NGO City Broker: diving into potential answers to “how secure can this be?”

I received a great email yesterday about the NGO City Broker. “Why an NGO?” was the initial question. That actually came from a conversation with a good friend and longtime mentor. He pointed out to me that a city, with its bureaucracy, would never fully implement the broker model I envisioned. A third party, independent and chartered without profitability, would be more effective. So the why of an NGO rather than the city itself is flexibility, but also extensibility and deployability.


An NGO could span multiple cities. That means that a larger city could offer the NGO City Broker to a number of smaller cities. That would greatly increase the security stance of the smaller city, increase the regional security stance of citizens and decrease the overall costs for the smaller city. The NGO would sit outside of city government, so the larger city would simply be the initial customer rather than the CEO, CFO and COO wrapped around a city council meeting.

The second question was much harder, and it is one that I am pondering right now. My initial response to the question is here, but I am open to persuasion, as I don’t know that I have the right answer yet. The question was as follows: “your central security, and home black box concept is interesting but how would you build the infrastructure to implement something like that and be able to scale it quickly.” So, first of all, there is a product shipping someday, once they get out of their current code issue, that will serve as a jumping-off point.

1. A Blackbox deployed in the home of a citizen. The Blackbox has two components in its function. The first is to scan inbound and outbound packets for malware and other bad actions. Additionally, you can add virus scanning and secure file storage.

2. The Blackbox will also offer two different VPN (Virtual Private Network) options. The first is a secure connection to City services through the NGO City Broker. The second would be a VPN connection and quarantine for companies that are connected to and using the NGO City Broker.

The second one would be only for small companies that rely on unmanaged remote connectivity or don’t have the staff to manage it. The majority of businesses that are hacked today are small businesses. They tend to get hacked and go out of business within a year of the hack. The goal of creating an NGO City Broker is threefold:

· Create a unified cost model for cloud services, business services and city services within a city marketplace to reduce cost, increase service availability and increase service access.

· Create a more secure platform for citizen services within the city, region, state or sphere of the national government implementing the NGO City Broker.

· Provide ongoing support for and incubation of small business.

That central security service, and the ability to increase the security posture of the incubated small business community, is critical. Given the NGO’s ability to offer a number of services at lower cost to the new small business or the incubating business, we start off with a lower barrier to starting up this new company. Providing the additional security service is critical. Frankly, this would mean using the model currently leveraged by a number of companies and a number of government agencies. A CIRT (computer incident response team) issues bulletins and fixes for attacks. Security teams within the agencies do vulnerability scans, penetration testing and solution validation (during the solution development process, not after deployment). This model works; however, there is a cost to developing this type of model. That cost would have to be a shared service cost across the organizations engaged with the NGO City Broker: a connection fee that would include the components of cloud services, city services, security services and, of course, office space if needed. The risk for the city in this is that incubation and small startups don’t have revenue, and therefore don’t have a tax liability to start. The fee charged would have to give them greater access to services and ultimately more secure services.

The reality of modern computing is that we won’t be able to build a system that stops all hackers. Everything built by humans has holes in it. Hackers are incredibly smart, and they find holes. The goal of this system would be to proactively prevent stupid mistakes while reactively recovering from vulnerabilities. Thoughts?