Page 18 - GCN, May 2016

To truly defend against evolving threats, federal IT leaders must apply security
at the application layer.
FEDERAL IT MANAGERS, CISOs and security professionals are often overwhelmed and confused by the seemingly endless volume of security threats, warnings, solutions and vendors. Firewalls, intrusion detection and prevention, APT, threat intelligence, compliance, cloud security, DLP—the list goes on and the “cyberscape” grows more confusing.
Amid all this confusion and uncertainty, there are three imperatives—the underpinnings of any sound cybersecurity implementation—federal agencies should focus on now.
1. Zero trust means zero trust. An analysis of recent attacks on federal IT systems reveals the vast majority have resulted from users handing over some level of trust to an attacker. The trend in application access is to trust no one, no connection, and no traffic flow, and to rely on advanced encryption and identity management to establish trust. This means securing network infrastructure devices that are almost always overlooked when it comes to strong, multi-factor authentication.
The DoD Cybersecurity Discipline Implementation Plan, from October 2015 and amended in February 2016, prescribes Four Lines of Effort (LoE) to better secure DoD networks and applications. LoE 1 is Strong Authentication, involving PKI/CAC-enabled authentication for all applications, accounts, servers and network devices. “The connection between weak authentication and account takeover is well-established,” the plan notes. “Strong authentication helps prevent unauthorized access, including wide-scale network compromise, by impersonating privileged administrators.” Implement strong authentication not just for users and applications, but also for devices.
2. You can’t secure what you can’t see. Data encryption (SSL and TLS) has traditionally deterred malfeasance on websites with high-value assets. Over time, SSL adoption has extended to everyday websites to protect user information.
While approximately 30 percent of popular websites currently use SSL, this trend is growing 20 percent annually. At the same time, the bad guys are using the same technology to encrypt their conversations that federal agencies are using today.
The point is federal agency IT network managers must inspect inbound and outbound traffic. This includes encrypted traffic. When using a traditional firewall or IPS device, users can expect a 70-90 percent performance tax. If there’s no inspection, agencies are blind to about 50 percent of all traffic. Agencies must deploy purpose-built SSL inspection devices to eliminate security blind spots.
3. Strong security must scale across all modes. The security world has typically been described in rigid or structured ways. Defined perimeters are drawn across network boundaries. Today’s perimeter is based simply on two things: access and applications. This is independent of time, space, and even device type and consumption mode (cloud, on-premises, or hybrid). The challenge for federal security professionals is to implement strong security that scales across all access modes, while not impeding the application experience. That’s a tall order.
For applications and systems access, federal security professionals must deploy access and identity architectures based on full user, application, and network context awareness to ensure single sign-on and application access federation.
Finally, consider that 90 percent of a typical federal organization’s security investment has been on threats to the network. Nearly 75 percent of attacks have been targeted at the application. It’s time to make application security a priority.
Federal agencies must create and deploy consistent, tailored policies and services—on an application-by-application basis—based on risk, context and visibility at the application level.
Randy Wood is Vice President Federal, F5 Networks.
