This article is an excerpt from GovLoop’s recent report titled “Your Guide to Key Advancements in Government Cybersecurity.”
In today’s world of complex IT environments and highly motivated adversaries, government organizations must be more vigilant and proactive than ever before. Government IT professionals are challenged to support mission achievement with a balance of security and end user productivity.
Mandates such as the Cybersecurity Strategy and Implementation Plan (CSIP) and the Defense Department’s (DoD) Cybersecurity Discipline Implementation Plan strive to provide structure and accountability to ensure optimal security.
However, these and other mandates, including the National Institute of Standards and Technology (NIST) cybersecurity framework and the Federal Information Security Management Act of 2002 (FISMA) framework, add to the challenges federal agencies face through annual reviews and cumbersome reporting requirements.
In a recent interview with GovLoop, Morey Haber, Chief Technology Officer at BeyondTrust, discussed how a layered approach to IT modernization makes the process easier for agencies by adding security barriers while supporting legacy systems and modern technologies. BeyondTrust partners with government organizations to provide visibility and awareness solutions that effectively maintain security and support compliance requirements.
Any successful modernization strategy starts with understanding what’s in your IT environment. “You have to decide what you’re going to tackle first,” Haber said.
Agencies that comprehend their IT environments can determine the best tradeoffs for modernization. Systems that are fully air gapped should not be a high priority since they lack the same risks as those with internet connections.
Haber said organizations should also remember their primary mission and what requirements drive it. Modernizing mission-critical systems requires more urgency than those that merely support agency goals.
Modernizing legacy systems introduces concerns including cost, technologies’ lifespans and vulnerabilities. Haber added that a key issue is whether an organization is using a custom-built or commercial off-the-shelf (COTS) system.
Haber said custom-built systems usually last 15 years or longer, while COTS typically have shorter lifespans. Either system must meet an agency’s cybersecurity life expectancy before its expiration date or parts become obsolete.
Helping employees understand they should not customize or personalize government-issued technology at work is also crucial. These technologies must meet established security standards for government business.
Besides enforcing those standards across the workforce, agencies should also consider the benefits of layered cybersecurity, separating portions of their IT infrastructure with security layers. Layering helps government agencies leap from legacy systems to modernized technology by isolating applications, devices and systems from other non-mission-critical environments, ensuring stronger, discipline-based cybersecurity.
The strategy adds specific safeguards to different IT layers on a case-by-case basis, protecting each as needed and ensuring the health of the greater whole. Cybersecurity layers include networks, hardware, infrastructure perimeters, devices, and Bluetooth and Wi-Fi endpoints.
“Security is like an onion,” Haber said. “Every single layer and every single resource must be considered an onion layer. Each may require different strategies.”
Haber said government IT staff modernizing their agency’s technology should recognize what cybersecurity layers impact their mission, acting accordingly to ensure each layer’s security. He recommended that agencies use a SWOT analysis to identify the Strengths, Weaknesses, Opportunities and Threats related to their business units or specific projects.
Haber noted that not all government agencies should implement the same cybersecurity layers, adding some could ignore them entirely because of their mission parameters.
Through a unified suite of solutions, BeyondTrust integrates privileged access management with vulnerability management to provide a centralized view of user, account and asset security. Incorporation of threat and vulnerability intelligence with behavioral analytics adds context to risk assessments and provides a complete view of user and asset risk — with the ability to understand how they affect one another.
“Using these two layers — privileged access and vulnerability management — are how we help protect government assets,” Haber said, “regardless of whether the application or system is custom-built or based on a commercial product.”
Haber added IT modernization is crucial for government agencies, but so is understanding the cybersecurity requirements necessary for technology asset protection.
“When you consider the layered approach, regardless of COTS or custom, you must consider which ones you’re going to modernize first, and which will be cost effective and provide effective layers of security, based on risk,” he said. “They all tie together. After all, two identical resources, one plugged into the internet and one air gapped on a raised floor, have two completely different risk profiles and two different layered security models. They must be prioritized and modernized differently.”