The Role of Identity Governance in the Implementation of DoD Instruction 8520.04

Posted on by Frank Briguglio

On September 3, 2024, The Department of Defense (DoD) released Instruction 8520.04, titled “Access Management for DoD Information Systems,” that serves as a foundational policy guiding the secure and efficient management of access to DoD information systems. The instruction mandates protocols for managing access across various environments, including military networks and systems used by both person entities (PEs) and non-person entities (NPEs) such as devices, applications, and automated processes. At the core of this policy is the principle of identity governance, which is essential for ensuring that access to sensitive systems and data is granted, monitored, and revoked based on verified identity attributes and defined security policies.

In the dynamic cybersecurity landscape, the concept of identity governance refers to the frameworks and processes that manage the lifecycle of digital identities. This includes the creation, management, and deletion of user accounts as well as the provisioning and de-provisioning of access rights based on a combination of user attributes, roles, and organizational policies. Identity governance is critical for compliance with the DoD’s Zero Trust Architecture, as outlined in the DoD Zero Trust Strategy. It emphasizes least privilege, continuous verification, and dynamic access control, all of which are key components of DoD Instruction 8520.04.

The policy serves as maturation of the departments ICAM initiatives over the past few years and highlights some key concepts that need to be adopted across the departments ecosystem. Here are some key examples of how identity governance aligns with and strengthens this policy:

1. Access Control and Provisioning

One of the primary elements of identity governance is the effective provisioning and de-provisioning of access. This aligns with Section 4 of DoD Instruction 8520.04, which mandates that access to systems be carefully controlled through explicit or dynamic mechanisms. Explicit access involves manually provisioning access rights to specific users, which must be meticulously documented and approved by system or resource owners. On the other hand, dynamic access relies on real-time attribute verification to grant or deny access based on the most current information available, such as the user’s role, location, or security clearance.

SailPoint Identity Governance for the DoD Blog Embedded Image 2024

Identity governance solutions play a crucial role in these processes by automating provisioning and de-provisioning based on predefined policies. When a user’s role changes or they leave the organization, governance systems automatically adjust access rights, ensuring compliance with de-provisioning requirements. This automatic adjustment helps prevent orphaned accounts—user accounts that are no longer needed or authorized—which can pose serious security risks if left unmanaged.

2. Authoritative Attribute Services

DoD Instruction 8520.04 emphasizes the importance of authoritative attribute services (AAS) in maintaining the accuracy, integrity, and security of identity attributes used in dynamic access decisions. Identity governance frameworks are designed to integrate with these authoritative services, ensuring that identity attributes such as security clearance levels, employment status, and role-based entitlements are accurate and up-to-date. This enables the DoD to enforce dynamic access control based on real-time identity data.

For example, a DoD system that relies on dynamic access might check a user’s current security clearance, job function, or location in real time before granting access to a sensitive file or system, or assign a critical role. These checks are enabled by robust identity governance systems that pull data from authoritative attribute services and apply organizational policies to ensure that access is only granted to those who are fully authorized and meet the predefined criteria.

3. Least Privilege and Separation of Duties (SoD)

The concept of least privilege—granting users the minimum level of access necessary to perform their duties—is another foundational principle of both identity governance and DoD Instruction 8520.04. In Section 4.2 of the instruction, system and IT resource owners are required to document and implement explicit access policies that adhere to least privilege standards. Furthermore, systems must implement SoD controls to prevent a single user from having conflicting roles, such as both creating and approving financial transactions.

Identity governance frameworks are uniquely equipped to manage SoD by automating the assignment of roles and enforcing policies that prevent users from being granted conflicting privileges. Governance solutions continuously monitor user access and provide alerts if SoD violations occur. By integrating these capabilities with the DoD’s access management protocols, identity governance helps ensure that users cannot escalate their privileges or circumvent access controls, thereby reducing the risk of insider threats and security breaches.

4. Continuous Auditing and Compliance

Continuous auditing and monitoring of user access is a critical requirement under DoD Instruction 8520.04, particularly for privileged users. Identity governance solutions enable DoD components to implement robust audit trails that track every access request, change in privileges, and system interaction. This is particularly important for IT privileged users—those with elevated access to critical systems and sensitive data—who require enhanced monitoring to detect and respond to suspicious activity.

Through the use of identity governance tools, DoD organizations can enforce periodic access reviews, as mandated by the instruction, to ensure that users only have the access they need and that privileged access is justified and properly documented. These reviews are automated and documented within governance systems, reducing the manual workload on administrators and enhancing the overall security posture by ensuring compliance with regulatory requirements.

5. Integration with Zero Trust Architecture

The DoD Zero Trust Strategy emphasizes the need for continuous verification of users and devices as they request access to systems and data, rather than assuming trust based on their presence inside the network perimeter. Identity governance systems are integral to the implementation of Zero Trust principles within the DoD, as they enable real-time verification of identity attributes and ensure that access is granted only after all conditions are met.

For instance, an identity governance system might check not only a user’s identity but also their security status, the network they are using, and the time of the access request before enabling access to sensitive data. This multi-layered approach to access control ensures that even if one security measure is compromised, others are in place to protect critical resources.

In Conclusion

Identity governance is a foundational element of the DoD’s efforts to secure access to information systems under DoD Instruction 8520.04. By providing a structured approach to managing digital identities, provisioning access, enforcing least privilege and separation of duties, and maintaining continuous auditing and compliance, identity governance systems enable the DoD to meet the stringent security requirements laid out in the instruction. Furthermore, identity governance is a critical enabler of the DoD’s shift toward a Zero Trust Architecture, ensuring that access to sensitive systems is dynamically controlled based on real-time identity attributes and organizational policies.

As cyber threats continue to evolve, the integration of identity governance with access management protocols like those found in DoD Instruction 8520.04 will be crucial in maintaining the security and integrity of the DoD’s information systems and the data they protect.

For a details of how SailPoint Identity Security supports the departments current ICAM and Zero Trust initiatives, and specifically how the capabilities of the platform align with the requirements of the policy, please download the report here.

The 10 Cybersecurity Events for Government in 2024

Posted on by Steve Jacyna

In the fast-paced world of Cybersecurity, staying ahead of evolving threats and industry trends is paramount for Government agencies and the ecosystem that supports them. From in-depth discussions on certification processes to cutting-edge solutions for modern cyber threats, Carahsoft and our partners’ cybersecurity events promise to provide valuable insights, networking opportunities and practical strategies for enhancing Government cybersecurity posture.

Join us as we delve into cybersecurity excellence and empower Government entities to navigate the digital landscape with confidence and resilience.

Public Sector Day at RSA Conference

May 6 | San Francisco, CA

Attendees joined us for our 11^th Annual Public Sector Day event at RSA Conference. They heard from pioneering figures in Government as they shared their perspectives on the forefront cybersecurity challenges facing the Public Sector. As cyber threats continue to challenge all levels of Government, attendees learned how Government and industry are working together to protect communities at all levels from ransomware, thefts of data, election security challenges and attacks on critical infrastructure. Carahsoft was proud to host this event for our 11^th year. We will be back in 2025 in San Francisco and hope to see you there! Access our podcast series for a recap of the sessions and discover how to protect your organization’s sensitive information by leveraging compliant cloud authentication services.

AFCEA TechNet Cyber 2024

June 25-27 | Baltimore, MD

A flagship event, AFCEA’s TechNet Cyber serves as a center of gravity for a whole-of-government effort to bring together the policy, strategic architecture, operations and C2 – along with the joint capabilities – needed to meet the global security challenges and successfully operate in a digital environment. Join us in Baltimore and be part of the conversation led by U.S. Cyber Command, DISA, the DoD CIO and numerous industry and academia partners to deliver solutions for this enduring, no-fail mission. Carahsoft will host a pavilion on the exhibit floor that features more than 50 of our technology partners showcasing a range of cybersecurity solutions. Visit our website for more information!

2024 SANS Government Solutions Forum

July 25 | Online

Government agencies face a continuing stream of legislative, executive and oversight recommendations, constantly keeping teams and technologies on their toes. This SANS Government Security Forum equips Public Sector cybersecurity teams with the essential knowledge to address these challenges and modern threats head-on. Carahsoft has partnered with SANS to host this event for our third year in a row. Hear from Government and industry leaders on the latest in cybersecurity.

DOE Cybersecurity and Innovation Conference

July 29 – August 1 | Dallas, TX

Carahsoft is proud to be a sponsor of the DOE Cybersecurity and Innovation Conference. This event will explore the developments and challenges in cybersecurity, technology innovation, workforce development, and critical infrastructure protection. Speakers and attendees will include top thought leaders from across the DOE enterprise, the federal interagency, academia, international partners, and private industry leaders for thoughtful conversations about cybersecurity, modernizing IT and OT environments and solutions, sharing tools, data management, technology, and best practices with the energy industry, and developing technical solutions to meet national challenges.

Carahsoft will have a booth on the exhibit floor that features and handful of our technology partners showcasing a range of cybersecurity solutions. We will also host a networking happy hour on July 30^th from 7:30 – 9:30 pm CST. Stay tuned for more information!

Black Hat USA 2024

August 3-8 | Las Vegas, NV

Now in its 27th year, Black Hat USA returns to the Mandalay Bay Convention Center in Las Vegas with a six-day program. The event will open with four days of specialized cybersecurity trainings with courses for all skill levels. The two-day main conference (August 7-8) will feature more than 100 selected briefings, dozens of open source tool demos in Arsenal, a robust Business Hall, networking and social events and much more.

Carahsoft is pleased to host a networking reception for our vendor partners and their customers. Join us for food, drinks and networking!

Billington CyberSecurity Summit 2024

September 3-6 | Washington, D.C.

Join over 2,500 attendees and 200+ top speakers participating in more than 40 sessions and breakouts at the leading Government cybersecurity summit. Hear from speakers with years of experience in mitigating cyber threats, offering valuable insights. Government, military, nonprofit, academia and industry thought leaders will present major cyber trends and discuss solutions for current field issues. Carahsoft and more than 50 partners will showcase a full range of cybersecurity solutions in our partner pavilion on the show floor. Register Now.

The National Cyber Summit

September 24-26 | Huntsville, AL

National Cyber Summit is the nation’s most innovative cybersecurity technology event, offering unique educational, collaborative and workforce development opportunities for industry visionaries and rising leaders. NCS offers a cyber conference with diverse focus-areas, premier speakers and unmatched accessibility focused on education, collaboration and innovation.

Visit Carahsoft at our booth on the show floor and explore our CMMC Solutions Showcase.

Carahsoft Cyber Leaders Exchange

October 1-2 | Online

Discover how agencies are leading the way as the Government “fundamentally re-imagines America’s cyber social construct”. During this exclusive two-day virtual event, Federal News Network and Carahsoft will sit down with cyber leaders and experts to dive deep into efforts across Government to bring the White House vision to life and strengthen Federal cyber capabilities. Tune in for multiple sessions featuring some of our leading technology partners.

Innovate Cybersecurity Summit

October 6-8 | Scottsdale, AZ

Powered by the collective knowledge of cybersecurity executives, practitioners and cutting-edge solution providers, Innovate Cybersecurity Summit is the premier resource for CISO education and collaboration. The Reverse Expo, a featured session, is a highly interactive engagement model and a refreshing way for technology vendors to meet with attendees. Carahsoft is a premier sponsor of the event and will have a partner pavilion featuring some of our leading cybersecurity partners as well as networking events throughout the summit.

Carahsoft Cybersmart Series: State and Local Government

November 7 | Austin, TX

Carahsoft has partnered with FedInsider for a series highlighting and discussing topics on cyber in Government. Join us to hear cyber experts in State and Local organizations discuss the latest cybersecurity threats to the Public Sector and what steps State and Local agencies are taking to protect against them. This year’s half-day event focuses on how the release of AI into the broader computing environment is affecting cybersecurity strategies across the Public Sector. Collaborate with peers, thought leaders and key partners in Austin or watch the panel discussions online in a follow-up webinar!

Do not miss out on the opportunity to engage with industry experts, explore innovative solutions and network with like-minded professionals at our 2024 events. Secure your spot today and take proactive steps towards safeguarding your organization’s critical assets in an ever-evolving cyber landscape. Together, let us strengthen our cybersecurity defenses and pave the way for a more resilient Government cybersecurity ecosystem.

To learn more or get involved in any of the above events please contact us at CyberSecurity@carahsoft.com. For more information on Carahsoft and our industry leading Cybersecurity technology partners’ events, visit our Cybersecurity Solutions Portfolio and Cyber Events page.

Securing Operational Technology with Cyber-Informed Engineering

Posted on by Andrew Ginter

Cyber-Informed Engineering (CIE) is an initiative by Idaho National Laboratory with funding from the Department of Energy (DOE). The goal of CIE is to secure physical operations through the combination of cybersecurity and engineering approaches. Today, engineering mitigations are used from time to time to address cyber risks but are used neither universally nor systematically. CIE recognizes the importance and necessity of using both engineering tools and conventional cybersecurity designs to secure operational technology (OT) networks.

Protecting Critical Infrastructure

Access to OT information in IT networks, very often through PI servers, is essential to many kinds of business automation, such as automatically ordering spare parts or scheduling maintenance crews. However, because all modern automation involves computers, as businesses continue to automate processes more targets for cyberattacks are created. In addition, data in motion is the lifeblood of modern automation, but all cyber-sabotage attacks on OT systems are information, and every connection between systems and IT/OT networks is an opportunity for attacks to spread. Thus, the more automation is deployed, the more opportunities are created to attack the ever-increasing number of targets. Cybersecurity is an issue that becomes steadily more pressing as businesses automate.

The IT/OT boundary, where PI servers tend to be deployed, is very often a consequence boundary. Worst-case consequences on the OT network are very often dramatically different and more severe than consequences on IT networks. Worst-case business consequences often include expensive incident response costs, such as businesses having to buy identity fraud insurance for customers whose information was leaked into the Internet. On the other hand, worst-case consequences for OT networks in a power plant or a high-speed passenger rail switching system often include threats to worker and public safety, or to the availability of critical infrastructure services to the nation. When worst-case OT consequences are unacceptable, engineering-grade protections must be deployed at the IT/OT interface to prevent worst-case scenarios from being realized.

Waterfall Security OT and Cyber-Informed Engineering Blog Embedded Image 2024

Conventional OT Security Programs

Using exclusively IT style mitigations to protect critical OT networks is often not enough—when public safety or critical infrastructures are at risk, it is not enough to hope that cyberattacks can be detected before they compromise critical infrastructure. It is not enough to hope that if detected in time, an incident response team can be assembled fast enough to prevent consequences. Engineering-grade designs are expected to reliably perform critical physical operations within a specified threat environment until the next scheduled opportunity to upgrade defenses, with a large margin for error.

The Threat Landscape

Remote-controlled attacks are the modern attack pattern used by hacktivists, ransomware criminals and nation-states. Modern remote-controlled attacks use social media research and clever phishing emails to trick potential victims into revealing passwords or opening malicious attachments. Once remote attackers gain a foothold in their target network, they control the compromised machine remotely, using it to attack other machines through layers of firewalls, including the IT/OT firewalls deployed to send OT data into PI servers to enable IT/OT integration. Attackers then repeat, spreading further until they reach essential OT systems or valuable information that a business would be willing to pay to recover.

‘Living off the land’ is another type of remote-controlled attack seen recently. After gaining a foothold in an IT network, attackers erase all hint of their presence, including any malware that was used to gain their foothold. Eventually compromising the IT domain controller, attackers create their own remote access and credentials. These new accounts look like a normal employee logging in; no alarms are raised as the attackers use normal operating system tools in their attacks, making them extremely difficult to detect.

Unbreachable Protection with Unidirectional Gateways

In the face of sophisticated remote-control attacks, safe integration of critical OT networks with PI servers and other business automations must involve network engineering. The most common approach to network engineering is to protect the IT/OT consequence boundary with a Unidirectional Gateway. The gateways are a combination of hardware and software; the software makes copies of PI and other OT servers from OT networks, while the hardware allows information to travel in only one direction, from the OT network out to the IT network. The gateways move OT data out to where the enterprise can use it while preventing any remote-control attacks or attack information getting back through into the OT network. Even if a deceived insider carries a piece of malware into an OT network and inadvertently activates it, that malware cannot connect out to the Internet through the gateway, much less receive any attack commands from the Internet.

Increasingly, critical infrastructures are expected to have OT networks that operate reliably and independently of the IT network, even when the IT network is compromised. A Unidirectional Gateway provides OT data to PI servers and other business automation, with no ability for malware, remote-control commands or other attack information to penetrate the gateway into operations. By eliminating the risks associated with firewalls at the IT/OT consequence boundary, industrial enterprises can be confident of the integrity of their OT systems, even in the face of the most sophisticated of modern, network-based attacks.

As Cyber-Informed Engineering emerges as the most important change in OT security in a decade, Waterfall Security’s Unidirectional Security Gateways, certified to be truly unidirectional, are leading the world in safe IT/OT and OT/cloud integration, even in the face of the most sophisticated of cyber threats. Watch our webinar “Cyber-Informed Engineering for OT Security and AVEVA PI Users” to see how Waterfall’s solutions enable safe IT/OT integration and protect safe and reliable physical operations, especially for AVEVA PI installations.

Elevating State and Local Government Services in California Through Transformative Technology

Posted on by Robert Moore

State and Local Government agencies are constantly seeking ways to improve their services and processes to better serve their constituents and must embrace new technologies, prioritize cybersecurity and ensure data privacy to achieve this goal. These important topics were discussed by Government IT and industry leaders at the Carahsoft Digital Transformation Roadshow in San Jose, California. Speakers covered how to implement emerging technologies, enhance customer experience and protect constituents’ privacy and security through innovation, artificial intelligence (AI), cybersecurity and data privacy solutions.

Innovating Service Delivery to Constituents

Using advanced technologies can significantly elevate service delivery to constituents in several ways. Firstly, it can enhance the speed and efficiency of Government services, allowing constituents to access information and services more quickly and easily. Secondly, advanced technologies improve the accuracy and quality of Government services through data analytics that help identify patterns and trends, reduce errors and improve outcomes. Finally, advanced technologies increase transparency and accountability, allowing constituents to track the progress of their requests and hold agencies accountable for their actions.

State and Local agencies are often faced with a lack of resources, making it imperative to leverage new technologies and processes to save time and money. The updated systems must also be secured to protect their constituents’ data which requires significant planning, resources and collaboration to achieve successful implementation. Additionally, agencies must ensure that any changes they make comply with legal and regulatory requirements, such as data privacy laws and accessibility standards.

State and Local Government Roadshow Series California Blog Embedded Image 2024

AI solutions are just one of the successful implementations that has enabled agencies to streamline processes and upgrade service offerings to constituents. The adoption of innovative technologies has facilitated faster and more efficient interactions with constituents, leading to improved customer service and satisfaction. The integration of AI technology for real-time data analysis has also empowered agencies to make informed decisions and respond promptly to community needs.

Assessing the Impact of AI

Generative AI is a type of AI that can create new content, such as images, videos and text based on data it has compiled. By studying generative AI, State and Local agencies can develop policies and guidelines for the responsible use of this technology, including measures to prevent the creation and dissemination of harmful or misleading content.

Additionally, studying generative AI helps Government agencies identify potential applications for this technology that can benefit society, such as creating realistic simulations for training purposes or prompting new scientific discoveries. By understanding the potential benefits and risks of generative AI, agencies can make informed decisions about incorporating this technology in their operations.

If leveraged for services and processes, AI could provide many benefits to State and Local agencies through several means:

Chatbots and Virtual Assistants: handle citizen inquiries, provide information about Government services and assist with simple transactions.
Data Analysis and Predictive Modeling: analyze large volumes of data to identify patterns and trends, enabling State and Local agencies to make data-driven decisions in areas such as public safety, resource allocation and urban planning.
Automation of Routine Tasks: automate repetitive and time-consuming data entry and document processing, freeing up employees to focus on more complex and high-value activities.
Fraud Detection and Prevention: detect and prevent fraudulent activities, such as tax evasion and benefit fraud, thereby safeguarding Government resources and taxpayer funds.
Accessibility and Inclusivity: improve accessibility for individuals with disabilities by providing speech-to-text and text-to-speech capabilities, as well as other assistive technologies.

Cybersecurity and the Current Threat Landscape

State and Local Government agencies play a crucial role in national security, and their systems and data must be protected to prevent potential vulnerabilities that could be exploited by malicious actors. The current threat landscape includes sophisticated cyber threats such as ransomware, phishing attacks and advanced persistent threats. Robust cybersecurity measures are necessary to defend against these evolving threats and prevent disruptions to Government services.

Sensitive citizen data, including personal, financial and health information is often handled by State and Local agencies. Therefore, it is important for agencies to maintain strong cybersecurity and data privacy to uphold the public’s trust and confidence. By adhering to data protection regulations and compliance requirements, such as the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR), agencies can preserve the integrity of Government operations.

Several agencies have successfully implemented cybersecurity and data privacy measures:

Multi-Factor Authentication (MFA) to strengthen access controls and protect sensitive systems and data from unauthorized access.
Data encryption to protect sensitive information both at rest and in transit.
Incident response planning to effectively address and mitigate cybersecurity incidents.
Compliance with data protection regulations such as HIPAA, GDPR and the Payment Card Industry Data Security Standard (PCI DSS).
Cybersecurity training and awareness programs to educate employees about cybersecurity best practices, phishing awareness and the importance of data privacy.
Collaboration and information sharing with other agencies, law enforcement and cybersecurity organizations to stay informed about emerging threats and best practices in cybersecurity.

The path to elevating State and Local Government services requires a strategic incorporation of transformative technologies, notably AI, cybersecurity and data privacy. Leveraging advanced technologies can enhance interactions with constituents, fostering efficiency and transparency. Amidst resource constraints, agencies must implement AI solutions while also prioritizing robust cybersecurity measures. Agencies must navigate digital transformation with responsibility, ensuring the delivery of efficient, secure and privacy-focused services, thereby forging a future where technology elevates governance while upholding public trust.

Explore more resources and learn more about Carahsoft’s State and Local Roadshow Series: Digital Transformation by visiting our Roadshow portfolio.

EdTech Talks: A Comprehensive Look at Security in Education for Safe Learning Environments

Posted on by Tim Boltz

Emerging technologies today are providing K-12 schools and higher education institutions with the capabilities to support seamless and secure campus efforts, which ensures protection of academic environments as well as students, faculty and staff. Remaining vigilant, versatile and adaptable in the current education landscape, especially when it comes to security and student safety, are the most important considerations for education leadership when deciding what new solutions and integrations to incorporate into their schools.

Carahsoft’s annual EdTech Talks Summit brought together industry and education thought leaders to explore three tactical learning tracks: safety for the learning environment, the impact of technology on student growth and development, and modernizing education with artificial intelligence (AI) and machine learning. During the first day’s discussion, speakers provided insights into building safe learning settings with a comprehensive look at both cyber and physical security in education.

Analyzing Current Security Risks

Education institutions face a myriad of cybersecurity challenges such as ransomware, third-party access to school systems, internal bad actors and stolen credentials. One of the most impactful vulnerabilities is a lack of awareness across school communities regarding security. For example, individuals who are unable to recognize a phishing text message that asks the receiver to click on an unsafe link because an account has been frozen may potentially put their own data and their school’s data at risk of exposure.

While cybersecurity is one of the most important aspects of cultivating a successful learning environment, it is just as important to consider physical security for a safe learning environment. Building and campus surveillance, visitor management monitoring, lock down and fire drills, active shooter and crisis management are among some of the ways schools provide personal security for students and staff. With so many aspects of security to manage, schools also must balance being open, inclusive and engaging with communities and culture to provide more expansive learning opportunities while simultaneously protecting against threats on limited budgets.

Protecting Against Cyber Threats in the Modern World

For improved security, educators and industry leaders must collaborate to take proactive measures to safeguard digital infrastructure, data and physical campuses. The best place to start is by ensuring the fundamental standards of cyber defense are in place, functioning properly and are continuously monitored and modernized. This includes solutions and processes such as:

Utilizing multi-factor authentication (MFA) whenever possible
Email and phishing security to avoid ransomware
Maintaining a high standard of digital hygiene through services such as patching and vulnerability management
Creating robust and resilient backup strategies for all data at endpoints and in the cloud
Performing recovery testing to ensure backups and other operations are working accordingly
Providing resources and trainings to engage with school communities to raise awareness of ways students and teachers can defend themselves against physical and cybersecurity threats
Implementing a “see something, say something” mentality across school communities to ensure all potential risks are reported and mitigated
Hiring IT staff and educators who are passionate about the security and safety mission set forth by an institution and allow them to provide new ideas and innovation
Investing in quality cyber insurance to protect institutions against setback from a ransomware attack
Conducting frequent audits to ensure school’s systems are compliant with the latest policy requirements and standards in the case a claim must be made

Security Implementation for Institutions

Industry and education experts alike understand the importance of providing a safe space for all students, whether inside schools or online, and continuously aim to make sure their experience is as productive and valuable as possible. Particularly within higher education, many universities and colleges have individual point solutions that they have integrated into their systems to solve very specific problems, creating a disconnected mixture of security infrastructure. Security must be designed with students in mind and a way that provides optimal learning, collaboration and inclusion—technology can help achieve this imperative goal.

As Government and education sectors continue to move toward cloud environments, managing a multitude of products and solutions can become cumbersome and difficult to regulate security. To combat this, consolidation of products to create increased visibility, automation and agility are key for transforming a current infrastructure to be more successful and produce actionable insights.

Visit the EdTech Talks Conference Resource Center to view panel discussions and other innovative insights surrounding security, AI and student success from Carahsoft and our partners.

About Carahsoft in the Education Market

Carahsoft Technology Corp. is The Trusted Education IT Solutions Provider™.

Together with our technology manufacturers and reseller partners, we are committed to providing IT products, services and training to support Education organizations.

Carahsoft is a leading IT distributor and top-performing E&I Cooperative Services, Golden State Technology Solutions, Internet2, NJSBA, OMNIA Partners and The Quilt contract holder, enhancing student learning and enabling faculty to meet the needs of Higher Education institutions.

To Learn more about Carahsoft’s Education Solutions, please visit us at http://www.carahsoft.com/education

To learn more about Carahsoft’s Cybersecurity Solutions please, visit us at https://www.carahsoft.com/solve/cybersecurity

Applications of Technology in Higher Education at EDUCAUSE

Posted on by Tim Boltz

Technology advancement has resulted in many potential usages for university students and faculty, educational and research institutions and Government agencies. For agencies focused on higher education, taking advantage of new technology can help bolster security and ease student and faculty daily procedures. Industry and education experts joined together at the EDUCAUSE Annual Conference for an immersive experience that facilitated collaboration and discussion to promote the advancement of higher education by using information technology (IT).

Leveraging Security Technology Against Ransomware

With the increasing technology usage in everyday life, many higher education agencies are susceptible to cybersecurity threats like ransomware. The education sector is no exception, with attacks ranging from exploited vulnerabilities, to compromised credentials, malicious emails, phishing attempts, brute force attacks and malicious downloads. As ransomware comes with financial loss, it is important for higher education agencies to invest accordingly in cybersecurity. According to industry statistics, 70% of organizations have successfully recovered data using backup mechanisms. This data recovery is not only much simpler than paying the ransom, but it also removed the attack incentive since paying the ransom encourages bad actors to continue attacks. Higher education institutions own and maintain a significant amount of intellectual property as a source of data wealth and research. To protect this information and ensure the safety and financial success of educational institutions, higher education must focus on creating backups and position IT security staff as trusted advisors, fortify their cybersecurity infrastructure and foster a vigilant culture amongst students and faculty.

Digital Services in Education

With a strong cybersecurity base, universities can reap the benefits of both external and internal digital services. External market data can be used to predict internal performance. Data can help define popular markets, from student demand for majors, future employment opportunities and university competitor information. Educational institutions can utilize technology to analyze data and make millions of calculations in a minimal amount of time. With these predictive analytics, education administrations can make informed decisions when forecasting program sizes, enrollment numbers, scholarships and revenue margins.

Universities can utilize digital applications to offer user-friendly functions to support faculty and students with daily tasks such as helping locate class schedules, campus maps, facility wait times, task notifications and other essential remedies for success. Digital applications with collaboration tools and platforms can connect peers and faculty members in a simple and pragmatic way, facilitating communication on projects and learning objectives. On the administrative side, digital services can reduce time spent by automating functions such as credit transfers and transcript evaluations. Institutions can also utilize digital applications to offer automated aid for student requested services, which reduces call center wait times, manual processing errors and delayed accommodations.

The Varied Applications of AI

In the educational space, AI has a multitude of use cases:

AI can detect cyber threats and vulnerabilities, thus protecting student, faculty and stakeholder sensitive information.
By facilitating the automation of routine security tasks, patches and system updates, AI can free up more time for cybersecurity professionals to focus on more complex initiatives, thus creating a more robust security infrastructure.
Schools can utilize AI’s advanced authentication mechanism to prevent unauthorized access to sensitive data and provide seamless account access for students, faculty and staff.
Institutions are currently using AI to understand the best methods for student retention, a common concern in higher education. Methods such as text-based chat apps are designed to send encouraging messages, tutoring or counseling to students who have been identified as needing additional resources. Text applications can also be used to connect students to enrollment services, tutoring or counseling.
AI’s use of data analytics can facilitate customized learning experiences based on each student’s strengths, weaknesses and learning pace. This includes tailored content, question and answer chatbots and virtual assistants.
Adaptive learning platforms powered by AI can assess individual student performance and deliver tailored content, allowing students to grasp complex concepts at their own pace. This personalized approach enhances student engagement and motivation, ultimately leading to improved academic outcomes.

Since AI will always contain human bias, it is important to apply AI as an additional tool, and not a standalone operation. In maintaining the priority for equality and privacy in the educational sphere, each individual institution must find where AI best fits into their respective organization.

Technology can be utilized to enhance cybersecurity infrastructure, detect compromised systems, analyze data to improve common educational institution functions and improve student performance and morale. By partnering with the IT industry, higher education institutions can posture students and faculty to lead the way to success for the next generation of learners.

To learn more about utilizing IT for education initiatives, view Carahsoft’s Education Technology Solutions Resources.

About Carahsoft in the Education Market

Carahsoft Technology Corp. is The Trusted Education IT Solutions Provider™.

Together with our technology manufacturers and reseller partners, we are committed to providing IT products, services and training to support Education organizations.

Learn more at http://www.carahsoft.com/education

5 Ways to Protect Your Organization from a Cyberattack in 2024

Posted on by Jeff Stewart

As we say goodbye to 2023, we need to prepare to say hello to new cybersecurity threats in 2024. The Department of Homeland Security is already there, having published its annual Homeland Threat Assessment, which predicts “more evasive cyberattacks” thanks to cyber actors using artificial intelligence (AI) and other modern technologies to circumvent company defenses.

Protecting your organization will require a sound strategy that wards off threats and takes the fight to the attackers. Here are five best practices to help you do both.

1. Develop a playbook of response strategies and tactics

Your playbook should include detailed instructions on how to handle a cybersecurity incident, from start to finish, and who’s responsible for what. Key components of a cybersecurity playbook include:

Descriptions of potential attack methods
Steps required to effectively respond to and contain an attack
Roles and responsibilities of response team members
Remediation procedures
Details on how to handle media inquiries, customer, and partner communications, etc.
Processes for a post-incident review and analysis

Hopefully, you will never have to use your playbook. If you do, it will provide you with a standardized blueprint that will allow you to respond to an attack methodically and effectively.

2. Conduct fast and effective diagnostics

Time is of the essence during a cyberattack. Therefore, it is essential to conduct accurate and effective diagnostics as fast as possible.

Not only will you want to identify where the attack originated, but you’ll also need to quickly ascertain where it has or could spread. This requires finding gaps and vulnerabilities in your network where a virus or piece of malicious code could take root. Unfortunately, network complexity gives attackers better cover and more opportunities to hide.

Observability solutions cut through the noise and provide visibility across your entire ecosystem. Observability is different from traditional network monitoring; whereas the latter is more reactive, observability proactively detects anomalies before they become real issues. Plus, with complete visibility into the entire ecosystem, there’s no need to waste time sifting through alerts or hunting down problems. Teams can respond quickly, ensuring high resiliency.

3. Communicate openly, honestly, quickly, and continuously

Effective communication is critical to cybersecurity threat mitigation. When a threat manifests, alert impacted internal departments through secure channels so as not to tip off the attackers that you know they’re in your network. Then, communicate with law enforcement, including the FBI. Finally, reach out to customers and partners. Keep all parties apprised in the weeks and months following the attack.

If you have created a playbook, you will know who to contact and how—because you will have planned for it. You will know, for example, that it will be up to your communications team for outreach to the press, customers, and other third parties.

Your communication must be clear and honest. Tell your stakeholders what you know when you know it. Inevitably, someone is going to ask, “Am I affected?” You may not know, and that is OK—just tell them what you do know. Likewise, you will likely be fighting misinformation. Do not get sidetracked. Continue to tell the truth and communicate openly as much as possible.

4. Enlist third-party partners for help

There are many reasons why you should not take on a cyberattack alone. First, an attack can be too complex and far-ranging for your internal team to handle on its own. It is better to have an outside party that can help with auditing your networks to ensure gaps have been remediated in the wake of an incident. Second, third-party cybersecurity experts can be invaluable in providing guidance, investigative support, and consultation as you navigate through the attack. Your team is going to be busy handling any number of tasks and will appreciate their perspectives.

Outside parties can also help get your truth out to the public. Following the SUNBURST attack, we enlisted the help of reputable organizations like the Cybersecurity and Infrastructure Agency (CISA), the Krebs Stamos Group, and others. In addition to assisting in the investigation, they helped us tell the story of what happened, which went a long way toward combatting misinformation.

5. Implement a “Secure by Design” approach

You have likely heard about shifting left—building security into the foundation of your products, rather than adding it on later. I recommend taking this mindset a step further and adopting a Secure by Design approach, where security becomes a cornerstone of your entire organization.

Secure by Design includes all the best practices listed here, as well as building out your cybersecurity team, auditing applications throughout their development, and engaging with the broader community to learn and share information. It also entails adopting an “assume breach” mindset, where you assume that an asset has already been breached, determine the possible implications, and come up with fixes to limit exposure.

As we turn the calendar page, attackers may have the advantage, but it doesn’t have to be that way. Hopefully, these best practices will help gain the upper hand—and protect your organization in 2024 and beyond.

Reach out to the SolarWinds team to learn more about how you can prepare your organization.

Revitalizing FedRAMP: Navigating the Shift to a Modernized Cloud Security Framework

Posted on by John Lee

The Federal Risk and Authorization Management Program (FedRAMP) was created over a decade ago to provide a standardized approach to security assessment, authorization and continuous monitoring for cloud products and service used by Federal agencies. Embracing the dynamic advancements in cloud technology, FedRAMP has recognized the importance of modernizing to keep pace with the rapid developments in the cloud landscape. The Office of Management and Budget (OMB) released a draft memorandum in October 2023 that outlined a comprehensive FedRAMP framework, emphasizing adaptability, automation and cooperation to address evolving cloud service requirements.

An Opportunity for Modernization

As technology continues to evolve, so do the advancement opportunities in the realm of cloud security for Federal agencies. With the expansion of cloud offerings and the increasing demand for cloud-based services, FedRAMP is undergoing a significant overhaul to meet the changing landscape. The new OMB FedRAMP guidance will replace the original guidance published in 2011, a year in which the cloud security climate looked drastically different and less complex than today. Changes to address the evolving threat landscape include tools for enterprise collaboration, product development and improving an enterprise’s own cybersecurity. Having already authorized more than 300 authorized services in the FedRAMP Marketplace, FedRAMP recognizes the need to add more solutions for agencies to have all the required capabilities to deliver on their missions.[1]

OMB aims to address these challenges by establishing a plan to scale the program, bolster security reviews of cloud solutions and accelerate Federal adoption. Drew Myklegard, the Deputy Federal CIO, said during CyberTalks, a gathering of the most influential leaders in cybersecurity and digital privacy, “There’s a lot of room in the FedRAMP process with friction and [manual] steps that are causing too long of times from when people identify a product that they need until they can employ it.” [2]

The New FedRAMP Guidance

Automation and Continuous Monitoring (ConMon) stand at the forefront of FedRAMP modernization as the memo underscores the significance of automation and the use of machine-readable formats for authorization and ConMon artifacts. The new guidance will create a system for automating security assessments and reviews, as well as expand on the initiative to obtain FedRAMP security artifacts solely through automated, machine-readable processes. The General Services Administration (GSA) also plans to update ConMon processes within 180 days and exclusively accepting machine-readable artifacts within 18 months.

By automating security assessments and reviews, FedRAMP is looking to streamline the authorization process, reduce the time and cost of compliance, and improve the accuracy and consistency of security assessments. An added benefit is that automation will help identify and mitigate security risks more quickly and effectively, improving the overall security posture of cloud-based services used by the Federal Government.

The key changes proposed in the new guidance will:

Reaffirm the presumption of adequacy established in the FedRAMP Authorization Act. This provision establishes that once a CSO achieves FedRAMP Authorization, Federal agencies must presume the offering has adequate security measures for a streamlined reauthorization.
Recognize the transformation of the cloud marketplace and the need for FedRAMP to adjust its processes, originally tailored to a limited number of Infrastructure as a Service (IaaS) solutions, to now accommodate a vast and growing amount of Software as a Service (SaaS) solutions.
Introduce a fast-track authorization program for agencies that have demonstrated mature authorization processes and frequently provide the PMO with high-quality authorization packages.
Propose new authorization types: Joint-Agency and Program authorizations. The Joint Authorization Board (JAB) authorization option is evolving, with all existing JAB authorizations automatically transitioning to Joint-Agency authorizations upon the memorandum’s issuance. Joint-Agency authorizations can pool the resources of any Federal agency to review an authorization package, expanding beyond the DoD, DHS and GSA to include all relevant agencies.
Define the roles and responsibilities of the newly established FedRAMP Board. The FedRAMP Authorization Act empowered OMB to assume a more active and leading role in FedRAMP, and this memo serves as a notable illustration of that increased involvement.
Establish a preliminary “pilot” authorization category allowing agencies to test new cloud services for up to twelve months. This authorization pathway would provide agencies and CSPs with an expedited route to market, accelerating the availability of CSOs.
Streamline authorizations for products that leverage FedRAMP-authorized Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) solutions and for products which have obtained external security frameworks that evaluate relevant risks.
Establish the Technical Advisory Group (TAG) to act as an independent source of Federal Government employees for best practices to enhance the efficiency of FedRAMP’s operations.

Benefits for Federal Agencies

By scaling the program, more cloud service providers will be able to obtain FedRAMP authorization, increasing the availability of authorized cloud services for Federal agencies to use. This will enable agencies to more easily and quickly adopt cloud-based services that meet their specific needs.

Through enhanced security reviews of cloud service offerings, Federal agencies can gain increased confidence in the adherence of the cloud services they utilize to rigorous security standards. Therefore, improving the overall security posture of Federal agencies and reducing the risk of data breaches.

Streamlining the authorization process and offering a broader range of authorized cloud services can help Federal agencies alleviate the costs and administrative burden linked to duplicative security assessments. Overall, agencies will be able to more efficiently and effectively leverage cloud-based services to support their mission and better serve its citizens.

The Future of FedRAMP

Stakeholders are optimistic the new OMB guidance will pave a future for the program that will be more comprehensive, efficient and tailored to the current security environment. As more commercial providers become incentivized to pursue FedRAMP authorization, Federal agencies will have more options when it comes to cloud, and technology vendors will be more suited to achieve FedRAMP authorization success.

To explore more in-depth insights into the OMB Memo view the Carahsoft Guide to Modernizing the Federal Risk Authorization Management Program (FedRAMP). To learn more about Carahsoft’s partner marketplace for FedRAMP certified cloud solutions visit our FedRAMP portfolio and speak to a member of our team today.

Resources:

[1] “Office of Management and Budget Releases Draft Memorandum for Modernizing the Federal Risk and Authorization Management Program (FedRAMP).” The White House, https://www.whitehouse.gov/omb/briefing-room/2023/10/27/office-of-management-and-budget-releases-draft-memorandum-for-modernizing-the-federal-risk-and-authorization-management-program-fedramp/.

[2] “OMB extends comment period for new FedRAMP guidance.” FedScoop, https://fedscoop.com/omb-extends-comment-period-for-new-fedramp-guidance/

The Evolving Landscape of Cybersecurity in the Healthcare Sector

Posted on by Tim Boltz

As the nation becomes increasingly interconnected through technology, industries are also utilizing new technology to meet patient expectations for quick diagnoses and access to results. However, when this technology usage includes personal or healthcare data that may be sensitive for patients or health systems, cybersecurity becomes paramount and necessitates the implementation of new cyber standards. The Healthcare Information and Management Systems Society (HIMSS), a global society focused on information and technology in the health ecosystem, held its annual HIMSS 2023 Healthcare Cybersecurity Forum in September. Here, industry professionals converged to innovate and discuss strategies for safeguarding the healthcare sector against cyber-attacks. To protect against breaches, the healthcare system must integrate and scale to achieve a more connected technological landscape across the industry to better serve patients.

Ransomware and Cybersecurity in Healthcare

By connecting and improving interoperability between healthcare systems/EHR platforms, overall patient service is improved; however, with features such as digital integration, migration to the cloud and the incorporation of remote workers, cyber vulnerability has simultaneously increased. Bad actors oftentimes target healthcare agencies with ransomware for hire. With the increased capabilities of artificial intelligence (AI), even inexperienced bad actors can create sophisticated and dangerous attacks. Due to the immense financial loss of these attacks, it is vital that agencies prioritize cybersecurity. Hospitals, other healthcare centers, and especially their third-party stakeholders, now face a new barrage of ransomware attacks and data breaches.

There are a couple of steps administrators can take to protect hospital systems, patients and stakeholders.

Implement ‘Security-by-Design,’ a strategy where providers ensure that all products are secure by design and default, with all IT solutions and enterprise environments.
Maintain pace with the evolution of artificial intelligence (AI) and utilize it to defend against bad actors.
Standardize a detailed incident response plan that includes a thorough business continuity plan.
Exchange defense strategies between stakeholders — a united front is stronger than trying to face threats alone.
Implement multi-factor authentication and zero trust on all end users so information is accessed by the parties that need to know.
Apply data encryption to systems to protect sensitive information against hackers.

AI in the Healthcare Industry

While bad actors have utilized the capabilities of AI, the healthcare industry can also use it to improve cybersecurity. AI does not need breaks, and therefore can run all day reducing the time needed to identify a security breach by analyzing large amounts of data in real time. On a similar note, AI can identify multiple devices and manage network endpoint detection for large networks. AI has been used to predict Domain Name System (DNS) attacks before occurrence, preventing and mitigating these attacks. It can implement Secure Access Service Edge (SASE), analyze identities and manage risk. With its strength of detecting patterns, AI can distinguish subtle patterns of attack that would otherwise go unnoticed by people.

Due to the nature of this new technology, the healthcare industry must carefully decide whether it wants to implement AI, and to what extent it will be used. In terms of cybersecurity, AI may be the answer to providing a secure standard for an interconnected healthcare industry.

Partnerships to Strengthen Cybersecurity in the Healthcare Industry

To provide the best security for patients and stakeholders in the healthcare sector, the federal government and technology industry have joined the battle against bad actors in healthcare. Several federal agencies including the Administration for Strategic Preparedness and Response (ASPR), will lend a hand in bolstering the cyber posture of the American health system. The ASPR is working alongside Cybersecurity and Infrastructure Security Agency (CISA) and private sector partners to analyze the cyber threat landscape of the healthcare sector. Over the next year, the agency hopes to create a cyber division, introduce a cyber risk identification tool, track cyber incident reports and gain resources and buy-in from senior leadership. Another agency, the Department of Health and Human Services (HHS) will strengthen cybersecurity by partnering with hospitals, health organizations and federal agencies, including CISA, that have additional information on cyber threats. Under the HHS, the Health Industry Cybersecurity Practices (HICP), a publication in response to the Cybersecurity Act of 2015, provides practical cybersecurity guidelines for the healthcare industry.

HICP covers several major threats that the industry faces, including:

Social engineering
Ransomware
Payment fraud
Loss or theft of equipment
Insider, accidental, or malicious data loss
Attacks against network connected medical devices

To counter said threats, the HICP has listed its top ten best cybersecurity practices. It advises to:

Protect email systems from phishing breaches
Implement endpoint protection systems to all hardware devices
Utilize identity and access management, regardless of the size of the health care organization
Check cyber posture to prevent data loss
Manage IT assets
Execute network management for wireless or wired connections before interoperating systems
Enact vulnerability management
Take advantage of incident response plans to discover network cyberattacks
Extend relevant cybersecurity practices to network connected medical devices
Establish and implement cybersecurity and governance policies^[1]

By enabling organizations to evaluate capability against cybersecurity attacks, HICP aims to protect patients and stakeholders from private data loss.

While cyber attacks are always growing in complexity, the healthcare industry can evolve and provide superior service for its patients through the use of tested security strategies, AI and federal aid.

Visit Carahsoft’s Healthcare Solutions Portfolio to learn more about improving cybersecurity practices in the healthcare sector.

Resources:

^[1] “HICP’s 10 Mitigating Practices,” Department of Health and Human Services, https://405d.hhs.gov/best-practices

*The information contained in this blog has been written based off the thought-leadership discussions presented by speakers at the HIMSS Fall Forum in September 2023.*

Revolutionizing Communication with 5G

Posted on by Mark DeMerse

As technology progresses, communication is revolutionized worldwide. To maintain pace with cybersecurity and technology standards, the United States Government can utilize the transformative features of 5G, the fifth-generation global wireless technology standard for cellular networks.

Transforming Network Standards with O-RAN

With the development of Open Radio Access Networks (O-RAN,) a feature that allows interoperability between cellular network equipment providers, the development and integration of 5G has greatly expanded. The role of O-RAN has important applications in the Department of Defense (DoD), whose goal is to promote national and economic security. By integrating 5G networks into the defense sector, different departments can quickly communicate with each other. With the usage of O-RAN and 5G combined, agencies have a much larger, diverse ecosystem of vendors to choose from.

As with any new feature, there are costs to the implementation process. In the 2021 National Defense Authorization Act, Congress put aside $1.5 billion dollars which is being utilized to develop a unified vision and strategy towards O-RAN and 5G. The congressional statutory language calls out seven big-picture objectives, most of which are centered around promoting the deployment of 5G. These are to:

Add network virtualization
Authorize new security features
Accelerate the development of technology
Promoting the deployment of 5G within the DoD
Develop standards to enable a multi-vendor ecosystem
Create open, interoperable telecommunication networks
Allow interoperability to manage multi-vendor situations

While the act provides ten years to carry out its strategy, these standards should be added as soon as possible due to the fast-paced development of technology.

Aiding the DoD

The DoD and 5G form a mutually beneficial relationship. 5G is created with security built in, so an investment in 5G is an investment in cybersecurity. By utilizing 5G at bases, the DoD can test its capabilities, as well as streamline and amplify the effectiveness of non-combat operations. This can include supply chain efficiency, large scale IoT networks, asset tracking and logistics management all while reducing costs. In return, the DoD tests and further funds 5G. The addition of 5G can provide lower mission costs, enhanced speed and provide higher quality operations. It also factors in risk reduction to each operation, by taking the cumbersome human process out of the equation and making certain operations less complex.

For the DoD, the key motivations in testing and using 5G are threefold. One, it aims to achieve streamlined and functioning interoperability, where individuals can handle operations from a single tablet. Two, it aims to reduce the amount of manual handling in operations. Since 5G has the latency to compute such artificial intelligence (AI) and machine learning (ML) capabilities, it can perform time consuming tasks such as perimeter security. And three, the usage of 5G allows the DoD to gather data about 5G to utilize predictive analytics in the future.

The Future of 5G

There is more that 5G can do for military applications. With the advantage of 5G, there may be a paradigm shift in the usage of private wireless and on-demand communication. One of the biggest advancements of using 5G in a military context is the flexibility that comes with 5G being cloud native. 5G provides more capacity than traditional Wi-Fi or hotspots as it focuses on transport networks. With 5G, international communication could be streamlined, as frequency coordination between departments and consumers would no longer be required. 5G comes with the benefits of mobile edge computing and being O-RAN compliant, meaning it is up to Federal standards. This could even be helpful in residential rural and remote environments, where internet and satellite access is limited. There have been tests across various United States bases, aiming to utilize ML to tailor 5G to each user’s needs. To get these features, consistent testing is vital, even if it is not immediately profitable.

With all the changes to the way combatants use technology, it is important to enable the military to integrate 5G operations. By codifying new strategies and usage methods, agencies can reference, read and follow through with new procurements. With the addition of 5G, communication within the DoD and nation can be revolutionized in nearly unimaginable ways.

Visit Carahsoft’s 5G technology solutions portfolio to learn more about Carahsoft’s 5G Summit event and how we, along with our partners, can leverage the best and most reliable services to support your organization’s 5G mission.

*The information contained in this blog has been written based off the thought-leadership discussions presented by speakers at Carahsoft’s annual 5G Conference.*