Page 36 - GCN, Feb/Mar 2018

According to staff, vendors and analysts alike, there has been a major shift in network security strategy. Trying to contain data behind network perimeters secured by firewalls and other tools is giving way to data-centric and user-centric strategies that aim to protect data wherever it resides — whether it’s within the agency’s perimeter, in the cloud or on a mobile device.
“As we move to more of a distributed data mode, with users on nongovernment-furnished mobile devices, we have to move the security protection closer to the asset, and we have to tie security policies to the user,” said Chris Townsend, Symantec’s vice president for federal. “That approach aligns more to a risk mitigation strategy where we quantify the value of the assets [and] risk of loss and then align scarce security resources accordingly.”
While pushing the federal government in that direction, the 2017 “Report to the President on Federal IT Modernization” noted that “agencies have attempted to modernize their systems but have been stymied by a variety of factors, including resource prioritization, ability to procure services quickly, and technical issues.”
Still, the report recommends that agencies “prioritize modernization of legacy IT by focusing on enhancement of security and privacy controls for those assets that are essential for federal agencies to serve the American people and whose security posture is most vulnerable.” The report also urges agencies to adopt a layered defensive strategy and emphasize application and data-level protections.
Although the report’s goals were well received, some analysts were disappointed by the lack of specific measures agencies should take. “It’s a great shift in focus,” said Rick Holgate, a former federal agency CIO who is now research director for the public sector at Gartner. “But in terms of how they’re going to get there and how they’re going to make that happen, there is some detail missing.”
In May 2017, President Donald Trump further prodded agencies and departments to use risk management approaches to secure digital assets, making it clear that department secretaries and agency directors would be held responsible for failures.
Again, however, the executive order lacks details, and Michael Daniel, president of industry advocacy group Cyber Threat Alliance, describes it as “a plan to have a plan.”
Zero trust
Even without specific directives from the top, agencies are increasingly abandoning the perimeter-centric model for security and adopting a zero-trust model.
The key to zero trust is simple: No traffic on the network is presumed to be trustworthy. The model effectively eliminates the distinction between trusted inside-the-perimeter network activity and untrusted activity that crosses that perimeter.
“As we move our data outside of the firewall, we have to adopt a zero-trust type model,” Townsend said. “We are shifting our security enforcement out to the data itself, and you have to have a security policy that follows that user no matter where that user is or what device they are using to access the data.”
Although no one advocates abandoning the old perimeter protections — firewalls and secure routers, network analytic and intruder detection tools, for example — new types of cybersecurity strategies, sometimes with overlapping tools, have been developed in recent years that seek to enhance data-centric security.
One increasingly popular technology that can help with implementing a zero-trust model is microsegmentation, which uses software-defined virtual networks to create myriad isolated networks. Whereas standard networks use firewalls and routers to segment traffic for an entire organization, microsegmentation might define a network that is accessible by a single workgroup or even a single individual.
Bill Rowan, vice president of federal sales at VMware, compared the concept to that of a submarine built with various compartments so that a breach in one
How to get there
Actual implementation of a zero-trust model is easier said than done. It boils down to applying three principles:
1. All data must be secured regardless of location. In practice, that means all data must be encrypted even when residing and being accessed from within the network perimeter.
2. User identities must be confirmed and access to data strictly enforced, with the default being minimal privileges.
3. All network traffic should be logged and analyzed. As a recent report from Forrester Research put it, “Zero trust flips the mantra ‘trust but verify’ into ‘verify and never trust.’”
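The three principles above, worked through as an added illustration (constructed example, not code from GCN or from any vendor quoted in the article): a small request gate that requires encrypted transport, verifies identity against a default-deny, least-privilege policy, and logs every decision. The policy table, user names and resource names are invented for the example; the point is that the request’s source network is recorded but never used to grant trust.

```python
"""Zero-trust request gate: every request, whether it originates inside or
outside the perimeter, is checked the same way and every decision is logged.
Constructed example; the policy and identities below are made up."""
from dataclasses import dataclass, field

# Constructed least-privilege policy: (user, resource) -> permitted actions.
# Anything not listed here is denied (default deny).
POLICY = {
    ("alice", "hr-records"): {"read"},
    ("bob", "hr-records"): {"read", "write"},
}


@dataclass
class Request:
    user: str            # identity claimed by the caller
    token_valid: bool    # outcome of identity verification (e.g. MFA, client cert)
    resource: str
    action: str
    encrypted: bool      # True if the request arrived over an encrypted channel
    source: str          # "internal" or "external"; logged, never trusted


@dataclass
class ZeroTrustGate:
    log: list = field(default_factory=list)

    def evaluate(self, req: Request) -> bool:
        """Return True only if every zero-trust check passes; log the decision."""
        reason = "allow"
        if not req.encrypted:
            reason = "deny: plaintext transport"            # principle 1
        elif not req.token_valid:
            reason = "deny: identity not verified"          # principle 2
        elif req.action not in POLICY.get((req.user, req.resource), set()):
            reason = "deny: not in least-privilege policy"  # principle 2
        # Principle 3: log every request, allowed or denied. req.source is
        # kept for analysis but plays no part in the decision above.
        self.log.append((req.source, req.user, req.resource, req.action, reason))
        return reason == "allow"


def same_decision_regardless_of_source(gate: ZeroTrustGate, req: Request) -> bool:
    """Helper showing that an inside-perimeter copy of a request gets the same answer."""
    inside = Request(req.user, req.token_valid, req.resource, req.action,
                     req.encrypted, "internal")
    return gate.evaluate(req) == gate.evaluate(inside)
```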
