When it comes to cybersecurity, federal IT leaders are overwhelmed by the number of threats, the volume of potential attack vectors, and the myriad solutions in a very crowded cybersecurity market. So where should agencies begin as they try to understand the cyber threat landscape and all of its associated risk?
Agencies will do well to focus on the fundamentals: the simple things that can be done right now to make a meaningful, measurable difference and to improve security posture. Several fundamentals apply regardless of the specific threat, the level of risk, or what the attack spectrum looks like.
Zero Trust Means Zero Trust
The first fundamental is zero trust. While it may sound straightforward, zero trust must truly mean zero trust. When you look at typical attacks, breaches, and data loss incidents from the past six months – even those outside of the federal government – most originated with a user or within an organization’s application in some way. These attacks succeeded because some level of trust was granted to an attacker, typically inadvertently.
Therefore, it shouldn’t be surprising that the security world is adopting the zero trust model – trust no one, trust no thing, trust no device. But what we’re really talking about here is strong verification using multi-factor authentication. For those in the federal space, this means CAC and PIV. The point is that cybersecurity is no longer focused only on the user, the application, and the database, but also on the endpoints. We know that attackers are creative and incredibly patient, so we must strengthen our systems against these threats. Device hardening, two-factor authentication, and a dedicated focus on validation across the entire environment are truly fundamentals in today’s landscape.
You Can’t Secure What You Can’t See
Bad guys use the very same technology we deploy to encrypt our data to perpetrate their attacks. They use encryption to hide their information, their intentions, and the critical content they are exfiltrating from our systems. In fact, bad actors often use the very same connections and data pathways that we use every day to do our jobs. However, manually decrypting and re-encrypting traffic to identify these threats – which is what many agencies do now – is incredibly difficult, puts a serious strain on network capacity, and can dramatically affect system performance.
To get back to fundamentals, agencies should adopt technologies that overcome these performance limitations, such as SSL Break and Inspect or Air Gap solutions. While inspecting traffic for threats may be a less exciting part of cybersecurity defense, it is truly an imperative and a fundamental that agencies must rely on. It’s time to look at our encrypted traffic and figure out what’s going on inside of it.
Fortify the Perimeter
Organizations’ perimeters are dramatically different from what they were just five years ago. Traditional perimeters were very rigid and structured; they had an edge around the data center, with multiple tiers and structures surrounding that core. A few years ago, we would set out to protect the perimeter at these very clear points. That structure no longer exists. The new perimeter is loosely defined by access and applications, both of which are independent of time, place, and device.
In my own life, I use 15 work applications on a daily basis, each of which is consumed in a different way. Some applications are housed in a public cloud, some are in a private cloud, others are on premises, and I access them at home, at a customer site, or in the office, from my phone and sometimes from a PC. For me, just like all other modern employees, I expect the same level of availability, performance, and security regardless of where I am, what time it is, and what device I’m on. This level of availability and access is a real problem for security professionals to solve, but it’s a fundamental one because these access points are constantly under attack. This fluid structure is the new perimeter that we must defend.
Advanced cybersecurity postures and proactive defense are possible. Peace of mind, security, strong authentication, single sign-on, and the avoidance of password fatigue are all achievable today in cloud, on-premises, and hybrid environments. The key to reaching this level of defense is to focus on the basics. To be most effective in government cybersecurity, agencies need to worry less about threat intelligence and all the new products on the market; to be successful, they must go back to the fundamentals.
To learn more about why agencies should embrace a broader, higher security posture to protect themselves, check out this whitepaper.