Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

5/4/2016
01:27 AM
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

The Balancing Act: Government Security In The Cloud

The cloud offers great opportunities and challenges to public sector security teams defending critical systems against advanced threats. These 7 strategies will help you avoid a worst-case scenario.

Like many of you, I was there at the birth of the cloud. I watched the evolution in the private sector and have supported adoption in the public sector, which is taking much longer, due to the time it takes government to innovate and implement new technology. Few government CIOs have been able to overcome this challenge.

Contrast that to the experience in the private sector, where cloud computing has resulted in in cost savings and increased efficiency for many industries. Early adopters’ ability to change and adapt quickly to the cloud fueled their success but that same process has stymied many large government IT organizations.

Opportunities and Blind Spots

For government, there is a great opportunity in having a common architecture that propels intelligence integration and big data analytics. It starts with the flow of intelligence from collectors, people, satellites and sensors into the cloud(s).  Authorized personnel with the right credentials can check out the applications from a library of applications to interrogate, analyze and enhance the data. Products can then be developed, hosted and consumed, with usage tracked for value. The integration that happens in the cloud is a tremendous value. But as this shift takes place, governments often find themselves in the middle of a balancing act trying to manage both cloud and legacy systems that remain.

Years ago, when my public sector organization was preparing for an external assessment, I wanted to ensure the two large enterprises received a minimum rating of excellent based on the criteria that had been established for the review. My director also wanted to know the outcome in advance of the inspection. I’ll call the two enterprises, Enterprise A and Enterprise B. As I pushed for compliance on Enterprise A the metrics improved, but at the same time, the metrics for Enterprise B dropped. I pushed for focus on Enterprise B, and voila, Enterprise B improved, however Enterprise A metrics worsened. The reason? The same manpower was responsible for patching both enterprises and could only keep up with one at a time.  At the time this was a very manual process. Lesson learned: managing risk, the continuous evaluation of the security posture of systems and the cloud, often use the same resources.

Vulnerabilities to the Persistent Threat

As more government organizations migrate to the cloud, the balancing act  of protecting, monitoring and testing thousands of legacy systems will increase, along with the advanced persistent threats from the bad guys -- nation-states, cyber criminals, and hacktivists. The threat is advanced, not because of technology but because of the way hackers perform reconnaissance, collect intelligence, and persistently go after very specific targets. Any organization touching the internet, including demilitarized zones (DMZs) that have not been compromised, will likely be compromised. Only the naïve believe they are impenetrable.

The Problem with Signature-based Technologies.

Legacy systems such as antivirus, firewalls, and intrusion detection systems face far more advanced threats now than when they were originally authorized to operate in the 2008 to 2010 time period. In 2008, these technologies were solid solutions for defense-in-depth strategies. However, the benefits no longer justify the cost, and public sector organizations will need to make trade-offs for a more modern platform that uses behavioral and heuristic signatures. Solutions for the threats faced today must also incorporate intelligence.

Budget and operational challenges

It’ no secret that government does not move quickly to implement new technology. The budget lifecycle is a long arduous process, typically 18 to 24 months. But in the real world, threats advance much faster, with little regard to the interval between a budget proposal, justification and its implementation. As a result, government security executives are put in the position of having to obtain approval for silos of capabilities that individually appear great at a given moment of time, but are hard and expensive to integrate and execute.

What’s more, especially for Security Operations Centers, (SOCs), the public sector needs a faster refresh rate to keep up with persistent threats because standard SOC technologies (IDS, AV, and firewalls) do not protect against new threats like 0-days or persistent threat actors. When you combine the issues of old or signature-based technologies and the unfortunate possibility that legacy system protection could be overlooked, the outcome could be devastating.  Here are 7 critical strategies and practices to avoid a worst-case scenario.

Follow the National Institute of Standards and Technology (NIST) guidance for continuously monitoring the security controls of the systems in operation. 

  1. Executive leadership must recognize that legacy systems and government clouds require robust and evolving protection. Measuring the security of both is critical.
  2. Deploying hosting security services in both the enterprise and cloud will make it easier for legacy systems to inherit the services and ensure that continuous monitoring is performed centrally.
  3. Within the SOC, develop a plan to protect legacy systems with a platform that can integrate signature-less (heuristic, behavioral) and signature tools.
  4. Allocate your resources wisely. Make sure you have both the manpower and technology, to cover both existing systems and the cloud.
  5. Analyze the effectiveness of your current SOC capabilities against the cost. Make sure you are getting the value you need and make trade-offs when necessary.
  6. Act with a sense of urgency and purpose. An 18 to 24 month budget cycle is too long to deliver adequate security capabilities against today’s threats.

 The cloud offers tremendous value for government, but only if organizations adopt measures that protect legacy systems and ensure that security solutions can defend against today’s advanced threats.

Related content:

Lance Dubsky, CISSP, CISM, is Chief Security Strategist, Americas, at FireEye and has over two decades of experience planning, building and implementing large information security programs. Before joining FireEye, he served as the Chief Information Security Officer at two ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
'BootHole' Vulnerability Exposes Secure Boot Devices to Attack
Kelly Sheridan, Staff Editor, Dark Reading,  7/29/2020
Average Cost of a Data Breach: $3.86 Million
Jai Vijayan, Contributing Writer,  7/29/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15109
PUBLISHED: 2020-08-04
In solidus before versions 2.8.6, 2.9.6, and 2.10.2, there is an bility to change order address without triggering address validations. This vulnerability allows a malicious customer to craft request data with parameters that allow changing the address of the current order without changing the ship...
CVE-2020-16847
PUBLISHED: 2020-08-04
Extreme Analytics in Extreme Management Center before 8.5.0.169 allows unauthenticated reflected XSS via a parameter in a GET request, aka CFD-4887.
CVE-2020-15135
PUBLISHED: 2020-08-04
save-server (npm package) before version 1.05 is affected by a CSRF vulnerability, as there is no CSRF mitigation (Tokens etc.). The fix introduced in version version 1.05 unintentionally breaks uploading so version v1.0.7 is the fixed version. This is patched by implementing Double submit. The CSRF...
CVE-2020-13522
PUBLISHED: 2020-08-04
An exploitable arbitrary file delete vulnerability exists in SoftPerfect RAM Disk 4.1 spvve.sys driver. A specially crafted I/O request packet (IRP) can allow an unprivileged user to delete any file on the filesystem. An attacker can send a malicious IRP to trigger this vulnerability.
CVE-2020-15943
PUBLISHED: 2020-08-04
An issue was discovered in the Gantt-Chart module before 5.5.4 for Jira. Due to a missing privilege check, it is possible to read and write to the module configuration of other users. This can also be used to deliver an XSS payload to other users' dashboards. To exploit this vulnerability, an attack...