After serving 45 years in Federal service, it still amazes me that cybersecurity is treated as an add-on, focused on preventing access to the network, rather than as an integrated part of the foundation, working at every level of our systems to protect the data.
We have said for decades that security can’t just be a bolt-on feature and that it needs to be considered as part of the architecture and foundation. Part of the problem is that security implementation is still way too hard. It is still treated by vendors as an option that has to be turned on and integrated, and the default is to install software without security turned on. This is just plain wrong.
This may have made sense years ago, when implementing full security for classified systems could consume 20 percent to 30 percent of your resources, which might not work for high-performance systems. Nowadays, the security impact tends to be 2 percent or 3 percent, and no CIO is going to risk their career by turning it off without a lot of thought.
We have also discovered that security is needed in virtually all systems to protect privacy, financial, and commercial data, not just classified government data. Systems should be installed with security options turned on by default. CIOs and system administrators should have to choose to turn off security.
Vendors also need to simplify security implementation, so that it is much more plug-and-play, based on major security categories. Start with an option for highly classified systems, based on the Security Technical Implementation Guides (STIGs); then government restricted; then financial; then health care/privacy and other; and last, give an option for NO security (not recommended). That is around five options, not thousands of variables.
Installations should start by looking for the Identity and Access Management (IDAM) software and then inheriting security settings from it. Then move on to Role Based Access Management/Attribute Based Access Controls (RBAC/ABAC). All systems should have Privileged User Management Access (PUMA) controls in place, and database administrators should be able to see data only by exception. We have to stop relying on edge protection at the network level and build security in at every level.
Data should be protected at rest as well as in flight by encryption and dynamic Virtual Private Networks (VPNs) at every level. Why do we continue to treat the network like an open party line that any device can listen in on? If the packet is not for you, then only the packet header should be visible, not all the data.
We also need continuous security monitoring that validates that the security is on and that it continuously meets security standards, not just when it is installed.
Security should also be baked in at the chip level, as Intel is starting to do. To make our systems secure and protect our digital futures we need to bake security in at all levels, simplify the installation and maintenance, and protect our data by default. Why do we build security so that it is so complex that almost no one can get it right? Remember the DVRs that constantly blinked the wrong time because few average people could figure it out? Now they install correctly by default and take the time from the power line. What we need is security for dummies, so that we can all get it right.
Let’s fix browsers so they are secure and can’t let in malware. Let’s stop the insider threat by limiting access and constantly monitoring usage. Let’s secure the Internet of Things (IoT) by building security into everything, including sensors, peripherals, devices, appliances, and vehicles.
My plea to vendors is “enough already”: Stop making security hard to implement and build it into the foundation of your systems. To government and commercial CIOs, start holding vendors accountable. If they do not build security into the DNA of their products, find a different vendor.
Always consider the cost of installing, maintaining, and operating your security as part of the total cost of ownership. How long are you going to keep your job if you have a major data breach? Don’t skimp on security; demand it as a starting point. It is time we all got serious about cybersecurity.
About the Author
Kenneth M. Ritchhart is vice president of Business Development & Strategic Planning at Oracle Public Sector.