Federal CIOs Must Reframe Security Around Data, Access

An ambitious government IT push toward cloud, mobile and shared services stokes concerns about security challenges from insider threats and disappearing network boundaries.


WASHINGTON – In an era of cloud computing, increasing mobility and federal agencies outsourcing more functions to IT contractors, the traditional lines delineating a network perimeter have blurred beyond recognition, experts warn.

"I think best practices have to completely shift," Gus Hunt, operating partner at the private equity firm LLR Partners and the former CTO at the CIA, said this week at a government IT conference.

"We've entered into this world where there is no boundary," Hunt says. "The approaches which have gone at this in the past – of trying to protect the perimeter – are the ones that are actually failing in this case, because the perimeter doesn't exist and what constitutes an insider is also itself constantly changing."

In that fluid environment, a traditional security approach based on boundary defenses – what Hunt describes as "deeper moats, bigger sharks, sharper teeth, higher walls" – may have outlived its usefulness.


Officials at the highest echelons of government have been urging CIOs and security workers to move beyond approaching security as a compliance exercise and to focus instead on continuous monitoring, addressing the most pressing vulnerabilities and defending the most valuable targets on the network.

"In the past, we've been very kind of control-oriented and threat-oriented, rather than being much more outcomes and risk-based in thinking," says Ari Schwartz, senior director for cybersecurity programs at the White House National Security Council.

Schwartz touts the ongoing efforts at the White House to elevate cybersecurity as a national security priority and to advance security standards both for government agencies and operators of critical infrastructure in the private sector. In February, for instance, the White House unveiled its cybersecurity framework, a voluntary set of guidelines and best practices geared for firms operating in 16 sectors (such as IT and financial services) that the Department of Homeland Security identifies as vital to the nation's infrastructure.

Government Tech Transition an Exercise in Change Management

Within the government, the IT community is juggling multiple priorities and initiatives. In addition to the heightened focus on security, agencies are developing policies to mobilize their workforces and are being pushed into closer collaboration with service providers in the private sector.

Vendors pitch federal CIOs on the simplicity and ease of management that their service offerings can deliver, whether that's in the arena of software, platform or infrastructure. That can be an appealing prospect for cash-strapped agencies looking to do more with less and free up IT staff to focus on mission-oriented projects – but leaning more on an inherently fluid workforce also complicates the challenge of mitigating insider threats, according to Mary Ellen Seale, deputy director of the National Cybersecurity and Communications Integration Center at DHS.

"In the old days, you used to be able to know who your employees are, and those were the insiders," she says.

Looking ahead to 2020, when observers agree that the government will only become more reliant on third-party service providers, Seale sees more of a management challenge on the horizon than the simplification that vendors promise.

"It's going to actually be more complex," she says. "You're a CIO, as an example. You're going to really have to understand what you're getting in terms of services, what's that menu of services you're buying from a cloud service provider or an infrastructure service provider, and are they actually delivering?"


From a security perspective, Hunt urges IT leaders to focus on building controls that govern access to data. "That's what people are after," he says, calling data "the most critical commodity" within agencies.

Rather than build walls around data, he argues that security professionals must "imbue" the data itself with some level of controls. "No matter where it sits, no matter where it resides, that data is always under your control, as [you are] the author/generator/owner of that information," he says. "Then things begin to shift quite a bit."
