As use of smart cards within the federal government has become standardized, there may be a tendency for federal IT professionals to perceive them as the ultimate security blanket. The non-profit Smart Card Alliance asserts that smart cards are “the most appropriate technology for identity applications that meet critical security requirements.”
But are smart cards the end-all, be-all answer to network security? If you answered yes, think again.
In the third annual SolarWinds Federal Cybersecurity Survey, 38 percent of respondents indicated that the increasing use of smart cards is the primary reason why federal agencies have become less vulnerable to cyberattacks than a year ago. This 2016 survey also revealed that nearly three-fourths of federal IT professionals employ the use of smart cards as a means of network protection. And more than half of those federal IT professionals surveyed noted that smart cards are the most valuable product when it comes to network security.
Smart cards can be used not only to access areas of a facility, but operating systems as well. For example, the Windows operating system, which is still the predominant OS being used by the federal government, uses a specific authentication sequence to determine when a user has logged onto a computer using a smart card.
Indeed, thanks to their versatility, prevalence and overall effectiveness there’s no denying that smart cards play a crucial role in providing a defensive layer to protect networks from breaches. Case in point, the attack upon the Office of Personnel Management that exposed more than 21 million personnel records. The use of smart cards could have perhaps provided sufficient security to deter such an attack.
But there’s increasing evidence that the federal government may be moving on from identity cards sooner than you may think. Department of Defense (DoD) Chief Information Officer Terry Halvorsen has said that he plans to phase out secure identity cards over the next two years in favor of more agile, multi-factor authentication.
Halvorsen’s position indicates that one cannot be too reliant upon any one tool or technology as an adequate defense. Liken it to the need for a joint defense network comprised of Army, Navy, Air Force and Marines. Just as no single unit in and of itself can protect our nation, network security requires multiple lines of defense.
Smart cards may be an effective first line of that defense, but they should be complemented by other security measures that create a deep and strong security posture. First, federal IT professionals should incorporate Security Information and Event Management (SIEM) into the mix. Through SIEM, managers can obtain instantaneous log-based alerts regarding suspicious network activity, while SIEM tools themselves can provide automated responses that can mitigate potential threats. It’s a sure-fire line of defense that must not be overlooked.
Federal IT professionals may also want to consider implementing network configuration management software. These tools can help improve network security and compliance by automatically detecting and preventing out-of-process changes that can disrupt network operations. Users will be able to more easily monitor and audit the myriad of devices hitting their networks, and configurations can be assessed for compliance and known vulnerabilities can be easily addressed. It’s another layer of protection that goes beyond simple smart cards.
At the end of the day, no single tool or technology has the capability to provide the impenetrable defense that our IT networks need to prevent a breach or attack. And technology over time is continually changing. It is the duty of every federal IT professional to stay up on the latest tools and technologies out there that can make our networks safer.
Be sure to look at the entire puzzle when it comes to your network’s security. Know your options and employ multiple tools and technologies so that you have a well-fortified network that goes beyond identification tools that may soon be outdated anyway. That’s the really smart thing to do.