A recent refugee crisis abroad and the incumbent hybrid workplace have led the State Department to uphold a more iterative and collective approach to cybersecurity.
The key to securing its distributed workforce, which works not only remotely and in the office but domestically and internationally as well, was to work with stakeholders from the beginning on cybersecurity priorities and build the strategy iteratively.
The big takeaway from the agency’s recent use case was this: by building cybersecurity into the business and technical architecture up front, it was able to mitigate a great deal of risk.
That use case centered on processing refugees overseas using a mix of on-premises and cloud solutions.
“It’s a dangerous world, and obviously our agency is a huge target,” said Brian Merrick, the State Department’s Acting Deputy Chief Information Officer of Operations for the Bureau of Information Resource Management.
“It’s easy to go down separate rabbit holes,” Merrick said. What agencies need to do is create a holistic “security fabric” that can respond to and address the complexities of a hybrid environment. Rather than getting lost in that complexity, starting from a high-level perspective helps you identify what is most important, most foundational or of highest risk, and then prioritize resources accordingly.
“[By] starting that security conversation early, getting the policy pieces moving early and being transparent between the operations, security and business folks, we were able to fix a whole lot of problems early on that led to successful deployments and ultimately mission outcomes,” Merrick said.
One of the foundational pieces of a hybrid security strategy is a single identity mechanism. This is where the implementation of zero trust starts, or at least its first iteration. A single identity mechanism lets you know who your user is, which in turn lets you know what they are connecting to and which data needs to be protected.
Multifactor authentication (MFA) is a critical piece of identity management, and it is relatively simple to implement. MFA is a security method that requires users to verify their identity through two or more pieces of evidence. The State Department tends to rely on MFA rather than passwords, with the goal of slowly but surely moving away from passwords altogether.
“People are so busy and connected, they’re going to end up doing bad password practices,” Merrick said. In the meantime, a basic line of defense is to use complex, phrase-based passwords.
“We’ve seen the 1234 password many times. Don’t do that. That’s one of the best ways to reduce your risk profile,” Merrick said.
This article is an excerpt from GovLoop’s e-book, “The Policies That Enable Hybrid Teams: Cyber Tips & Takeaways.”