Cyber security is never considered easy, and it’s made more difficult when your security solutions don’t match your network architecture. The federal security solutions in use today were built during a time when a hardened perimeter delineated a “trusted” network boundary. The approach was simple: Protect that boundary and everything that existed inside of it remained secure.
With federal employees tied to desktop computers and remote work not yet an accepted practice, information security professionals could dedicate their resources to keep this well-defined network as protected as possible. That, though, is no longer the case.
The Changing Perimeter
Current security strategies, such as the Trusted Internet Connection (TIC), EINSTEIN and others, were built with perimeter defense in mind. But, given the push for a more mobile workforce and the advancement of Bring Your Own Device (BYOD) policies, today’s IT environments have evolved to include cloud computing services, including IaaS, PaaS and SaaS.
As federal employees access cloud computing services outside the traditional perimeter – whether it be through a remote work station at their home, at a remote branch office, or on a mobile device out in the field – the boundaries of yesterday no longer apply. The boundaries of today are simply where the data exists, whether that’s on-premise or in the cloud.
As agencies start to implement the recommendations included in the recently released IT Modernization Report, that boundary will be pushed even further out, as the report directs agencies to modernize the legacy systems that run government today. In doing so, agencies will need to adopt new technologies and cloud capabilities that TIC and other architectures are too outdated to support.
As such, federal agencies will need to alter how they think about, and approach, their security strategies. They must transition to a defense-in-depth approach that focuses on securing the data – as opposed to solely focusing on the physical perimeter – at every stage of its lifecycle.
A New Structure
Under this new modernized, cloud-centric architecture, critical data will be housed in multiple areas – within an agency’s own environment as well as a cloud service provider’s (CSP) FedRAMP-authorized data center. But even with the FedRAMP authorization, not all risk will be transferred to the CSP.
The shared responsibility model requires agencies to manage FISMA controls associated with data in the CSP platform, requiring constant configuration management to mitigate technical and human factors.
Agencies must modernize their security architectures to support a hybrid approach, one that improves security for legacy on-premise systems while enabling adoption of cloud and mobile platforms. One that adds redundancy without introducing further risk, complexity and cost.
Protecting the Data
To do this, agencies need to figure out how to implement solutions that can get down to the data itself and apply protections no matter where it resides. By taking a data loss prevention (DLP) approach, agencies receive discovery, monitoring and protection capabilities, enabling total visibility and control over their data whether on-premises or in the cloud.
This approach will also eliminate blind spots, support compliance efforts to defend intellectual property, control endpoints and safeguard data through encryption and policy enforcement. Additionally, as agencies continue to move critical data between on-premise and cloud environments, this approach will allow them to effectively manage access of that data, including establishing multi-factor authentication, enforcing uniform policies and better managing shadow IT to deter unsanctioned usage.
Finally, configuration management for cloud applications and associated data must be constantly evaluated relative to “actual-state,” using tools which can identify improper configuration and usage. This allows security leaders to provide automated remediation in real-time for unusual and illicit data use.
IT modernization is bringing government forward. A push to deploy new technologies will result in increased efficiencies and operability, but requires a complete change in thinking about security. The perimeter-only model worked in its time, but as federal agencies modernize outdated systems it must modernize its security approach as well. As the perimeter disappears, we can only hope that the old way of approaching security follows. Agencies need to focus on the data, whether that be on-premises, at the endpoint, in the cloud or anywhere in between. This is the new security model.
For additional information on how to better protect down to the data itself, click here. And please check back for our next blog in the modernization series, as we look at what the federal IT Modernization Report really means for cyber security.
If you found this information useful, you may also enjoy:
- WEBINAR: Making Sense of Federal IT Modernization
- DATA SHEET: Drive Total Protection of Your Sensitive Data
- Report to the President on IT Modernization
We encourage you to share your thoughts on your favorite social platform.