Can Einstein and TIC keep up with the cloud?

As agencies reimagine their networks, key security tools are showing the strain.


The move to the cloud brings unprecedented flexibility and scalability, but agencies' new network architectures are prompting some growing pains as well.

"The idea of having access to any data, anywhere, with the cloud means you have to look at data protection differently," Sara Mosley, the Department of Homeland Security's acting CTO, said at ACT-IAC's Executive Leadership Conference on Oct. 31. While "you still need the perimeter protections," she said, "you've gotta look at it from a data-protection perspective -- that's really where network security is going." 

Two industry panelists, Yubico's Jeff Frederick and Zscaler's Steve Kovac, put the emphasis on the user, but agreed increasingly hybrid networks demand a different approach. "If you put policy around the user," Kovac said, "the network just becomes a form of transit."

Or as U.S. Digital Service Engineer Andy Brody put it, "the boundaries are less physical and more logical. That requires a different way of looking at it."

"The network-based defense," he added, "has already been stretched to the breaking point."

The Trusted Internet Connections that agencies are required to use to access external networks are a particular friction point. Originally conceived to protect the perimeter of government systems, TICs now need a different model. "You're not going to look at it as protection of the network," Mosley said. "You're going to look at it in terms of protection of the data."

Modernizing the TIC infrastructure has been a key element of discussions driven by the IT modernization report, Mosley said. "There are lots of ways to virtualize or implement similar, TIC-like security," she said, but "the biggest hurdle is really the Einstein piece -- that's something we're working on internally. How do we get similar capabilities in the cloud, that we have now with the Trusted Internet Connection?"

Agencies have their own limitations to overcome, Mosley added. Much of the cloud-security focus has been on Federal Risk and Authorization Management Program compliance, she said, but "from an operational security standpoint, is your [security operations center] ready to take on the types of security challenges in the cloud? Do they have the tools? Do they have the skillset? Are you outsourcing that?" 

And while data- and user-centric solutions are available, the panelists said, none offer full fixes.

Some large agencies are looking to microsegmentation, Mosley said, and future phases of DHS' Continuous Diagnostics and Mitigation program will include such solutions, but "the biggest challenge there is scalability."

Similarly, encryption can't serve as a panacea, Kovac said. "If you're going to encrypt and decrypt at every single hop … you've just compounded your problem."

But beyond the technical obstacles, the panelists agreed, the biggest challenge is getting program and mission owners to understand why changes are in order. While the IT shop could be held accountable for perimeter security, Mosley stressed, responsibility shifts when the focus is on users and data.

"Ultimately, the data owner owns the risk," she said. "We have to make sure they have a good comprehensive plan."