2013 started with lots of promise around cybersecurity and how the government was going to ensure that critical data running our country – from the legislative branch and civilian agencies, as well as the defense department – is truly protected. President Obama issued an Executive Order in February on improving critical infrastructure security and NIST (National Institute of Standards and Technology) initiated several workshops on how to address cyber threats with a cybersecurity framework. While these are steps in the right direction, 2013 is drawing to a close and there is still much work to be done.
This week, Federal Computer Week reported that Senator Jay Rockefeller wants to add his cybersecurity legislation to the $625B defense authorization bill currently under review in the Senate. While this measure is likely to be considered important on a bipartisan basis, it is just one of 500 amendments in the proposed defense bill, and 2013 could well come to a close without a defense bill in place.
Given that government projects are increasingly moving to the cloud and involve Big Data implementations, it is vital that attention be paid to both data security and cloud security. Moreover, since today’s sophisticated attackers are typically already within the network itself, encryption has become an increasingly important piece of any defense-in-depth strategy.
The reason is that data at rest is a high-value target for national interest-oriented hackers, criminals, and people with an agenda against government. These attackers are most interested in exfiltrating data repositories that hold personally identifiable information (PII), intellectual property and/or critical mission data. Insight into our defense strategy as well as our critical infrastructure could have a devastating, and potentially disastrous, effect on America’s way of life. Similarly, compromised PII can wreak havoc with an individual’s financial and even physical well-being. The question is: how can federal procurements address these issues when they’re typically awarded to the lowest priced, technically acceptable solution?
With budget constraints and the mounting pressure to do more with less, government cyber acquisitions must be more vigilant in ensuring that the selected solution includes data protection as a core objective, not just a checkbox item. For instance, encryption is often a feature in government project requirement sets, but encryption without validation of proper processes and user access rights has little promise of addressing the looming threats facing our nation. Encryption alone addresses only one use case: the physical theft of devices and data storage units.
Given that stolen and compromised credentials are a primary method used to gain entry into systems to steal valuable information, we must make the infrastructure (and those responsible for maintaining it) “blind” to the data itself so that system administrators and database administrators can do their jobs without actually seeing valuable data. In the face of government data center consolidation and cloud migration, data protection is a critical imperative.
I’d like to challenge our federal agencies to gain a broader view of the solutions available in this area. Our opinion at Vormetric is that the best way to stave off Insider Threats is to take a multi-layered approach that protects the data from the inside out. There is promise of a strategy from the work at NIST and there is a growing chorus of voices demanding that government entities do more to protect our critical data, but it is still just a promise at this point. Hopefully, government agencies of all types and profiles will see fit to invest in advanced data security solutions that are equal to the task of protecting one of our country’s most valuable assets, our data.