The coronavirus pandemic escalated government adoption of technologies like artificial intelligence, cloud, and the internet of things, as entire workforces shifted to telework. But just as agencies have adopted modern tech at record speeds, so too have cyber adversaries – and the rapid adoption of new solutions may create exploitable blind spots and gaps in security. Perimeter-less cloud-based systems present unique cybersecurity challenges, including maintaining visibility into a complex mix of cloud and on-premises systems. Grappling with the new reality of cloud-based environments requires government agencies to explore new strategies and best practices – including adopting a zero trust mindset, monitoring employee cyber hygiene, and investing in cybersecurity tools capable of simplifying complex tasks. Read the latest insights from industry thought leaders in cybersecurity in Carahsoft’s Innovation in Government® report.
How Employees Can Boost Cybersecurity
“Security controls are even more important in a world of perimeterless IT environments and expanding cloud adoption. Agencies need to appropriately budget for cybersecurity and apply the basic hygiene of security patching and vulnerability assessment. Those steps can cover about 80% of basic threats, and the security team can focus its energy on more complex threats. Having a strong team is the foundation of those efforts, but it’s not easy to recruit private-sector cybersecurity professionals for government jobs. An alternative is to recruit from within. The government should consider creating programs to train IT team members to take on higher-level cybersecurity roles, which helps agencies build effective teams and helps employees progress on a career path. Whether they bring in new talent or train existing employees, agencies must offer competitive salaries and benefits to keep cybersecurity professionals satisfied and engaged.”
Read more insights from SolarWinds’s Vice President of Products and Application Management, Jim Hansen.
A Better Approach to Telework Security
“This large-scale shift to working from home introduces interesting challenges for government agencies. How do they secure a growing number of remote devices while keeping employees productive? How do they enforce least privilege while allowing end users to perform necessary tasks? How do agencies secure devices, access and systems when the network perimeter has been stretched to support large numbers of remote workers? Some IT leaders have committed to VPNs or remote desktop access, both of which can be difficult to secure and scale. Devices are still at risk when they’re not connected to the VPN or remote access technology because of vulnerabilities in the home network. For example, agencies can’t protect against a family member or housemate using an employee’s home computer. They may also not be able to enforce whether or not basic software, such as antivirus or OS, is up-to-date on a personal device. The situation fundamentally requires a shift to the cloud.”
Read more insights from BeyondTrust’s CTO and CISO, Morey J. Haber.
Rethinking Security in the Age of COVID-19
“Although agencies are focused on telework security, they also need to think about what’s over the next hill. They should be aware that sequestration is likely just around the corner. Given the mounting deficit due to the pandemic-related stimulus package, I believe flat will be the new up for agency budgets, and when IT allocations shrink, security is often deprioritized. Now is the time to find smart ways to spend money. Agencies should look for multifunctional solutions, such as software-defined networking, and choose options that are intrinsically secure. Fortunately, we are on the cusp of a revolution driven by the intersection between the platform-based approach to cybersecurity and increasingly mature artificial intelligence. That convergence will tip the balance from attacker to defender.”
Read more insights from Fortinet’s Public-Sector Field CISO, Jim Richberg.
Visibility and the Quest for Zero Trust
“For the foreseeable future, agencies will use a blend of on-premises data centers, virtual environments, and public and private clouds. To better manage and protect those resources, agencies must have maximum visibility into all their data, including data in transit and encrypted data. A unified solution that provides pervasive visibility and manages information from a single pane of glass is increasingly important. That visibility enhances the security tools agencies are already using to defend their networks and improves the way they detect, investigate and respond to cybersecurity threats. In addition, zero trust architecture has gained a lot of momentum in the federal government. However, although agencies report that 80% or more of their network traffic is encrypted, we have seen that only about 30% is actually inspected. It’s a significant blind spot that must be addressed. Without pervasive visibility into data in motion — whether it’s in a physical or cloud-based environment — agencies can’t implement a zero trust architecture.”
Read more insights from Gigamon’s Vice President of Public Sector, Dennis Reilly.
The Growing Need for Asset Management
“More people are acting in decentralized ways right now, but that decentralization is part of a larger trend. Multi-month strategic plans are becoming a thing of the past, and fewer IT purchases go through the CIO’s office. According to researchers, over half of IT spending is now done by line-of-business leaders, not by a central function such as a CIO. Therefore, agencies must have a simple, comprehensive process for gaining insight into technologies as they’re added to the network. Otherwise, more security gaps will invariably occur. Those gaps are exacerbated by the pandemic because agencies cannot easily add secure data center capacity to support large-scale telework. It’s much easier to use a government purchase card to address a pressing need for videoconferencing, for example. But even approved cloud products and services are not secure by default. They need to be continuously monitored.”
Read more insights from Expanse’s CTO and Co-Founder, Matt Kraning.
The Key to Securing Cloud Resources
“The recent surge in telework affects the vast majority of government employees, including IT teams. But it is a challenge to manage and secure servers and other infrastructure located inside agency data centers without being able to physically access those resources. Given the restrictions on sending employees into government offices, many agencies are accelerating their move to cloud-based infrastructures, which essentially transfers the responsibility for physically managing servers to the cloud platform providers. Moving to the cloud is a logical and essential step toward enabling remote IT employees to gain access to systems and data, but it also expands the systems an agency must manage and heightens the need to control access to them.”
Read more insights from Centrify’s Chief Strategy Officer, David McNeely.
Adopting a New Defensive Strategy
“Threat actors are shifting their tactics to take advantage of your now decentralized workforce, which means the nature of your enterprise defines your threat landscape. To use a sports analogy, two teams face off against each other on a football field. The offensive line’s actions are executed to make it to the defender’s end zone. The line between the two is clearly defined, and each opposing team adjusts its actions to take advantage of the other’s potential gaps. Two factors come into play: visibility into how the opposing team is lined up and what plays it usually executes in that situation. In cyber, this requires visibility into where your teammates are, what your gaps are, where the opposing force is and what plays it may execute to take advantage of those gaps.”
Read more insights from Infoblox’s Principal Security Architect, Chris Usserman.
Why AI Transforms Cybersecurity
“The focus of protection has long been moving to the endpoint, but now that move is more pronounced than ever. However, agencies can no longer rely on a network to gain visibility into those end-user devices and know whether they are protected and what resources users are accessing. All that insight now happens via the endpoint rather than the firewall. The distributed nature of the workforce makes it harder to control where devices are and sometimes even to provision them. Along with allowing remote work, agencies must also allow remote security. That means they need to be able to monitor all those endpoints via the cloud, and devices need to have embedded mechanisms that deliver real-time protection regardless of cloud connectivity.”
Read more insights from SentinelOne’s Co-Founder and CEO, Tomer Weingarten.
A Unified Approach to Visibility and Security
“In one recent example of the growing sophistication of adversaries, Trustwave conducted a threat hunt that led to the discovery of a new malware family dubbed GoldenSpy. The malware was found embedded in tax payment software required for conducting business operations in China. GoldenSpy essentially is a backdoor that allows adversaries to inject malware or spyware into the company’s network. Even if you uninstall the tax software, the backdoor remains. Countering such threats requires coordinating a complex mix of on-premises, hybrid and multi-cloud environments. Furthermore, although a cloud provider typically offers security tools for securing data on its platform, those tools often won’t work across other cloud environments or give agencies complete visibility.”
Read more insights from Trustwave Government Solutions’s President Bill Rucker.
How to Build Stronger Security Teams
“Based on the lessons we’ve learned during the coronavirus pandemic, government networks may permanently become virtual, remote environments. The old approaches often don’t scale well for remote users, so the focus must shift to credentials and how to protect them. As computing resources move to the cloud, the credential is what glues everything together. Network defenders need to be able to record each action associated with a credential and know whether that behavior is normal or abnormal. With agencies operating in a complex mix of cloud and on-premises environments, it can be difficult to understand what’s going on and, more important, what’s normal and what’s abnormal. Machine learning through modeling allows agencies to answer those questions more quickly, more efficiently and with a higher degree of confidence than humans can.”
Read more insights from Exabeam’s Chief Security Strategist, Steve Moore.
Ripple20: A Mission-Critical Risk
“Forescout worked with JSOF, which first uncovered Ripple20, to identify the devices and vendors impacted by these vulnerabilities. JSOF estimates that hundreds of millions of internet of things and operational technology (OT) devices are at risk, and they are as varied as printers, uninterruptible power supplies, medical infusion pumps and industrial control systems. In short, Ripple20 can disrupt mission-critical technology that security teams typically don’t spend much time managing and sometimes can’t manage because the embedded software is not accessible. Unfortunately, that means there is no single manufacturer with a practiced way to fix the software. Instead, the burden falls on security teams to understand and mitigate the risk.”
Read more insights from Forescout Technologies’ Director of Federal Civilian Agencies, Erik Floden.
Download the full Innovation in Government® report for more insights from these Government Cloud Security thought leaders and additional industry research from FCW.