Major breaches have created a sense of urgency around securing high-value assets (HVAs) in federal agencies. In May the Department of Homeland Security released binding operational directive (BOD) 18-02 requiring agencies to take new steps in identifying and mitigating the vulnerabilities in their own HVA systems. But agencies need to ask themselves first whether they have the right tools for the job.
“There is practically no data handled by the federal government that isn’t sensitive in some way, whether it’s highly sensitive military secrets, including designs or plans, to the interactions between agencies and the day-to-day functions of government,” said Leo Taddeo, chief information security officer for Cyxtera.
As a former special agent in charge of the Special Operations/Cyber Division of the FBI’s New York Office, Taddeo has had insight into the most damaging breaches in the public sector and government.
Veteran health data, tax information, trade secrets of regulated companies, compliance records of financial institutions under scrutiny: all of this is federal data, and all of it needs to be secured from actors with malicious intent and the latest tools and techniques for breaking into systems. Even unclassified data could put agencies and taxpayers at risk if left unsecured.
“What we wouldn’t think of as sensitive could become sensitive information, including the aggregation of unclassified information,” Taddeo said. “So, when you look at data in isolation, you could consider it to be lower classification, or perhaps not as sensitive, but when combined with other data, including open source, it could give an adversary exactly the type of insight he or she is looking for.”
Currently, most agencies are attempting to protect their data with legacy technology like VPNs, firewalls and NACs. But it’s virtually impossible to secure modern distributed, hybrid IT infrastructure with perimeter-based security that hasn’t been updated in 20 years. These antiquated tools are also complex and expensive to operate.
Agencies instead should be exploring zero-trust, software-defined-perimeter (SDP) solutions. SDP flips the script on the standard TCP/IP procedure, where the user first connects to the asset, then presents credentials, and is then authenticated. With SDP, the user is authenticated first and only then allowed to connect to the asset. This is the primary benefit of SDP: after authentication, the user is connected to the authorized asset, and only that asset.
This ordering has multiple benefits. It prevents a bad actor from sending malicious packets to an application, or from scanning and probing the system. Users have limited visibility into the system, so they are unable to carry out critical portions of an attack sequence: reconnaissance, lateral movement and privilege escalation.
This is because, while a VPN creates an encrypted tunnel through a firewall to a network, SDP is far more specific, creating an encrypted tunnel from the user to a single asset. By limiting a user to just that asset, it denies an adversary the chance to search for vulnerabilities and exploit them. That is what zero-trust means.
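As an added illustration (not code from the article or from Cyxtera’s product), the following Python model of a default-deny gateway shows the authenticate-first, single-asset ordering described above: connection attempts from unauthenticated identities, or to assets outside a user’s entitlement, are dropped before anything reaches the asset. The users, asset names, policy and shared secret are constructed for the example, and the HMAC assertion stands in for whatever signed token a real controller would issue.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

# Constructed sample policy: which assets each authenticated identity may reach.
POLICY = {"alice": {"payroll-db:5432"}, "bob": {"hr-app:443"}}
# Constructed secret shared by controller and gateway (assumption: a real
# deployment would verify a signed token from an identity provider instead).
SECRET = b"constructed-demo-secret"


def issue_assertion(user: str) -> str:
    """Controller side: returns 'user:mac' once the user has authenticated."""
    mac = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}:{mac}"


@dataclass
class Gateway:
    """Default-deny gateway: no asset is reachable until an assertion is verified."""
    admitted: dict = field(default_factory=dict)   # user -> set of admitted assets
    log: list = field(default_factory=list)

    def authenticate(self, assertion: str) -> bool:
        """Verify the assertion; on success, record the user's entitlements."""
        user, _, mac = assertion.partition(":")
        expected = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected) or user not in POLICY:
            self.log.append(f"reject auth for {user!r}")
            return False
        self.admitted[user] = set(POLICY[user])
        return True

    def connect(self, user: str, asset: str) -> bool:
        """SDP order: authenticate first, then connect, and only to entitled assets."""
        allowed = asset in self.admitted.get(user, set())
        self.log.append(f"{'allow' if allowed else 'drop'} {user}->{asset}")
        return allowed

    def scan(self, user: str, assets) -> list:
        """What a probing identity can see: only assets it is already entitled to."""
        return [a for a in assets if self.connect(user, a)]
```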
And SDP is scalable. A single security policy can be adapted to cover a specific resource, or an entire enterprise.
But the strength of SDP isn’t just in the technology. A door is only secure if someone bothers to lock it.
“Security officials should think about user experience when they think about the efficiency and effectiveness of a security tool,” Taddeo said.
Security fatigue is a real issue among employees in complex technological environments. Consider an agency that uses a VPN to reach its on-premises systems: with workloads spread across environments, that can mean multiple VPNs, depending on where each workload runs. Users then have yet another method of signing on for each Software-as-a-Service solution. Each one is another password, another sequence of entries that encumbers the employee.
“We are imposing on the employee a workload and a complexity that could be a significant disadvantage to our security posture,” Taddeo said. “This is what I mean: if the number and complexity of access tools given to the employee become cumbersome, we have found that our employees tend to work around them, avoid them, and compromise security that way.”
Instead, SDP solutions encourage buy-in. A single, simple sign-in process that is secure and applies across multiple environments is appealing to employees, and a solution that appeals to employees is one they will actually use. Because a single sign-in reduces the number of tools an employee has to use and the number of passwords they have to remember, SDP also boosts productivity by reducing the time it takes them to get to work.
It boosts productivity indirectly as well. Most of the workload for IT helpdesks is resetting passwords. Reducing complexity reduces that workload: if the number of passwords goes down, the number of calls to reset them goes down too. This frees IT staff for more complex and important tasks, while reducing the time employees are unable to do their work.
Taddeo said one regulatory agency already uses Cyxtera’s zero-trust solution, AppGate SDP, to secure both its on-premises environment and its Amazon Web Services resources. With DHS’ new binding operational directive, more agencies should be exploring this solution to secure their data.