Varun Badhwar, CEO and co-founder of RedLock, a cloud infrastructure security company, said moving to the cloud alone will not solve the government’s IT security issues.
“It’s important to note that simply moving IT assets to the cloud won’t make them immune to the threats we face today,” he said. “Cloud providers are only responsible for securing the underlying physical infrastructure, and the government will remain responsible for securing the applications, data and users within these environments. Securing cloud infrastructure requires a unique cloud-native approach – existing security tools do not work in the cloud.”
The recent cybersecurity executive order signed by President Trump — the final draft of which Homeland Security Today first reported — mandates all federal IT systems be moved to the cloud, presumably, as the administration stated, to avoid a fractured security posture within traditional IT environments. Homeland security adviser Tom Bossert said, “From this point forward, the President has issued a preference in federal procurement in federal IT for shared systems. We’ve got to move to the cloud and try to protect ourselves instead of fracturing our security posture.”
The order stated, “Effective immediately, it is the policy of the executive branch to build and maintain a modern, secure and more resilient executive branch IT architecture … Agency heads shall show preference in their procurement for shared IT services, to the extent permitted by law, including email, cloud and cybersecurity services.”
“Further,” Bossert added, Badhwar said, “the government must ensure their security tools provide holistic visibility and continuous monitoring across three critical areas: network traffic, system security and user behavior. After all, you’re only as secure as your weakest link, and taking a siloed approach with these three areas can provide a false sense of security. True holistic visibility into all three is paramount to the security of the government’s cloud infrastructure.”
“The government, like all organizations, must operate under the assumption that they will get breached someday, and be prepared to rapidly investigate, contain and respond to security incidents within hours – not months or years as is the case today,” Badhwar said, adding, “New technology built specifically to secure cloud infrastructure can help the government accomplish this, while also applying cloud-specific intelligence and security policies.”
MeriTalk, a public-private partnership focused on improving the outcomes of government IT, in its new report, Inside Job: The Sequel – The 2017 Federal Insider Threat Report, found, “Federal agencies are increasing their focus on insider threats, with 85 percent of survey respondents saying their agency is more focused on combating insider threats today than one year ago – up from 76 percent in 2015. Additionally, 86 percent say they have a formal insider threat prevention program in place – a big jump from just 55 percent in 2015.”
“But, despite these efforts,” the study said, “75 percent of respondents say insider threats are just as or more challenging to identify and mitigate today than one year ago, and nearly a quarter say they lost data to an insider threat incident in the last year.” And, “Cloud is a big reason why,” the study said. “Fifty-nine percent of the survey respondents say that the growing number of cloud-based systems has made insider threats more difficult to identify – due to increased complexity, endpoint monitoring challenges, lack of preventative measures and difficulty implementing and enforcing identity and access management policies. Despite the cloud’s impact on the insider threat equation and the serious potential consequences of these incidents, fewer than half of agencies have taken specific steps to ensure cloud adoption does not jeopardize insider threat protection.”
“As boundaries dissolve, the threat landscape is becoming more complex. Thanks to cloud adoption, endpoint multiplication, and the ever-growing remote workforce, insider threats are even more difficult to manage and prevent,” said Rob Potter, vice president, public sector, Symantec. “Agencies can establish better control over their cybersecurity programs and manage risk more effectively by leveraging the NIST Cybersecurity Framework (CSF) to identify gaps in their security posture and chart a plan to address them. Formal threat detection and response protocols, as well as systems for reporting and maintaining potential or actual incidents, are critical to preventing data loss.”
“Yet,” the study said, “agencies that have lost data to insider incidents are less likely than those that have not to say they use key security technologies agency-wide. Case in point: just 34 percent of agencies that have lost data use data loss prevention (DLP) technology across their environment, compared with 65 percent of agencies that have not. Only a third of agencies give themselves an ‘A’ rating for DLP.”
“The recent Vault 7 Wikileaks release shone a harsh spotlight squarely on the insider threat issue,” said Steve O’Keeffe, MeriTalk founder. “Our study found that half of agencies report that unauthorized employees access protected information at least weekly. It’s time to plug those holes. The potential consequences – from identity theft to national security crisis – are too dire.”
The study said, “Federal agencies see a clear path to insider threat prevention … To minimize data loss, respondents say agencies must limit access points (60 percent), adopt multi-factor authentication (50 percent), expand real-time activity monitoring (49 percent), implement data loss prevention capabilities (45 percent) and classify data (45 percent). The top investments planned for the next two years include user behavioral analytics, commercial threat intelligence and anomaly detection tied with multi-factor authentication.”
Perhaps the good news from the study — underwritten by Symantec — is, “Despite an increased focus on insider threats and the significant growth of formal prevention programs, the study reveal[ed] that the rate of cyber incidents perpetrated by insiders remains relatively stagnant – 42 percent of agencies report incidents over the last year, compared to 45 percent in 2015.”
Meanwhile, the Professional Services Council (PSC) welcomed the swift passage by the House of the Modernizing Government Technology Act of 2017 (the “MGT Act”). The legislation would create funds for agencies to invest in new, innovative information technology solutions that reduce costs and increase network security.
“Federal agencies now spend a disproportionate share of their IT budgets simply to maintain inefficient and costly legacy systems that are decades behind modern technologies in terms of capabilities and network security,” said PSC President & CEO David Berteau. “The MGT Act will make a critical investment in modernizing the government’s IT infrastructure to help limit cybersecurity vulnerabilities inherent in current computer systems and increase the effectiveness of government services and missions.”
The MGT Act would also establish dependable funding sources for federal agencies to invest in IT system modernization, incentivize agencies to utilize the funds for agency priorities and accelerate the transition to the cloud.
“PSC applauds the House for prioritizing the MGT Act this early in the session. Coupled with a bipartisan Senate companion bill and the administration’s strong support, we believe the bill should be—and are optimistic that it will be—signed into law,” Berteau said.
McAfee Chief Public Policy Officer Tom Gann also commended the House on passing the MGT Act. “We have only to remember breaches such as [the] Office of Personnel Management two years ago to realize that federal networks do much more than enable our federal agencies to function; they house extremely sensitive data that can be valuable to all kinds of attackers. Our federal systems and networks deserve an enterprise-class security architecture that’s built into every part of the IT fabric and cloud-ready. That kind of innovative security is best delivered on systems that are up-to-date … The MGT Act will enable old IT systems to be retired and replaced so that security with intelligent, self-remediating endpoints can get to work protecting our national assets.”