
Traditional Federal Cybersecurity Modernization Has Failed – Time for a New Approach

Modernization has become the mantra across government agencies, encompassing all areas of operations – including an urgent focus on cybersecurity as the risk of cyberthreats and cyber warfare continues to grow. However, agency leaders are finding that traditional cybersecurity modernization initiatives are becoming cost-prohibitive and ineffective. 

Government agencies sometimes fall into a pattern of “bolting on” new cybersecurity capabilities to existing technology solutions in an attempt to counter growing and evolving threats. Often they take this approach because they have already made significant investments in their existing systems and are reluctant to throw them away in favor of something new. But building layers and layers of security solutions is not effective or efficient because bolted-on solutions or acquisitions were never designed to work seamlessly together, resulting in inevitable gaps in data protection coverage. Bolted-on solutions also require additional expertise and often must be managed within a separate console, introducing complexity that is counterproductive and a strain on limited resources. 

Instead, a complementary approach to cybersecurity modernization is needed to maximize effectiveness. True modernization requires doing things differently than they were done in the past. That doesn’t mean agencies should completely pull the plug on their current solutions; rather, it means they should start setting up new solutions in parallel to current systems and gradually evolving into new ways of protecting infrastructure, systems and data.

The growing availability of cloud services in government presents a perfect opportunity for this discussion. The vast majority of government agencies are still running much of their security solutions on premise despite the fact that many of their services now reside in the cloud. Agencies can cut costs and increase effectiveness by embracing cloud-based cybersecurity solutions that do not rely at all on what has been done in the past. 

Zero Trust Can Serve as a Model 

Some agencies may resist this approach, because many of their legacy vendors are pushing a more complex hybrid model that requires expensive hardware refreshes that limit modernization. Consequently, they have found the layered approach they’ve taken in the past – in which they basically recreated a data center in a cloud instead of refactoring cloud-enabled applications – was too expensive and complex. Overcoming this hurdle may require the same type of paradigm shift as the shift agency leaders encountered years ago when they set out to implement zero trust frameworks in their organizations. 

The idea behind zero trust was for agencies to get to a point where they did not have to continue the old paradigm of layering in security controls. With the widespread adoption of zero trust frameworks, agencies were able to increase their returns on investment, reduce total cost of ownership and make operations more efficient in a holistic security architecture, because zero trust protections are built in a way that does not require the costs associated with bolting on and layering on new capabilities.

We can apply the same approach to modernization in three steps: 

  1. Define modernization as the “North Star” that will guide the agency going forward. Modernization should be achieved through a holistic approach that includes decoupling policy enforcement points from legacy technology. Agency leaders should evolve their concepts of operations beyond the traditional siloed approach while automating responses to cyberthreats and ensuring alignment to evolving mission goals.
  2. Define and overcome the barriers to modernization. These often include:
  • Avoid solutions tied to legacy technology and on-premise appliances that can create a “boat anchor” effect on zero trust initiatives, requiring significant overhead and technical debt such as tying a zero trust architecture to IPsec tunnels or data center-dependent appliances. For instance, on-premise appliances require significant resources for maintenance, patching, and upgrades. In addition, legacy technology doesn’t have the flexibility to evolve with hybrid environments and effectively integrate with other security tools.
  • Get rid of internal silos that create budget and resource issues in which various groups inside the organization claim ownership of tools and data, leading to capability overlaps and gaps.
  • Address data overload issues that result in inefficient use of data to automate policy creation and response against emerging threats. This happens when many data feeds try to collapse logs into a single log management tool. Not only does this require tremendous storage space and expense, but significant resources are also required to get actionable intelligence from the data. Agencies need to look beyond simply gathering the data, to platforms that natively gather and analyze the data for strategic policy decisions based on risk.
  • Put in place guardrails for mapping of capabilities to the agency mission and goals to ensure flexibility and appropriate risk mitigation strategies are in place. By integrating security architecture frameworks and governance, agencies can better customize security strategy to agency needs and implement an effective security program for both the long and short term.
  3. Implement a platform that allows the organization to pull together security controls around all of its data, leveraging a single pass architecture. Agencies should avoid building new silos in the cloud. Instead, they should ensure the security platforms can bidirectionally exchange data with existing security stack investments for true effectiveness. Security platforms should possess full line of sight both horizontally and vertically if visibility and performance are critical.

Vertical cloud silos are created through increased dependence on public cloud infrastructures. This often happens when performance is added as a critical capability, requiring that users are able to access cloud applications while also enabling security and data protections. However, this can lead to performance being valued over security and vice versa, which can lead to friction in operations. These dependencies can create resistance in the flow of traffic and what capabilities are available, ultimately leading to security policy that is less aligned with supporting the mission and more about ‘best effort’ given technical limitations.

Government agencies have to fundamentally change their approach to modernization in order to get out of the traditional mode of bolting on new capabilities on top of dated, old solutions. They recognize they need to better understand how cloud-based solutions are built in order to be truly efficient and effective stewards on behalf of the ultimate customer, the taxpayer. They can start moving in that direction by adopting a holistic approach, defining and addressing barriers and embracing platforms that avoid re-creating silos in the cloud. 

Beau Hutto & Mark Mitchell
Mr. Beau Hutto is an accomplished leader with extensive expertise in Federal Cyber initiatives, possessing over two decades of dedicated experience supporting the United States Federal Government's cybersecurity mission imperatives. His proficiencies encompass strategic relationship alignment aimed at optimizing the success of federal agencies in spearheading modernization efforts and the implementation of Secure Access Service Edge (SASE) objectives.

Mark Mitchell is an Enterprise Security Architect who has worked in both the public and private sectors. He has built Zero Trust-based architectures since 2014, including a full cloud-based policy enforcement point architecture in 2017 for a Federal agency he worked with at the time. Since joining Netskope, Mark has focused on evangelizing the adoption of SASE architecture within the Federal government and the benefits that it brings: increased security, performance and compliance while reducing complexity, especially in multi-cloud environments.
