Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

5/4/2016
01:27 AM
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

The Balancing Act: Government Security In The Cloud

The cloud offers great opportunities and challenges to public sector security teams defending critical systems against advanced threats. These 7 strategies will help you avoid a worst-case scenario.

Like many of you, I was there at the birth of the cloud. I watched the evolution in the private sector and have supported adoption in the public sector, which is taking much longer, due to the time it takes government to innovate and implement new technology. Few government CIOs have been able to overcome this challenge.

Contrast that to the experience in the private sector, where cloud computing has resulted in in cost savings and increased efficiency for many industries. Early adopters’ ability to change and adapt quickly to the cloud fueled their success but that same process has stymied many large government IT organizations.

Opportunities and Blind Spots

For government, there is a great opportunity in having a common architecture that propels intelligence integration and big data analytics. It starts with the flow of intelligence from collectors, people, satellites and sensors into the cloud(s).  Authorized personnel with the right credentials can check out the applications from a library of applications to interrogate, analyze and enhance the data. Products can then be developed, hosted and consumed, with usage tracked for value. The integration that happens in the cloud is a tremendous value. But as this shift takes place, governments often find themselves in the middle of a balancing act trying to manage both cloud and legacy systems that remain.

Years ago, when my public sector organization was preparing for an external assessment, I wanted to ensure the two large enterprises received a minimum rating of excellent based on the criteria that had been established for the review. My director also wanted to know the outcome in advance of the inspection. I’ll call the two enterprises, Enterprise A and Enterprise B. As I pushed for compliance on Enterprise A the metrics improved, but at the same time, the metrics for Enterprise B dropped. I pushed for focus on Enterprise B, and voila, Enterprise B improved, however Enterprise A metrics worsened. The reason? The same manpower was responsible for patching both enterprises and could only keep up with one at a time.  At the time this was a very manual process. Lesson learned: managing risk, the continuous evaluation of the security posture of systems and the cloud, often use the same resources.

Vulnerabilities to the Persistent Threat

As more government organizations migrate to the cloud, the balancing act  of protecting, monitoring and testing thousands of legacy systems will increase, along with the advanced persistent threats from the bad guys -- nation-states, cyber criminals, and hacktivists. The threat is advanced, not because of technology but because of the way hackers perform reconnaissance, collect intelligence, and persistently go after very specific targets. Any organization touching the internet, including demilitarized zones (DMZs) that have not been compromised, will likely be compromised. Only the naïve believe they are impenetrable.

The Problem with Signature-based Technologies.

Legacy systems such as antivirus, firewalls, and intrusion detection systems face far more advanced threats now than when they were originally authorized to operate in the 2008 to 2010 time period. In 2008, these technologies were solid solutions for defense-in-depth strategies. However, the benefits no longer justify the cost, and public sector organizations will need to make trade-offs for a more modern platform that uses behavioral and heuristic signatures. Solutions for the threats faced today must also incorporate intelligence.

Budget and operational challenges

It’ no secret that government does not move quickly to implement new technology. The budget lifecycle is a long arduous process, typically 18 to 24 months. But in the real world, threats advance much faster, with little regard to the interval between a budget proposal, justification and its implementation. As a result, government security executives are put in the position of having to obtain approval for silos of capabilities that individually appear great at a given moment of time, but are hard and expensive to integrate and execute.

What’s more, especially for Security Operations Centers, (SOCs), the public sector needs a faster refresh rate to keep up with persistent threats because standard SOC technologies (IDS, AV, and firewalls) do not protect against new threats like 0-days or persistent threat actors. When you combine the issues of old or signature-based technologies and the unfortunate possibility that legacy system protection could be overlooked, the outcome could be devastating.  Here are 7 critical strategies and practices to avoid a worst-case scenario.

Follow the National Institute of Standards and Technology (NIST) guidance for continuously monitoring the security controls of the systems in operation. 

  1. Executive leadership must recognize that legacy systems and government clouds require robust and evolving protection. Measuring the security of both is critical.
  2. Deploying hosting security services in both the enterprise and cloud will make it easier for legacy systems to inherit the services and ensure that continuous monitoring is performed centrally.
  3. Within the SOC, develop a plan to protect legacy systems with a platform that can integrate signature-less (heuristic, behavioral) and signature tools.
  4. Allocate your resources wisely. Make sure you have both the manpower and technology, to cover both existing systems and the cloud.
  5. Analyze the effectiveness of your current SOC capabilities against the cost. Make sure you are getting the value you need and make trade-offs when necessary.
  6. Act with a sense of urgency and purpose. An 18 to 24 month budget cycle is too long to deliver adequate security capabilities against today’s threats.

 The cloud offers tremendous value for government, but only if organizations adopt measures that protect legacy systems and ensure that security solutions can defend against today’s advanced threats.

Related content:

Lance Dubsky, CISSP, CISM, is Chief Security Strategist, Americas, at FireEye and has over two decades of experience planning, building and implementing large information security programs. Before joining FireEye, he served as the Chief Information Security Officer at two ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...