National prosperity and security are reliant on a secure information environment. There are no activities, whether in the private or public sector, that are completely segregated from the IT infrastructure. So why do federal agencies continue to respond to emerging cybersecurity threats by adding layers to security strategies that rely on two decades old technology?
“The landscape has changed significantly over the last 40 years. I am talking about a time when we still had mainframes like the IBM360s. Then we all got PCs on our desktop and had that compute power at our fingertips,” said Cheryl Peace, Chief Operating Officer for Cyxtera Federal Group. “This created the age of script kiddies and kids hacking from their parents basements. Twenty years ago, I was worried about those nuisance hackers but that is nothing compared to today’s threats. With everything we own connected to the internet, hacking has become a very profitable business and often Nation State sponsored.”
Firewalls and Virtual Private Networks (VPNs) were introduced 22 years ago and were tailored to the security threats of the times. They attempt to block or blacklist capabilities from making their way into networks. But firewalls have become increasingly difficult to maintain and keep current. For example, with growth of both capabilities and threats, the rules governing firewall operations often number in the tens of thousands, taxing an already stressed and burdened work force to maintain and operate them.
The biggest contributor to the growth in firewall rules are VPNs. They have proliferated to the point where not only do they poke holes through the firewalls, the firewall rules permitting VPN operations continue to mount, adding additional overhead for administrators trying to maintain the rules and keep them current. The result is a system akin to arteries clogged with ever-increasing layers of cholesterol.
“Complexity is the bane of security. When you keep on adding layer after layer, without cleaning out things that are no longer as viable or as effective, it causes problems and increases risk, because you’re adding burden to an already over-tasked workforce,” said Greg Touhill, president of Cyxtera Federal Group.
That’s why simplicity is the next big thing in cybersecurity. Adopting a Zero Trust security model, which is focused on the recognition that organizations cannot automatically trust anything on either the inside or outside of their networks and instead must verify identity and roles before granting access, is proving itself extremely effective in reducing the attack surface, streamlining operations, and improving security.
Cyxtera’s approach to implementing the Zero Trust security model includes its AppGate Software-Defined Perimeter (SDP) product. SDP technology addresses fundamental weaknesses in TCP/IP, which connects then authenticates users to the network. In contrast, SDP authenticates first using a rigorous identity-centric approach that leverages multi-factor authentication combined with role-based access control. Once identity is confirmed, the user is connected only to the assets they are authorized to see while the rest of the network is rendered invisible.
How SDP works can be easily understood with an analogy. “Imagine you enter a hotel. You show your credentials and credit card, which are verified by the reception, and you are given a room key. After checking in, you go to the elevator and get in it,” Peace said. “But the elevator doesn’t have any buttons on it. Your room key is your access and the elevator takes you to your room. You don’t know how many floors are in that building, nor do you need to. You only know what room you’re going to. When you get off that elevator, you are where you need to be and only accessing your room. You don’t know how many other rooms or offices are on that floor or in the building, nor do you need to. That’s least privilege.”
The idea behind SDP is that you can only connect to what you’re authorized to see and what you are unauthorized to see is completely invisible to you and impossible to detect. Whether your information is on-premises, in a data center, in the cloud or mobile devices, you want an approach designed around user identity, not the IP address. Now, in an age where the work force is mobile and using multiple devices in multiple locations, the perimeter is now the user themselves. There are no checks and balances to what a user can see once they’re in a traditional network. In contrast, with SDP, even superusers are limited only to what they are authorized to access. The attack surface shrinks from the entire network to just the single user.
This capability means it protects organizations from internal threats as well as external ones. SDP is just as effective at preventing the next Edward Snowden as it is at preventing the next Office of Personnel Management breach.
“If you don’t have full access to the entire system, you are limited to what you can take, you are limited to what you have access to,” Peace said. “I think this is something the government really needs, because when you come from the environment that I’ve come from at the National Security Agency, we’re all cleared, we all take polygraphs, but that doesn’t necessarily mean we should all be trusted without any parameters. I think software-defined perimeter helps better define what you trust me to do.”
Federal agencies have all kinds of sensitive data and potential use-cases for enforcing the zero-trust model with SDP. For example, the Departments of Health and Human Services and Veterans Affairs are the custodians of sensitive information about individuals, patients, intellectual property and pharma research. And NASA, the Department of Energy, and other agencies have an open-information exchange with partners from academia and other nations. They have to be able to share some data openly with the worldwide scientific community, while at the same time protecting intellectual property and national security information.
Cyxtera’s zero-trust solution, AppGate SDP, has the security capabilities and flexibility to accomplish these missions and more.
“Relying on concepts and tools that are decades old puts national prosperity and national security at risk,” Touhill said. “We as a society need to be sensitive to the threat environment and these new capabilities. Now is the time to best leverage the Zero trust model and SDP and keep pace with the people, process and technologies needed to better protect our information.”