How to Modernize While Meeting Multiple Mandates
An enterprisewide approach will not only secure systems but put agencies in line to meet several compliance regulations.
Over the past three years, IT modernization has seemingly been at the center of every conversation about federal technology.
With the passing of the Modernizing Government Technology Act as part of the last National Defense Authorization Act, federal agencies now have millions in additional funding over the next two years to modernize outdated technology systems. Not only will this modernization project improve security and reduce costs, it will improve agency operations and efficiency.
This project alone could consume an entire technology department. Of course, it is just one of many mandates that federal agencies must meet, some with conflicting goals and requirements. Along with pursuing IT modernization efforts, federal leaders must also consider the latest Trusted Internet Connection updates and cloud computing adoption requirements, among other issues.
As a result, many federal agencies find themselves in a bind when trying to meet too many requirements at once. Danielle Metz, a senior policy advisor at the Office of Science and Technology Policy, explained at a recent event that the Trump administration understands this dynamic.
“It’s going to be time-consuming, it’s going to outlast an administration, so we need to make sure we have the foundation in place so you can build upon that,” Metz said. “It’s not going to be a three-year plan, it’s going to be something significant, a decade or more.”
The Path Forward
As federal agencies begin the IT modernization process and continue to meet the other demands on their technology systems, they need to rethink their security strategy to focus on the data.
In the past, federal agencies could dedicate security resources to a hard network perimeter. Since employees primarily worked from a set workstation inside a government office the thought was if agency leaders could protect that perimeter, the internal network was trusted.
That has changed. Cloud computing and the mobile workforce has shifted the endpoint, increasing the scope of what agencies need to secure. Agencies now need to think about end-to-end security that protects data during every stage of its lifecycle. As a result, agencies can no longer focus on the traditional perimeter. They must instead protect the data that is flowing in and around that perimeter, as well as the users accessing the data, regardless of the device.
This change in philosophy is paramount to adapting to the changing cybersecurity landscape. As federal agencies institute this approach they will be better inline to meet the various compliance and regulatory rules put in place.
Programs like TIC effectively moved federal agencies to a standardized approach to perimeter security. However, the TIC architecture does not readily facilitate secure cloud adoption, and now must be re-architected to support a security environment that shifts the trust boundary to the data, application and user, not just the network edge.
An End-to-End Approach
The thinking must be about an end-to-end system that encapsulates the full enterprise. As agencies face these mandates they must keep the overall security vision within sight.
So what does an end-to-end approach look like? In short, it unifies cloud and on-premises security to provide advanced threat protection and, importantly, data protection across all endpoints, networks, email and cloud applications.
To provide this end-to-end, integrated cybersecurity approach, agencies need to incorporate:
- Endpoint security: Endpoints are seemingly everywhere in the enterprise, especially with the explosion of mobile devices. Agencies need a secure endpoint solution that can protect enterprise and mobile workforces regardless of operating system, device or network configuration.
- Network security: Cloud and on-premise network security solutions can provide superior defense against advanced threats. They are a critical part of an end-to-end solution to help ensure secure and compliant use of the cloud and the web.
- Email security: Email remains the most popular communication tool in organizations, especially government. Agencies need to ensure they have multiple layers of protection for email to guard against ransomware, spear phishing and email compromise. These solutions should work with advanced analytics to identify targeted attacks to protect email against user error and data leakage.
- Cloud security: Perhaps most important in today’s environment, agencies need to ensure that their cloud data remains secure. That includes secure cloud infrastructure and applications and solutions that can provide in-depth visibility, data security and threat protection to safeguard data.
IT modernization presents an opportunity to also modernize the approach to security. Most organizations built their security environments reactively: When new threats emerged, they bought and deployed new tools, resulting in a tremendously complex, inefficient and ultimately less secure environment. As agencies modernize their IT environments, move to the cloud and expand their mobile capabilities, they should also look to implement a platform approach to security. One that utilizes open standards to allow all security systems to communicate and take automated action to defend in real-time, whether on-premise, in the cloud, at the endpoint or as part of the internet of things. A comprehensive security policy will protect agencies and their data no matter where it resides.
Chris Townsend is a vice president of federal for Symantec.