Compliance with federal regulations is the least that government agencies can do to protect themselves from cyber-attacks. After all, data breaches and insider threats still persist (and still make headlines), despite the many new regulations passed every year.
Because bad actors find ways to get around compliant systems, agencies are still vulnerable even after they’ve aligned with current legislation and guidelines. In fact, that’s when the real work begins.
Lock Data Down with Code Signatures
If compliance doesn’t ensure security, what else can agencies do? First of all, they can evaluate their approaches to security. The traditional approach is to think in terms of protecting a perimeter, as if the object of the threat were a physical location.
But what adversaries really want is access to data. To protect their data, agencies require a different approach, one in which the data defends itself. Instead of building more and more walls around data, agencies can use code signatures to lock down on data. This ensures that nothing on Earth that can touch it except the very specific applications run by the very specific service accounts that access it.
This prevents malicious actors from moving laterally across a penetrated system and cherry-picking valuable data to steal.
Encrypt Data without Restricting Workflow
Credentials lie at the heart of any security strategy. Unfortunately, if an administrator’s password is cracked, the adversary can move through a system without triggering any flags or warnings. According to the system, the admin account is the admin account, not a foreign agent exporting data.
Some agencies try to solve this problem by encrypting all their data. This prevents the users responsible for administering the data from fully accessing it. Challenges arise, however, when a mission critical system goes down, but too few users have the permissions necessary to fix it.
So encryption alone isn’t enough. Instead, agencies can wrap access controls around encrypted data to fill in the gaps. Those who absolutely need access to sensitive data can access it, while the others can still orchestrate the environment it lives in without putting sensitive data at risk. In conjunction with a comprehensive access control platform, agencies can also record all interactions with the data, allowing oversight and automatically triggering flags if user behaviors turn suspicious.
Measure Security Surpluses and Deficits
In an era of shrinking resources and rising expectations, agencies can benefit from thinking in terms of security surpluses and deficits. If an agency’s department commits 70 percent of its budget to a firewall, but that tool only provides 40 percent protection, then it’s currently producing a security deficit, for example.
With new tools that enable more powerful data encryption and more thorough access controls at quicker speeds, agencies can turn that deficit into a protection surplus. The key is to focus less on armoring systems and more on implementing more on data-protection controls from the center outwards. This allows agencies to reevaluate their current security investments and make informed budget decisions.
Learn more about how government agencies can maximize their cybersecurity budgets in this GCN article on Carahsoft’s Innovation site and read Thales E-security’s 2017 report for a full breakdown of threats facing federal agencies.