Protecting data is not a simple task, especially when it comes to cloud computing environments. The pandemic accelerated a move to the cloud and now data is sprawled across multiple apps, networks, and endpoints outside the physical perimeter of organizations.
As a result of the move to the cloud and more people teleworking, traditional security tools have very little visibility or control over data. There are risks that come along with cloud environments and the use of personal devices, and a 2020 report found that 66% of IT professionals said that there have been more security incidents and requests due to telework.
For federal agencies, this issue should be top of mind. In 2021, the Biden administration issued a cybersecurity executive order, giving them a deadline to onboard a zero-trust architecture. That deadline is swiftly approaching: Guidance issued by the Office of Management and Budget asks U.S. agencies to comply with the five pillars established by the Cybersecurity and Infrastructure Security Agency’s zero-trust model by September 2024.
With the cloud comes complexity
Digital transformation happens quickly, which means that to stay secure, many agencies have quickly adopted additional security tools. In fact, according to a 2021 survey, the average organization has 76 security products deployed. But adopting individual point products to address individual security concerns creates unnecessary complexity.
In the case of cloud-delivered security, more products do not always mean better results. In fact, more products mean that IT and security teams don’t have the telemetry they need in one place. As a result, they must spend time and energy consolidating data that they could instead be focusing on security strategy and improving user experience.
To meet the OMB’s deadline and onboard a ZTA, agencies have to take a step back from their point-product approach that lingered from when products were deployed on premises, and build a three-pronged data security strategy:
1. Consolidate and modernize IT infrastructure
Cloud-based apps should be secured with cloud-based security tools. But if agencies are still using a patchwork of specialized tools, even if they are cloud-delivered, visibility and control will continue to be limited. With multiple point products, it’s harder to enforce consistent policies and determine if an attack is underway — both of which can lead to data breaches.
Instead, security tools should be consolidated into a single platform. This ensures that agencies minimize policy underlap and overlap. It also streamlines operations with a single management console, which creates a better experience for both administrators and end users.
2. Empower telework with adaptive access
Agencies shouldn’t have to trade off productivity when they adopt new security measures. As employees telework, agencies need to be able to protect data in environments they don’t control and empower productivity. This includes the ability to provide users access to the data and apps they need with continuous monitoring of their risk level.
In order to provide this kind of dynamic access, agencies need to make use of rich telemetry that can help them assess end-user behavior and endpoint risk. Agencies also need to keep track of how their sensitive data is being accessed and should be able to enforce policies that track risk along with data sensitivity.
These are the key tenets of zero trust: the idea that no entity (user, device, or network) should be trusted, and that each needs to be continuously verified as you provide your users with access to your apps and data.
3. Have a fine-grained approach to data security
Agencies should not take a simple allow-deny approach to data access. In addition to taking an adaptive approach to users and endpoints, they need to look at the data itself to provide fine-grained and dynamic access to its users. Granular actions like turning off downloading, redacting keywords or watermarking can be automated.
It’s also critical for agencies to maintain control over their data, even when it leaves their infrastructure. Sensitive data should be protected when it leaves an agency’s sphere of influence. By proactively encrypting data and requiring additional authentication, agencies can prevent unauthorized users from accessing data even if it’s accidentally leaked or purposefully exfiltrated.
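The adaptive, fine-grained access described in steps 2 and 3 can be sketched as a policy function that is re-evaluated on every request and returns a set of controls rather than a bare allow or deny. This is an added example, not code from the author or any product; the risk levels, sensitivity labels, thresholds and action names are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass

# Constructed scales and thresholds: assumptions for illustration only.
RISK = {"low": 0, "medium": 1, "high": 2}
SENSITIVITY = {"public": 0, "internal": 1, "restricted": 2}

@dataclass(frozen=True)
class Request:
    user_risk: str    # from user-behavior telemetry
    device_risk: str  # from endpoint telemetry
    sensitivity: str  # classification label on the data

def decide(req):
    """Return the controls for one request; call again on every access."""
    if (req.user_risk not in RISK or req.device_risk not in RISK
            or req.sensitivity not in SENSITIVITY):
        return {"deny"}  # unknown telemetry or label fails closed
    risk = max(RISK[req.user_risk], RISK[req.device_risk])
    sens = SENSITIVITY[req.sensitivity]
    if sens == 0:
        return {"allow"}
    if risk == 2 and sens == 2:
        return {"deny"}
    actions = {"allow"}
    if risk >= 1:
        actions |= {"disable_download", "watermark"}
    if risk + sens >= 3:
        actions |= {"redact_keywords", "step_up_auth"}
    if sens == 2:
        actions.add("watermark")
    return actions

def render(text, actions, keywords, viewer):
    """Apply the content-level controls; None means nothing is shown."""
    if "deny" in actions:
        return None
    if "redact_keywords" in actions and keywords:
        pattern = re.compile("|".join(map(re.escape, keywords)), re.IGNORECASE)
        text = pattern.sub("[REDACTED]", text)
    if "watermark" in actions:
        text += f"\n-- viewed by {viewer}"
    return text

if __name__ == "__main__":
    doc = "Contract ALPHA-7 budget"  # constructed sample
    for device in ("low", "medium", "high"):  # same user, changing endpoint risk
        acts = decide(Request("low", device, "restricted"))
        print(device, sorted(acts), repr(render(doc, acts, ["alpha-7"], "jdoe")))
```

Running it shows the same user's access to the same document tightening from watermark-only, to redacted with downloads disabled, to denied as the endpoint's risk rises.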
Simplify security to achieve zero trust
A unified solution provides agencies centralized security insights and the ability to enforce dynamic policies. It also provides rich telemetry on users, endpoints and the sensitivity of data, ensuring that you can support remote productivity without putting sensitive data at risk.
With the OMB’s September 2024 deadline looming large, federal agencies need to embrace a unified approach to security to achieve a zero-trust architecture. Building a hodgepodge security solution from multiple tools is no longer feasible.
Tony D’Angelo is vice president, public sector at Lookout, a provider of integrated, endpoint-to-cloud cybersecurity services.
This article is an Op-Ed and the opinions expressed are those of the author.