Federal CIOs have been working to overhaul and consolidate their agencies' data centers, but a new report suggests that security concerns loom large in that process.
In a survey of 300 federal IT managers, two-thirds of respondents indicate that they have security concerns about their data-center modernization efforts, which include reducing the total number of facilities, virtualizing machines and moving systems to the cloud.
Yet there appears to be a disconnect in their responses.
Feds May Be Overconfident
While 72 percent of the feds surveyed give themselves an "A" or a "B" in their security posture, substantial majorities report that their agencies don't incorporate security tactics such as mobile device management and network segmentation.
"It seems like a pretty high rating given the complexity of the task and the amount of change that's happening," says Adam Geller, vice president of product management at Palo Alto Networks, the security firm that underwrote the study.
"That seemed like a pretty high rating, but it was a self-assessment," Geller adds. "You get a little bit of grade inflation."
MeriTalk, the government IT consortium that published the study, labels the gap between the federal IT managers' self-evaluation and the absence of critical security measures a "perception-behavior paradox," though it credits the feds with outlining steps to improve their security posture down the road, including increasing spending and improving employee training.
The overhaul of federal data centers is very much on the mind of CIOs and their IT teams, which for the last five years have been working under a White House directive calling for a dramatic consolidation of federal data facilities. That initiative that aims to cut costs associated with hardware, real estate and energy consumption, while at the same time tapping into more efficient technologies like virtualization and the cloud.
But those efforts present a distinct set of challenges. Overall, 67 percent of the government IT workers polled express security concerns relating to their data center modernization efforts.
Top 2 SecurityThreats Involve Data Center Consolidation, Virtualization, Cloud
Nearly equal proportions say they worry about security issues associated with consolidation, virtualization and the cloud. In each of those areas, the feds' chief worry is advanced targeted attacks (ATAs) or advanced persistent threats (APTs), along with zero-day attacks.
Government systems tend to be high-value targets, Geller says, and are subject to sophisticated, highly focused attacks where the perpetrators single out an individual within the agency and send them a spoofed email with a malicious attachment.
"I might spend months trying to understand who the HR person is or who the finance person is within the organization," he says. Then the email will come, maybe carrying a PDF that purports to be a copy of a message the employee received announcing a delay in benefits, and asking the human resources worker for an explanation.
"Now you've got a landing point and you're on the network and you're establishing command and control," Geller says.
Those types of attacks are hard to defend against, in part because the emails generally are becoming more convincing, and employee training efforts only go so far, according to Geller.
"It doesn't mean education goes away, because you need people to be aware, but education itself won't close the door completely on human nature. And in human nature people are not generally looking to be suspicious," he says.
In that light, the study recommends that feds step up their use of "entry traps" to keep malware from infiltrating the network, and segmentation strategies to prevent malicious applications from moving across the data center.
While the ATA/APT threats top the feds' list of concerns in all segments of data center modernization, malware checks in as their No. 2 worry in the consolidation process; in virtualization, their secondary concern is denial-of-service attacks, and, in the cloud, it's unauthorized device access.
All the anxiety associated with the government's data center transformation presents a tidy opportunity for would-be government contractors in the private sector. In a time of flat or contracting budgets, 67 percent of the federal managers surveyed say they plan to boost cybersecurity spending in the coming year.
Among the areas the respondents identify as priorities for their agencies include antivirus and antimalware applications, firewalls and encryption for data in motion and at rest.