Over the years, the federal government has created a series of mandates to promote better cybersecurity practices and solutions. Today, three such mandates guide most agency efforts: the Federal Risk and Authorization Management Program (FedRAMP) for cloud security; the Continuous Diagnostics and Mitigation (CDM) program for network visibility and data security; and the Trusted Internet Connections (TIC) program for internet-based security. These mandates are increasingly seen as interlocking pieces of a larger puzzle. That puzzle is this: How can agencies create a more agile IT environment without compromising the security of their networks, systems and data? Learn more insights on how these mandates support flexible cybersecurity strategies in “Your Guide to Mission-Driven Cybersecurity”, a guide created by GovLoop and Carahsoft featuring insights from the following technology thought leaders.
Enterprise Integration Platform Accelerates Modernization
“One of the most pressing IT issues in most agencies is the concept of technical debt, with agencies continuing to be constrained by their reliance on outdated legacy systems. They would like to wipe out that debt by adopting more modern platforms, but they struggle to make that transition. How can they bridge that gap between legacy systems and modern platforms? That’s where the concept of integration platform as a service comes in. iPaaS is a cloud-based service that integrates applications, data and processes across different cloud and on-premises platforms. Although iPaaS might be new to many agencies, it has been in use in the commercial sector for more than a decade.”
Read more insights from Dell Boomi Federal’s Vice President, Alan Lawrence.
In Lieu of a Perimeter, Put Security at the Edge
“Another challenge of working in a widely distributed environment is that the user experience becomes unpredictable. In the traditional network environment, users and systems outside the data center typically rely on a virtual private network (VPN) to connect to the network securely, with variable levels of performance. By pushing security services closer to the user or system – and by connecting users or systems directly to cloud applications and services – SASE ensures optimal bandwidth and low latency. This model also provides a consistent experience as a user moves from one location to another. Whether that user is working out of an office in Washington, D.C., from home, or at a remote location, they will have the same experience and better performance…”
Read more insights from Zscaler’s Vice President of Global Government and Compliance, Stephen Kovac.
Why Network Visibility Is Key to Business Continuity
“Most agencies provide employees with connectivity through virtual private networks (VPNs), but that can create a false sense of security. People often assume that if they are accessing agency resources through a VPN, then security controls are in place. But a VPN only secures the transport layer, not the information being transmitted within. Malware can communicate through, and in spite of, a VPN since it can affect systems at the kernel layer of the operating system. And consider this: When an employee connects a work laptop to the home network, it likely shares that network with everything from gaming systems, smart televisions and countless peripherals. To what extent does the agency have visibility into that environment and the vulnerabilities and threats that are already present?”
Read more insights from Infoblox Federal’s Principal Security Architect, Chris Usserman.
Observability Platforms: Because App Monitoring Is Not Enough
“The complexity of operations also makes it difficult for agencies to gauge the user experience. End-user or citizen services often involve multiple applications and systems, each of which must be factored into an overall picture of the end-user experience. For example, in the case of a citizen-facing service, performance depends on such variables as the quality of connection in the end users’ area, the browser they are using and their operating system, all of which must be factored into application performance. New Relic has adopted a standard scoring system, called Apdex, that factors in a wide range of dependencies to assess both application performance and the overall user experience.”
Read more insights from New Relic’s Director of Public Sector, Bob Withers.
The Cloud Era Requires Cloud-Ready Cyber Policies
“While data center consolidation is a priority, agencies know they will always have remote offices that need local compute power. In a traditional IT environment, that requires a local hardware stack and complex network infrastructure, with all traffic backhauled through security controls back at the data center. A software-defined wide area network (SD-WAN) simplifies this environment by enabling agencies to extend security controls to the edge and to optimize network traffic between a remote office and the primary data center. This approach provides those offices with optimal connectivity to resources both in the central data center and in the cloud.”
Read more insights from Carahsoft’s VMware GEH Team’s Senior Pre-Sales Solutions Engineer, Ethan Palmer.
Identity Emerges as Key Piece of Modern Cybersecurity
“Identity and access management is essential to modern cybersecurity. As agencies transform their IT environments through the adoption of cloud solutions, they need to ensure they can easily manage which users have access to which applications and data. Without that ability, transformation simply creates too many vulnerabilities. The challenge is that cloud solutions extend applications and data outside the traditional network perimeter and security controls. The more cloud solutions that agencies adopt, the more challenging it is to manage that environment…. Not only does Okta help agencies securely adopt cloud solutions, it also provides its solution through the cloud.”
Read more insights from Okta’s Principal Security Analyst, Security & Compliance, Michelle Tuggle.
Evolving Cyber Policies Clear Way for Cloud Adoption
“The federal government’s sudden, widespread transition to a remote work environment has highlighted the importance of its decision to make policy decisions that remove barriers to cloud adoption. In particular, the Trusted Internet Connection (TIC) 3.0 initiative has opened the floodgates for increased cloud utilization in a more efficient and holistic manner…. The changes have greatly expanded an agency’s ability to embrace cloud technology without degrading performance – while still applying appropriate security controls and reducing end-user friction. DHS has indicated they are transitioning the TIC program to a more descriptive, not prescriptive methodology, recognizing that there’s no one-size-fits-all approach to securing agency data.”
Read more insights from McAfee’s Senior Solutions Architect for Federal Civilian Agencies, John Amorosi.
Intelligent Network Visibility Serves as Security Force Multiplier
“The concept of network visibility – the idea that an agency should have a clear picture of all data-in-transit moving across the enterprise – is not new. But it has taken on new importance as agencies have extended applications and data from the traditional IT infrastructure to virtual and cloud infrastructures. If an agency lacks visibility across all three environments, they leave themselves vulnerable. Both the TIC and CDM initiatives have evolved to help agencies strengthen their cyber posture as they adopt cloud, mobility and other technologies as part of their IT modernization efforts. But the importance of securing this extended enterprise has been driven home more recently by the COVID-19 pandemic. As the virus spread, many employees ended up working from home… One of the primary challenges in a remote work environment is the volume of traffic that needs to be inspected.”
Read more insights from Gigamon’s Vice President of Federal, Dennis Reilly.
Why a People-Centric Approach to Security Has Become a Necessity
“For years, cybersecurity experts have said that the weakest link in an agency’s cyber defense is not a system but a human – the employee who clicks on a link in an email that introduces malware onto the network. Nonetheless, most organizations continue to think about security strictly as a technology issue.
A technology-centric approach to cybersecurity is essential, but not sufficient. Think about it from the attacker’s perspective. What is easier: identifying and exploiting the vulnerability of a network, or tricking a user into clicking on a link or opening an attachment? The nation’s recent history of data breaches, many of which began with phishing attacks, suggests that agencies need to take a people-centric approach as well.”
Read more insights from Proofpoint’s Resident Chief Information Security Officer (CISO), Federal Practice, Bruce Brody.
Why the Future of Security Is Cloud Native
“The importance of supporting the remote workforce has become even more apparent during the COVID-19 pandemic, which has led many agencies to allow employees to work from home. The situation also provides a key use case for natively cloud-based solutions. Most agencies have the capacity to enable some employees to securely telework some of the time, but what happens when a large number of employees need to work remotely all at once and with little notice? In theory, a cloud-based security solution should provide the necessary flexibility and scalability. However, many so-called cloud solutions were not designed for the cloud but instead retrofitted for it, relying on script languages to provide automated capabilities.”
Read more insights from Palo Alto Networks’ Director of Federal Business Development Capture, David Knisley, and Regional Sales Manager for Federal Systems Integrators, Dan Beaman.
Download the full GovLoop Guide for more insights from these government cybersecurity thought leaders and additional government interviews, historical perspectives and industry research on the FedRAMP, CDM and TIC 3.0 mandates from GovLoop.