The Office of Management and Budget’s latest Federal Information Security Modernization Act (FISMA) report to Congress showed that agencies faced more than 31,000 cybersecurity incidents in fiscal 2018, a 12% decrease from 2017. Fiscal 2018 also was the first year since OMB created the major incident category in which agencies reported no major incidents.
That was the good news.
The bad news is agencies continue to struggle with basic cyber hygiene. OMB released the latest data on the IT modernization cross-agency priority goal that showed 70% of all civilian agencies have implemented hardware asset management, which was up 5% over the previous report card.
OMB also says 83% of all civilian agencies have implemented software asset management, which was up 4% over the previous report card.
So while the trend is positive, nearly a third of civilian agencies still cannot account for all of their hardware and close to a fifth cannot account for their software, which means they continue to struggle with some of the most basic cyber defenses.
Dan Fallon, the senior director of federal engineering for Nutanix, said the way to close many of those cybersecurity gaps is to adopt the concept of inherent security, or secure by design.
An easy way to understand this concept, Fallon said, is to go back to the 1990s when people used to debate whether Apple or Windows computers were better.
“There is more inherent security built into the OS for Apple. You don’t have to install a bunch of extra security agents in the Mac. The operating system, built on a Linux platform, has more security built into the underlying system,” Fallon said on the IT Innovation Insider. “For example, if you are logged in as an administrator, a bad guy who gets access can take advantage. Apple prompts you to do things like install an application. That is a simple example. Windows has gotten better, but only a couple of versions ago. The Apple devices are much better at prompting, so at least the users are aware.”
He said while that debate still happens today, this concept of secure by design or security in the architecture is growing among all vendors.
Among the reasons for this shift, albeit a slow shift, is the ever-growing threat to systems and data.
Fallon said both agencies and vendors see the value of finally making the old adage it’s “better to build in security, than bolt it on after the fact” a reality.
“Secure by design takes more of the burden off agencies. It saves them time and money by the vendor taking more responsibility in the product so your security policies and features are in the system when you take it out of the box,” he said. “That’s a huge cost and time savings. It means more rapid time to deployment to meet mission.”
To put this concept into action, Fallon said vendors must move away from implementing security guidelines from the National Institute of Standards and Technology or the Defense Information Systems Agency as a “custom” add-on after the vendor has installed the product.
Where agencies and vendors need to go is to follow the model of a software-as-a-service provider in the cloud where the product is secure out of the box.
“There is a lot of human error in someone going through a spreadsheet line-by-line trying to match with security controls. But if the product has it built in, you know across all products across your data center it has that underlying baseline,” Fallon said. “We know all our commercial customers will not want to meet the 14-character DoD password guidance. We treat the system as wanting to have the same security baseline and give the commercial customers all that great security posture the federal government provides, because it benefits them as well. There are some things that go a little above and beyond, like some of the DoD rules with password guidance and warning banners. We actually have a check box that turns on those features. You’re constantly balancing security versus usability.”
The Federal Risk and Authorization Management Program (FedRAMP) has helped push the needed mindset shift toward security by design.
“When you look at the on-premises and the private cloud, that’s a big reason why you are seeing more products offer more security features built in. They have to keep up with the cloud model,” Fallon said. “But even in the cloud, it’s still a big shared responsibility. The cloud vendor doesn’t own 100% of the security stack. They are responsible for the baseline infrastructure.”
Fallon said agencies also have to put some tools in place when using the commercial cloud to improve the governance of tracking the security requirements from NIST or DISA.
“You now have this proliferation of cloud services so there is a lot more to track there and it’s outside your data center. It’s even more important for that safety net to catch those security misconfigurations,” he said. “Smart governance and continuous monitoring go hand-in-hand. It’s no longer the old days of a once every three years security audit. That goes out the window in cloud. It’s a continuous lifecycle, daily, if not almost by the minute. It’s clear there needs to be more monitoring and more asset tracking, and the ability to respond if an asset is out of patch compliance or a port that is misconfigured on the open internet, how do I within minutes or seconds reconfigure that so it’s now closed?”
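The two ideas Fallon describes, a single built-in baseline with a switch for the stricter DoD settings, and a continuous monitoring loop that turns a patch lapse or an exposed port into an immediate remediation action, can be sketched in a few dozen lines. The following is an added example written for this page; it is not Nutanix code and does not come from any NIST or DISA publication. The baseline values, the three-host inventory, the snapshot date and the remediation action names are all hypothetical and constructed inline.

```python
from datetime import date

# Hypothetical baseline applied to every asset. One switch enables the
# stricter DoD settings mentioned in the interview (14-character passwords
# and a login warning banner); the commercial default is looser. The
# numbers are illustrative, not taken from any NIST or DISA document.
def build_baseline(dod_mode: bool) -> dict:
    return {
        "max_patch_age_days": 30,
        "allowed_public_ports": {443},
        "min_password_length": 14 if dod_mode else 8,
        "require_warning_banner": dod_mode,
    }


# Constructed inventory snapshot, shaped like what an asset-tracking feed
# might return. These are made-up hosts, not real systems.
INVENTORY = [
    {"id": "web-01", "last_patched": "2019-05-01", "public_ports": [443],
     "min_password_length": 14, "warning_banner": True},
    {"id": "db-01", "last_patched": "2019-03-15", "public_ports": [443, 3306],
     "min_password_length": 8, "warning_banner": False},
    {"id": "bastion-01", "last_patched": "2019-05-20", "public_ports": [22],
     "min_password_length": 14, "warning_banner": True},
]

# Hypothetical date on which the snapshot above was taken.
SNAPSHOT_DATE = date(2019, 5, 25)

# Hypothetical mapping from finding type to an automated response. In a real
# deployment each value would be a call into the platform or cloud API.
REMEDIATION = {
    "patch": "schedule_patch",
    "port": "close_port",
    "password": "enforce_password_policy",
    "banner": "enable_warning_banner",
}


def find_drift(asset: dict, baseline: dict, today: date) -> list:
    """Return (kind, detail) pairs where the asset departs from the baseline."""
    findings = []
    patch_age = (today - date.fromisoformat(asset["last_patched"])).days
    if patch_age > baseline["max_patch_age_days"]:
        findings.append(("patch", f"last patched {patch_age} days ago"))
    exposed = set(asset["public_ports"]) - baseline["allowed_public_ports"]
    for port in sorted(exposed):
        findings.append(("port", f"{port}/tcp reachable from the internet"))
    if asset["min_password_length"] < baseline["min_password_length"]:
        findings.append(("password",
                         f"minimum length {asset['min_password_length']} "
                         f"is below {baseline['min_password_length']}"))
    if baseline["require_warning_banner"] and not asset["warning_banner"]:
        findings.append(("banner", "login warning banner not configured"))
    return findings


def monitor(inventory: list, dod_mode: bool, today: date) -> list:
    """One pass of the monitoring loop: every finding becomes a queued action.

    Run this on a schedule (minutes, not years) so drift is caught and
    corrected close to when it appears.
    """
    baseline = build_baseline(dod_mode)
    actions = []
    for asset in inventory:
        for kind, detail in find_drift(asset, baseline, today):
            actions.append({"asset": asset["id"],
                            "action": REMEDIATION[kind],
                            "detail": detail})
    return actions


if __name__ == "__main__":
    for a in monitor(INVENTORY, dod_mode=True, today=SNAPSHOT_DATE):
        print(f"{a['asset']:<12} {a['action']:<24} {a['detail']}")
```

With the DoD switch off, the pass queues three actions (an overdue patch and an exposed database port on db-01, and SSH open to the internet on bastion-01). Flipping the switch on adds two more for db-01, its short password minimum and missing banner, without any per-asset spreadsheet work: the stricter rules are part of the same baseline and apply everywhere at once.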