Page 30 - FCW, Nov/Dec 2017
NETWORK MODERNIZATION IDENTITY-DRIVEN SECURITY
explains Susie Adams, chief technology officer at Microsoft Federal. “Since data can live on any device or in the cloud, it must be locked down with a key, and that key is identity. Identity is the new firewall.”
And because data can be anywhere—in the cloud, on a server, or on an edge device such as a smartphone or sensor—it’s also more difficult to ensure that all data is secure at all times. Agencies need a new way of protecting data that continually monitors all connections and endpoints and leaves no corners unwatched.
Focusing on detection instead of only protecting data and assets is another important shift. Even though it might seem uncomfortable, it’s important to adopt an “assume breach” mentality. By approaching security as though the environment has already been compromised, agencies can shift from passive defense to active defense. That makes the entire environment more aware, prepared, and ready to act.
With that type of holistic approach, a focus on identity and detection, and the right tools, agencies can identify and detect issues early enough to prevent damage. For example, when employees begin using a new software-as-a-service application, the IT team can detect it immediately and understand what risks it might pose to the agency. Or if the system sees that an employee logged on from Wyoming and five minutes later from São Paulo, is forgetting his or her password more often than usual, or is signing on in the middle of the night for several nights in a row, the IT team will be alerted and know there has been some type of breach.
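The sign-in checks described above, as an added example (not code from the article or from any Microsoft product): it flags the Wyoming-to-São Paulo case by implied travel speed and repeated night sign-ins by consecutive dates. The thresholds, event fields and sample events are constructed assumptions, and timestamps are taken to be UTC.

```python
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 1000.0            # assumed ceiling for plausible travel speed
NIGHT_HOURS = range(6, 10)  # assumed night window in UTC (about 01:00-05:00 US Eastern)
NIGHT_STREAK = 3            # assumed meaning of "several nights in a row"

def km_between(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(events):
    """Return (user, from, to, km/h) for consecutive sign-ins faster than MAX_KMH."""
    last, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        prev, last[ev["user"]] = last.get(ev["user"]), ev
        if prev is not None:
            km = km_between(prev["geo"], ev["geo"])
            hours = (ev["time"] - prev["time"]).total_seconds() / 3600
            # Simultaneous sign-ins from two places count as infinitely fast.
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > MAX_KMH:
                alerts.append((ev["user"], prev["place"], ev["place"], speed))
    return alerts

def night_streaks(events):
    """Return users with night sign-ins on NIGHT_STREAK consecutive dates."""
    nights = {}
    for ev in events:
        if ev["time"].hour in NIGHT_HOURS:
            nights.setdefault(ev["user"], set()).add(ev["time"].date())
    return sorted(
        user for user, dates in nights.items()
        if any(all(d + timedelta(days=i) in dates for i in range(NIGHT_STREAK)) for d in dates)
    )

# Constructed sample sign-ins (not real data); coordinates are approximate.
VA, WY, SP = (38.90, -77.04), (41.14, -104.82), (-23.55, -46.63)
EVENTS = [dict(zip(("user", "time", "place", "geo"), row)) for row in [
    ("alice", datetime(2017, 11, 6, 14, 0), "Wyoming", WY),
    ("alice", datetime(2017, 11, 6, 14, 5), "Sao Paulo", SP),  # five minutes later
    ("bob", datetime(2017, 11, 6, 7, 10), "Virginia", VA),     # three nights running
    ("bob", datetime(2017, 11, 7, 6, 30), "Virginia", VA),
    ("bob", datetime(2017, 11, 8, 8, 45), "Virginia", VA),
    ("carol", datetime(2017, 11, 6, 13, 0), "Virginia", VA),   # plausible flight
    ("carol", datetime(2017, 11, 6, 19, 0), "Wyoming", WY),
]]
```

Real sign-in logs geolocate by IP address, so VPN and mobile-carrier egress points need an allowlist before a speed alert is treated as a breach.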
FOCUS ON IDENTITY
A comprehensive approach to protection and detection provides great benefits but is not possible without taking some steps to prepare the environment. The first step is making sure that every person in the organization has only one identity. For example, an employee might have identities as a regular user and as an administrator with elevated privileges. If those identities are not consolidated or federated, it can cause security problems.
Agencies are on the right path toward federated identity, with efforts such as Federal Identity, Credential, and Access Management providing guidance for identity management and federation and for logical and physical access.
Compliance with the Cybersecurity Executive Order
When the Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure was released earlier this year, experts praised its emphasis on migrating to a hybrid cloud infrastructure, tightening policies and practices for privileged users, and complying with the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework.
Under the order, agencies must document their current risk posture and their plans for compliance, and they must show a preference for shared IT services, including cybersecurity.
Given the complexity of the challenges, agencies have expressed concerns about the amount of work involved and their ability to complete that work within an acceptable time frame.
Microsoft offers a host of tools and services to help agencies comply with all aspects of the order, including the move to a shared cybersecurity model that will allow them to manage diverse operating systems on premises and in any type of cloud. When agencies share cybersecurity services, they can protect their systems more efficiently and cost-effectively.
The company can also assist agencies in adopting NIST’s Cybersecurity Framework by offering a range of risk assessment guides and services. One remote service details the compliance status of an agency’s critical infrastructure. The result is an analysis that will either validate compliance with the NIST framework or detail what must be done to achieve it.
In addition, the Azure Blueprint Customer Responsibilities Matrix is designed to help agencies reduce the scope of the security controls they must implement for Azure-based systems by applying certain controls across the board and identifying the ones agencies must address for their particular cloud environment.
Sponsored Content