You may have heard the phrase “this is a marathon, not a sprint” used when discussing important programs launched by organizations. That might be the case with some business initiatives, but it doesn’t necessarily apply to Federal IT.
Last year, when U.S. CIO Tony Scott called upon Federal agencies to take steps to protect information and improve network resiliency, he named the initiative the 30-day Cybersecurity Sprint. The directive implied that government IT, as currently constituted, was too beholden to outdated legacy systems and ineffectual security policies, and was woefully unprepared to manage today’s increasingly complex networks.
Mobility is a driving factor behind these challenges. The mobile Federal workforce is using thousands of devices with different operating systems to access Federal networks through multiple end points. Data is being retrieved and shared via the cloud, and is at risk both while in flight and at rest.
There seems to be little that you, as a Federal IT professional, can do to stop this rising tide. You, who are used to maintaining control over every system and application operating over your network, have had to adjust to a new reality.
But there is something you can do.
Software and Hardware’s First Line of Defense
First, take heart that there are a number of new software and hardware features that help mitigate persistent threats derived from mobile devices such as laptops and tablets. Today we have operating systems and processors that work together to deliver tamper-resistant, lock-down security that can help prevent suspicious activity and compromised data.
New operating system (OS) features include virtualization-based security capabilities that make it possible to isolate critical data from the OS and restrict access to certain areas of the software. This isolation can prevent someone from being able to remotely gain control of a specific device.
On the hardware side, processors have also gotten some upgrades: Software Guard Extensions can now be used by applications to set aside private regions of memory for code and data. Here, legitimate software can be housed inside of an enclave and protected from attacks.
Together, these solutions form a solid first line of defense for these end-point devices, but even this is not enough to adequately protect against threats caused by mobile proliferation. Software and hardware security must be accompanied by policies regarding the segmentation of data and users, and the application of basic, common-sense security principles.
Segmenting Data and Users
Strong, two-factor authentication policies are a must in today’s mobile and cloud-based environment. These policies should be based on the identification of high-value assets, classified by impact as high, medium, or low, with the strength of the required controls scaled to that classification. For example, data granted a “high” classification would receive the utmost level of security, and so on down the scale.
Segmenting users into role-based profiles is also an effective tactic. This can make it easier to identify and choose devices for each individual, and allow for greater control over that individual’s access privileges. This approach gives you back a measure of control over your workforce’s mobility, while still allowing workers to use mobile devices to their benefit.
Common-sense Security Principles
The alternative is to simply let users bring in the mobile devices of their choice, but that can set you up for some serious risks. While it’s becoming increasingly acceptable to allow users to bring these devices into their agencies, you should still make sure that:
- All devices are patched and include up-to-date software.
- The only data that can be accessed through the device is the data the user absolutely needs (and only agency-approved applications should be allowed).
- The device uses a modern operating system, such as iOS, Android, or Windows 10.
This is a pretty straightforward checklist, but it can make the difference between a device that’s safe and one that can introduce unwanted risks to your network. Thankfully, many of today’s laptop and tablet devices include authentication built into the hardware and operating system, which can help make developing and managing rules-based access much easier for you.
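The following is an added illustration of how the pieces above (impact classification, role-based profiles, the three-item device checklist, and classification-scaled authentication) combine into a single rules-based access decision. It is not code from the original article or from any agency; the asset names, roles, minimum OS versions, approved-app identifiers and the rule that "high" data needs a hardware-backed second factor are all constructed sample policy. The posture fields are the kind an MDM would report; no real MDM API is used.

```python
"""Tiered, rules-based access decision for a mobile endpoint.

Added illustration, not code from the original article. Every policy
table below is constructed sample data, not a real agency configuration.
"""
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class DevicePosture:
    os_name: str                 # "iOS", "Android", "Windows"
    os_version: tuple            # parsed version, e.g. (10, 0)
    fully_patched: bool          # patch status as reported by device management
    installed_apps: frozenset    # app identifiers as reported by device management
    hardware_backed_auth: bool   # authenticator bound to the device's hardware


@dataclass(frozen=True)
class AccessRequest:
    user_role: str
    mfa_verified: bool           # second factor already verified for this session
    asset: str
    device: DevicePosture


# --- constructed sample policy -------------------------------------------
# Asset classification by impact.
ASSET_IMPACT = {
    "public-forms": Impact.LOW,
    "case-notes": Impact.MEDIUM,
    "pii-records": Impact.HIGH,
}
# Role-based profiles: each role sees only the data it absolutely needs.
ROLE_ENTITLEMENTS = {
    "field-agent": frozenset({"public-forms", "case-notes"}),
    "records-officer": frozenset({"public-forms", "case-notes", "pii-records"}),
}
# "Modern operating system": minimum supported version per platform (constructed).
MIN_OS_VERSION = {"iOS": (15,), "Android": (12,), "Windows": (10,)}
# Agency-approved application identifiers (constructed).
APPROVED_APPS = frozenset({"gov.example.mail", "gov.example.vault"})


def device_findings(device: DevicePosture) -> list:
    """Return each checklist item the device fails; an empty list means compliant.

    The three items mirror the checklist: patched, approved apps only, modern OS.
    """
    findings = []
    minimum = MIN_OS_VERSION.get(device.os_name)
    if minimum is None or device.os_version < minimum:
        findings.append("unsupported-os")
    if not device.fully_patched:
        findings.append("unpatched")
    if not device.installed_apps <= APPROVED_APPS:
        findings.append("unapproved-apps")
    return findings


def auth_findings(impact: Impact, request: AccessRequest) -> list:
    """Authentication strength scaled to classification (constructed tiers)."""
    findings = []
    if impact >= Impact.MEDIUM and not request.mfa_verified:
        findings.append("mfa-required")
    if impact == Impact.HIGH and not request.device.hardware_backed_auth:
        findings.append("hardware-auth-required")
    return findings


def evaluate(request: AccessRequest) -> tuple:
    """Decide one request; return (allowed, list of denial reasons). Deny by default."""
    impact = ASSET_IMPACT.get(request.asset)
    if impact is None:
        return False, ["unknown-asset"]
    reasons = []
    # 1. Least privilege: the role must be entitled to the asset at all.
    if request.asset not in ROLE_ENTITLEMENTS.get(request.user_role, frozenset()):
        reasons.append("role-not-entitled")
    # 2. Device checklist applies at every tier.
    reasons.extend(device_findings(request.device))
    # 3. Authentication requirement grows with the asset's classification.
    reasons.extend(auth_findings(impact, request))
    return (not reasons), reasons


if __name__ == "__main__":
    # Constructed sample device: compliant tablet with a hardware-backed authenticator.
    tablet = DevicePosture("iOS", (16, 4), True, frozenset({"gov.example.mail"}), True)
    for role, asset in [("field-agent", "case-notes"),
                        ("field-agent", "pii-records"),
                        ("records-officer", "pii-records")]:
        allowed, why = evaluate(AccessRequest(role, True, asset, tablet))
        print(f"{role:16} -> {asset:12}: {'ALLOW' if allowed else 'DENY'} {why}")
```

The decision is deny-by-default and returns every failed rule rather than the first one, so the reasons can be logged as an audit record and fed back to the user or the device-management console. Changing a classification or a role profile only touches the policy tables, not the evaluation logic, which is the practical benefit of keeping the segmentation decisions separate from the device checks.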
It’s somewhat ironic that even though mobile usage has changed the way you handle many of your agency’s IT processes, managing security still comes down to a traditional combination of technology and policies. Today’s operating systems offer a powerful and unprecedented level of protection against mobile threats. When this technology meets sound, baked-in security policies, it creates an exceptional security posture that’s worth running toward.