Cryptzone Federal User Meeting Showcases Need for Network Security and Access Controls
Security risks to government come in many forms these days – it could be the person sitting in their basement seeking network access to break your security or another government. The reality is it doesn’t take a whole lot to break into many systems. Combined with the human factor i.e. people doing the ‘best we can do’ to secure resources, and inside and outside predators have the arsenal to do a lot of damage to federal organizations.
This was the general feedback at our recent Federal User Meeting where Cryptzone invited many prominent security personnel to discuss the risks associated with network security, access controls and data. Here is a glimpse into some discussion points.
Securing the Network is Ever Changing
Risks change daily and one of the associated challenges with this is that security technology has gaps. Agencies need to constantly patch their systems, put controls in place and then test and monitor these to see what is working and what isn’t. Security is a constant requirement and with new threats from outsiders and insiders combined with requirements like the NIST framework, government agencies need to aggressively secure the network.
Is encryption enough these days? Many agencies and companies think their encryption policies are enough, but hierarchical encryption is when it starts to truly protect data. Why? Well if you can crack the outside encryption layer, you’ll still have multiple layers of encryption defense before accessing sensitive information. And even if you access one database, you won’t necessary be able to access others. You do not want a single view of data, instead you want a multi-layer defense with the ability to watch your critical data, monitor where it is going within and outside the agency. Together, you can improve your data security strategy.
Can Agencies Better Protect Themselves?
The resounding feedback throughout the event was ‘of course’. There is no one answer to security. But, the aim for all agencies is to ensure the security in place is as difficult to crack as it possibly can be. Threats will come from multiple places, but if you make it hard to get in, they’ll look for an easier victim. This also applies to systems outside your internal network. Ensure the people accessing your systems are doing everything they can do to protect themselves because every weak link is a weak link into your system.
The Risk Posed by Privileged Users
Who within your agency has a ‘god view’ of everything? That right there is a serious risk to the security of your network and data. One answer is to take away all privileges from users and wait and see what happens. They will let you know what they need to do their job. Based on this, you can grant access as and when a need arises. That however might not be a sustainable approach for most organizations. Every person has a mission to accomplish and that mission might change at a moment’s notice and be time sensitive. At the same token over-privileged users pose a significant threat so putting proper controls in place for privileged access is vital to an agencies security strategy.
What to do with Legacy Systems?
Legacy systems present a problem for most government agencies. These systems are still around because the information in these systems is still valuable and someone has determined the cost-effectiveness of keeping them alive. So how do agencies go about securing these legacy systems? Many of the IT decision makers find it easy to say lock these systems down; put a wall around it to secure it. The truth however, is locking it down completely isn’t the answer; people still need access to the information. Legacy system security needs to include access controls that take into consideration – who is using the system, when are they using it, how are they using it, what is the context in which they want access? Monitoring who is sharing information and what they are doing helps management make informed decisions on privileged access controls. It is an essential part of security because organizations need to share and protect information to help prevent risks.
You Cannot Transfer Risk
New challenges from the cloud and BYOD are a reality for many government agencies, but the important thing to remember is you cannot transfer risk. If data is stored in the cloud with a third-party provider and it is breached, it is still the responsibility of the agency.
If any of the above topics worry you (and they should), security solutions that help you guard the doors to your systems and protect the data stored within are an essential part of an IT security arsenal needed to keep an agency safe. To learn more about Cryptzone’s network security, privileged user access and securing data, visit our product pages. We help government agencies as part of a comprehensive strategy to protect critical systems and information.