It used to be that protecting your network meant keeping track of the desktop and laptop computers that accessed it. Then smartphones came onto the scene, and now wearables and other IoT devices, as well as cloud computing, are making it harder than ever to keep up.
IoT and the cloud have both become hot-button issues in the world of information technology, because good security practice is no longer just a matter of securing a single system, but of securing every third-party system connected to it as well.
“Government institutions are seeing digital transformation at an unprecedented scale, but those changes come at the price of ever-evolving security risks,” said Maria Horton, CEO of EmeSec and former CIO of the National Naval Medical Center.
This challenge becomes increasingly critical with the rise of interconnected systems between agencies, where users are given access to databases and networks outside of their home network. Contractors, each with their own set of system requirements and security procedures, are often given access to controlled unclassified information (CUI) that requires compliance with government and agency standards.
“Government leaders need to outline new processes for authorizing digital identities for individuals or devices across different platforms so partner agencies can better understand access in the context of each user and technology,” said Horton.
Agencies will need to set new rules and guidelines
Doing this will take a lot of work on the part of the government to establish a new set of rules that covers this new generation of connected devices and cloud services. One way it is doing this is through the Einstein program and the Department of Homeland Security’s Trusted Internet Connections Reference Architecture, but even this stringent set of guidelines fails to prevent possible third-party attacks, which are more indirect yet equally damaging.
The answer to this growing problem may well be in how risks are prioritized and addressed.
“Agencies can’t take an all-or-nothing mentality. Compliance isn’t security, and security isn’t compliance. Rather than claiming one or the other, government cybersecurity leaders should use the NIST and FISMA guidelines, and then align specific security controls based on risks,” Horton said. “Many governance, risk and compliance tools focus on mitigating reported risks instead of tackling them in real time. In-the-trench risks will be what IT leaders see exclusively from now on.”
Comprehensive coordination between agencies and contractors is key to building a plan that takes these new technologies into account, protecting CUI and safeguarding networks from unwanted intrusion.