It's time for the public sector to move past the password. Federal IT professionals and government as a whole continue to struggle with security, and although the public sector has made tremendous strides to enhance and strengthen cybersecurity, effects of recent incidents at agencies from IRS to OPM are still being felt throughout government.

There's a light at the end of the tunnel, however, and we're moving towards it. During the course of Federal CIO Tony Scott's 30-day cyber sprint, significant progress was made in terms of improving authentication methods and privileged access management. In fact, numerous agencies were able to reach 100 percent compliance for authentication goals set for privileged users.

Though this progress is promising, two-factor authentication is simply not enough, and other elements of identity and access management (IAM) and privileged access management must be integrated if the government is to better position itself to mitigate the risk of cyber breach. Government understands the need to continue efforts started by the Sprint, and is launching follow-up initiatives like the Cybersecurity Strategy Implementation Plan (CSIP). A holistic approach to security will be necessary to fully meet these goals, and this needs to start with a focus on IAM.

In a recent Dell Software security survey, 50 percent of federal respondents indicated they depend on at least six different login/password combinations to do their job. Considering that respondents also identified employees finding workarounds to avoid IT-imposed security measures as a top concern, it is clear that an excess of passwords both impacts productivity and creates unnecessary risk for federal agencies. If security is too burdensome, users will find ways to opt out, exposing vulnerabilities hackers can exploit.

Agencies need to take two-factor authentication a step further with a robust approach to IAM — one that takes context into account. If government is to further strengthen its security posture, static processes must be replaced by an adaptive approach to security. Context-aware security can help balance the right level of security and employee productivity by reducing the overuse of multiple passwords and mismanagement of access, instead focusing on the context of the request to ensure access is appropriate in real time.

The benefits of context-aware security are numerous. In fact, if a federal agency were to implement a context-aware approach, replacing traditional, static access processes, 97 percent of federal respondents in the same Dell survey indicate they would see benefits, including the ability to address changing security needs in real time, assess threats based on potential level of harm and gain visibility into the context when assessing risk. Without context-aware security, respondents anticipate challenges within their organization, including difficulty quickly addressing changing security needs and unnecessary impacts on employee productivity.

Context-aware security is critical to create a more secure IT environment, but agencies can't stop there. They need to approach security holistically, focusing on a broad range of efforts from immediately patching vulnerabilities and deploying indicators to scan systems and check logs for cyber activity, to taking advantage of next-gen firewalls. Similarly, the move beyond two-factor authentication and privileged password management needs to extend to actual privileged session management, incorporating the ability to replay sessions in which privileged accounts are used, improving incident resolution and forensics.

Though cyber threats cannot be eliminated, they can be more effectively managed. As our world becomes increasingly hyper-connected, agencies need to be on guard 24/7/365 to thwart today's security threats. Moving forward, adaptive, holistic, end-to-end security is the name of the game.

Paul Christman is vice president of federal for Dell Software.
