Federal IT leaders discussed how their organizations are tackling the proliferation of endpoints on Federal networks at MeriTalk’s Cyber Security Brainstorm Thursday.
In particular, ever-increasing mobile connectivity is creating the potential for further headaches, but the officials advised that next-gen technologies and proper network and data governance offer ways to expand how employees work without compromising security at the network edge.
“Mobility is oftentimes the antithesis of security,” declared Col. Frank Snyder, chief of the Cyberspace Architecture and Capabilities division of the U.S. Army. “I would like to see greater control of devices at the terminal end. We have to be careful about those devices we allow to participate with our network.”
Neil Mazuranic, chief of the mobility capabilities branch of the Defense Information Systems Agency (DISA), hailed notable progress on that front. He’s seeing “rapid maturation of different ways in which we can monitor, control, and lock down devices.” That maturation extends beyond the device hardware and operating system to individual software applications and to network segmentation, he said.
DISA is working to introduce next-gen technologies that could redefine identity and access management. Mazuranic said the agency is looking into single sign-on and innovative multi-factor authentication techniques. Phones “with development right into the chip that measures everything from the way that you walk, to the way that you hold the phone, to the heat signature from your finger, to the angle at which you hold it” could soon be used to accurately verify a user’s identity, and could automatically disable themselves in the event of compromise, he said.
“We’re looking at a lot of these kind of next generation things, and we hope to push a lot of those out over the next year,” the mobility expert said.
Jeff Wagner, acting chief information security officer at the Office of Personnel Management, discussed the additional considerations that apply when a government website or service is public-facing. Data segmentation, rather than network segmentation, becomes more important when you can’t account for the security of a public user’s device.
“I have to account for the fact that the endpoint is insecure, so my governance and my focus is strictly around protection of data and data segmentation,” he said.
Mazuranic provided a developer’s perspective, cautioning that when securing endpoints, governance must be paired with clear standards and a clear strategy, or it can hamper the ability to deliver an appropriate capability.
Federal Deposit Insurance Corporation CIO Howard Whyte said that governance should center on actively managing risk at every moment. He said that can be compounded by bring-your-own-device policies, which FDIC has yet to approve.
But he said he’d like to get there. Whyte is working on improving FDIC’s security posture through virtualization, segmentation, and configurations that wall off data, making the status of a device a less pressing concern.
But devices supporting mission-critical functions can’t be neglected, said Snyder. “I would actually also be remiss if I didn’t take the chance to make a plug for the importance of ensuring and maintaining an IT budget sufficient to life-cycle replace your items as they become unsupported by maintenance of the future. That’s been historically a problem at least for the Army, probably for much of DoD.”
Mazuranic echoed Snyder’s later comments that advocated a “defense in depth” strategy, but Mazuranic also stressed the importance of “investing in your network so you’ve got the right sensors in the right places to detect the right data with really good analytics, so that those folks in those network operations centers will get those alerts, and the governance is in place, the techniques and procedures are in place, so they know what actions to take.”