Although federal agencies are increasingly prioritizing security and prevention, a number of challenges—including budget constraints, limited resources, and complexity—have left the agencies’ networks vulnerable to security breaches.
A recent survey of 200 federal government IT decision makers by government research firm Market Connections and network solutions provider Brocade revealed that just 26 percent of agencies feel data on their networks is fully protected.
“I think you will see some of the challenges that the other 74 percent are facing are tied to budget challenges number one, as far as providing a true end to end pictures and having the dollars to implement that as such,” Judson Walker, systems engineering director at Brocade, told Homeland Security Today.
“Also, there is often a tradeoff between security measures and performance,” Walker said. “In many cases those security measures are removed to ensure performance at an optimal level. It comes down to the issue of how you deliver a security paradigm that is simple, reputable, and manageable with limited personnel and resources to administer day in and day out.”
Brocade and Market Connections launched the survey as a platform to obtain a better understanding from public sector technical leaders on how they feel about overall data protection and what they are and are not focused on.
The survey found prevention is the highest priority within an agency’s cybersecurity strategy. Although the respondents stated their agencies’ cybersecurity budgets for 2015 will remain largely unchanged from the previous fiscal year, nearly a quarter of respondents anticipate a rise in the budget for prevention in Fiscal Year 2015.
Walker says awareness of the importance of prevention is there, but many agencies are not implementing the right tools to help overcome network security obstacles without adding complexity to the network. For example, while 60 percent of those surveyed gave the data within their data center a rating of “excellent,” that number decreased to 30 percent when it came to data in transit.
While almost all of the respondents recognized encrypting data on the network as important, only 76 percent of agencies encrypt their data. Moreover, a majority focus on SSL encryption to secure web-based applications, neglecting many other applications that need to be encrypted in transit.
“SSL is a great component of an end to end security strategy but it is only one piece,” Walker said. “SSL is more focused on web-based applications and how those individual applications are secured from an end point perspective or an encryption perspective.
“But that is really only one data set out of many,” Walker added. “You look at these government agencies and the amount of sensitive data that transitions these environments and a lot of that transition is not based on a web-based set of tools or applications. So there must be other security measures in play outside of SSL to accommodate multi-types of data sets.”
The respondents cited budget constraints and impact on network performance as the top reasons for not encrypting their data. Incompatible hardware and software, lack of internal resources, complexity and lack of bandwidth capacity were also considered obstacles.
“Despite the volume of unencrypted inter- and intra-agency data traversing most enterprises, many federal agencies are not implementing procedures to protect the network because it is expensive and degrades performance,” the report stated.
Walker said Brocade advocates leveraging these security components, such as SSL encryption, firewalls, and active control lists, but also exploring new ways to encrypt data on the wire that grow as network bandwidth expands.
“We want to deploy an encryption solution in a simple, low cost way that can be scaled effectively as requirements change, and also falls in line with some of the government-preferred cryptographic algorithms, such as the Suite B algorithm,” Walker said.
Eighty-seven percent of the surveyed IT leaders believe in the importance of basing their network protection strategy on the Suite B encryption algorithm, which is promulgated by the National Security Agency as part of its Cryptographic Modernization Program. The report stated Suite B serves as an interoperable cryptographic base for both unclassified and classified information.
“Suite B was developed and certified by NSA and the purpose was to provide a tool for commercial companies like Brocade to develop commercial classified products that government agencies can use and install in their environment that have a strong and flexible encryption mechanism they can leverage without fear of compromise,” Walker said.
The report recommended respondents select a data protection solution for their agencies’ networks that is simple to maintain and implement, does not increase network costs due to complexity, is Suite B compliant, and can handle the data connection speeds of today and tomorrow.
In addition, one of the things Brocade is trying to relate to the public sector is the concept of security as agile, flexible, adjustable and easily manageable—adjectives that have not traditionally defined security. Brocade’s product offerings, for example, are centered on the concept of the “new IP” and the ability to enhance infrastructure agility, flexibility, control and management.
“You see it every day, from Snowden to Sony, from Target to Anthem Healthcare, consumers want availability, they want to be connected with various types of mechanisms and media on a global scale,” Walker said. “With that, the want and the willingness and necessity to think of the end to end and to be proactive versus reactive in their security approaches is going to be key for these agencies, especially for agencies delivering services to external commercial customers, like Amazon Web Services.”
“These are solutions we didn’t see 10 years ago,” Walker added. “They have changed the security paradigm and how we think about securing our environment moving forward.”