competition. Together everyone enjoyed some good old fashioned laugh-out-loud fun!

The new URLA is coming. But the status report, for July 2019, is decidedly Red.

Warning signs regarding the immensity of the forthcoming changes have been out for well over a year, yet it seems some lenders are just starting to realize the size and implications of the coming changes related to the new loan application – the Uniform Residential Loan Application (URLA, aka 1003 or form 66). This is the first of a short series of blogs exploring the benefits and challenges that lie ahead.

The URLA is undergoing a total redesign for the first time in 30 years and that is driving major changes in four areas:

  1. The application itself – its form, data elements, organization and fundamental operation
  2. Its corresponding data file, the Uniform Loan Application Dataset (ULAD)
  3. The agencies’ automated underwriting systems (DU, Fannie Mae’s Desktop Underwriter and LP, Freddie Mac’s Loan Prospector) submission, interfaces and files
  4. The retirement (or at least the freezing) of the Fannie Mae DU 3.2 file, which has long been the industry’s de facto standard for transferring data.

The optional date is coming soon – July 1, 2019 – and the required date is February 1, 2020 – not very far away for a truly major change.

When the subject of the new URLA came up at the recent National Advocacy Conference, a gentleman sitting at my table said, "My vendor is taking care of it." When he didn’t smile and the rest of us figured out that he was serious, the branch manager and the lawyer at my table both asked him, "You mean your vendor sets your policy for how to fill out the language preference, and whether you let the MLO do that instead of the borrower?"

I saw two other issues myself, including “Which vendor?” and “Are all your counterparties ready? Does your entire process work end-to-end?”

On the issue of leaving things to your vendor: even small lenders are likely to be dealing with two or more vendors who not only have to be ready individually, but whose systems have to be tested together to make sure that your process works.

Below is a simplified snippet taken from CC Pace’s Reference Architecture, showing internal interfaces that are affected by the new URLA:

 

That’s a lot of moving parts undergoing substantial change that need to continue to work together. Let’s look at things from the perspective of relatively common test cases. It seems reasonable to expect that a POS submission to DU and an LOS submission to DU will both work. But in an equally common, though decidedly more complex, scenario, where you take the application on the POS, transfer the loan to the LOS, rerun DU there and then request a set of documents from your doc vendor, it’s not hard to imagine that initially something will break down, simply because the parties made different assumptions.

On the issue of counterparty readiness, the reference architecture reveals even more counterparties and vendors that have to be ready and that you will have to test your process with:

 

But wait, there’s more! As far as the industry is concerned, not only do you and your counterparties have to be ready, but the entire ecosystem has to be ready, end-to-end. And the status for that is decidedly red.

Take the previous difficult test case and now extend it to a common industry chain. A broker starts the application, it closes with a mortgage banker who then sells it to a correspondent investor, who now runs Early Check or LQA on it, purchases it from the mortgage bank and then delivers it to Fannie or Freddie. It is known that this will not all work in July 2019.

Here is what I gleaned from the MBA ResTech call from May 16th, 2019:

  • Many individual vendors appear to be ready – but what that means is that they are ready to be tested in conjunction with other counterparties in the ecosystem
  • Not all components necessary for an agency correspondent transaction are ready
  • Correspondent Purchasers are starting to issue guidance that they will not purchase loans on the new URLA until 2020

It is CC Pace’s recommendation that every organization be extremely active in monitoring the status of the new URLA, both within and outside of their company; "our vendor is taking care of it all" cannot be the right answer. This July through February represents a significant and much needed test period, not just for the systems and your process, but also for your compliance and training.

Some Correspondent Purchasers are issuing their own guidance on the matter. Have you?