Page 37 - GCN, Feb/Mar 2018

“As we move our data outside of the firewall, we have to adopt a zero-trust type model.”
compartment would not flood the others. “That’s where we are taking the approach of microsegmenting networks,” he said.
According to Rowan, a well-designed microsegmentation solution imposes no noticeable network-performance cost and even simplifies some network chores, such as moving an application from one virtual network to another. “Because we are separating the physical from the logical, I can simply build that same network topology on the other side,” he said. “Heretofore, I had to go back in and change all my network settings to make sure the application could effectively communicate.”
Townsend, however, said it’s not clear whether microsegmentation will be viable. His main concern is scalability. “The idea is that for every virtual application and every virtual network segment, you have a security policy that follows that data or that portion of the network,” he said. That could overwhelm an agency’s IT team.
“Right now, our federal customers are struggling from an operations standpoint to manage their security environment as it stands today,” he added.
Data loss prevention
The Cybersecurity Framework published by NIST in 2014 designated data loss prevention (DLP) as a core cybersecurity strategy.
DLP solutions use various technologies to keep unauthorized people from accessing data. Although organizations can implement data loss prevention measures using separate tools for controlling user access to network and data center resources — firewalls, intrusion detection, file permissions and user credentials, for example — DLP generally refers to software packages that classify data and control access to it by comparing pieces of data to user authorizations.
DLP software might also prevent or allow users to copy, print or email data. Some advanced packages also monitor access to data and use artificial intelligence to detect unusual, even if authorized, access.
“One of the biggest challenges that we are seeing, especially in the federal space, is where you’ve got well-meaning internal users who are using Gmail or Dropbox to move potentially sensitive or personally identifiable information around,” Townsend said.
DLP tools monitor such actions. If an upload contains sensitive information, Symantec’s solution will dynamically encrypt the data and force the user to authenticate. “It forces them to acknowledge that and stores the keys on premises,” Townsend said. “No matter how many times it’s been forwarded on, you could always revoke the key and essentially wipe the data.”
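The two steps described above, classifying a piece of data and then comparing its labels against the user’s authorizations and the channel it is leaving by, can be sketched as a small policy check. This is an added illustration, not code from the article or from any vendor product; the detectors, labels, channel names and the ALLOW/ENCRYPT/BLOCK outcomes are constructed for the example.

```python
"""Toy DLP policy check: classify outbound data, then compare the result
with the user's authorizations and the channel in use (constructed example)."""
import re
from typing import Set

# Constructed detectors for the kinds of PII the article mentions.
_SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
_CARD = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out random 13-16 digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> Set[str]:
    """Return the set of sensitivity labels found in a piece of data."""
    labels: Set[str] = set()
    if _SSN.search(text):
        labels.add("PII")
    for m in _CARD.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            labels.add("PCI")
    return labels


def decide(text: str, user_authorizations: Set[str], channel: str,
           sanctioned_channels: Set[str]) -> str:
    """Compare the data's labels with what the user may handle.

    ALLOW   - nothing sensitive, or sensitive data over a sanctioned channel
    ENCRYPT - authorized user sending sensitive data over an unsanctioned
              channel (e.g. consumer mail or file sharing); wrap it first,
              as the article describes, so the key can later be revoked
    BLOCK   - user is not authorized for at least one label found
    """
    labels = classify(text)
    if not labels:
        return "ALLOW"
    if not labels <= user_authorizations:
        return "BLOCK"
    if channel not in sanctioned_channels:
        return "ENCRYPT"
    return "ALLOW"
```

The check runs on the content of the action, so a well-meaning user uploading a spreadsheet of SSNs to a consumer service is handled differently from the same user sending it through the agency’s own mail system.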
A 2014 study found that only 18 per-
