We’ve all seen the news lately. It seems as though the revelations about the Office of Personnel Management’s (OPM) cyber attack and data breach keeps escalating, potentially exposing up to 22 million Americans’ personal data (mine included). These events have shot cybersecurity reform into the spotlight at all levels within the federal government — starting with OPM’s Cybersecurity Action Report, which identifies steps employees and contractors can take to improve security and modernize systems.
In June, federal Chief Information Officer Tony Scott ordered a 30-day cyber sprint to secure agency networks and data while assembling a tiger team — including the Office of Management and Budget’s (OMB) E-Gov Cyber Unit, the National Security Council’s Cybersecurity Directorate, the Defense Department and the Department of Homeland Security (DHS) — to review current policies and recommend a formal cyber strategy.
Meanwhile, the Department of Defense is also facing questions regarding its lack of cyber-compliance practices, which begs the question: How can agencies clean up their act and tackle the issues of cyber hygiene and compliance?
Scott outlined key areas of focus for the 30-day sprint, some of which agencies have been struggling to adopt for years.
Several of these areas are naturally addressed by transitioning to a software-defined workplace, which combines the power of virtualization, mobility and networking to create a secure government workspace, an environment where government employees and contractors can work without falling victim to the next cyber attack.
Here are a few basic things agencies can do to protect themselves against cyber attacks:
Accelerate the use of personal identity verification (PIV) cards and other forms of multi-factor authentication. Software-defined workspaces can natively support PIV cards and multiple forms of multi-factor authentication across various endpoints (Win, OSX, Linux, iOS, Android, zero clients). Some of these workspaces can also enforce multi-factor/PIV authentication for Windows/Web applications that weren’t originally built for PIV, enabling agencies to save on app development costs associated with meeting this authentication mandate for existing legacy apps.
Protect data at rest and in transit. Software-defined workspaces can ensure that all data in transit is encrypted using Federal Information Processing Standard (FIPS) 140-2 compliant algorithms, allowing data to be accessed securely over unsecure networks including Web apps, virtual private network, mobile access or virtual remote access. Agencies should look to implement a solution that can also be completely virtualized, negating the need for any data-at-rest on the end-user device therefore reducing data exposure. For instance, where data must be stored locally due to network connectivity concerns (e.g. mobile devices), all data-at-rest can also be encrypted using FIPS 140-2 compliant algorithms.
Decrease time needed to manage configurations and patch vulnerabilities to standardize and automate processes. Keeping apps and operating systems patched is an arduous process, which needs to be 100 percent compliant to be an effective cyber-defense. Virtualizing servers, desktops and apps as part of a software-defined workspace solution can provide simplified image management of apps and operating systems. Once virtualized, patching is done once in the data-center where it can be controlled and compliant, then delivered everywhere instantly.
Decrease complexity and number of things defenders need to protect to reduce attack surfaces. Network simplification and consolidation ensure that critical entry points into secure government networks are controlled and secured. A unified gateway in the demilitarized zone (DMZ) can help consolidate existing multiple network appliances that are managed and patched separately creating network complexity. This consolidated DMZ appliance can help simplify external access methods for all remote users and apps, enforcing authentication and authorization at the border before allowing entry into the network.
With the 30-day sprint crossing the finish line, OMB has already seen significant progress among agencies. According to Scott’s blog, 72 percent of federal civilian agencies increased their use of strong authentication for privileged and unprivileged users, and, more than half of the largest agencies have implemented the same level of strong authentication for nearly 95 percent of their privileged users.
Of course, these changes won’t happen overnight and the focus on accelerating the use of PIV cards won’t eliminate security breaches altogether; however, every step toward implementing secure government workspaces can help agencies focus their efforts in the right places to manage their infrastructures more effectively and align their strategies to further protect federal information and improve the security posture to handle threats.
Ensuring adherence to a well-thought-out cyber policy can ensure our nation’s most valuable assurance resources within Department of Homeland Security, the U.S. Cyber Command (CYBERCOM) and the Intelligence Community (IC) can focus on the real threats instead of reacting to preventable breaches. It is no longer the question of if an agency or organization will experience a breach but when one will occur. Agencies must address existing infrastructures and transition to a software-defined workplace to secure classified information from getting into the wrong hands.
Faisal Iqbal is the public sector CTO for Citrix. He brings more than 10 years of engineering, consulting and project management experience to his current role, focused on providing mobility, virtualization and cloud solutions for several agencies throughout the federal government.