It's easy to say that network security has evolved because hackers have become more sophisticated. But networks themselves have changed significantly, causing agencies to rethink how they protect themselves.
“There's a lot more access to government IT resources from outside the network,” says Simon Szykman, CIO of the Commerce Department. “You can look at it as the endpoints of the network moving outside the perimeter.”
Whether workers use mobile devices or telecommute — or they need to access information that resides in cloud systems or contractor-operated infrastructures — security solutions must go beyond firewalls and intrusion detection systems. “There's the need to protect the endpoints outside the network,” Szykman says. “Intrusion protection is no longer just a perimeter defense. There's now host-based protection that sits on the hosts themselves. And there's a need to protect information while it's in transit through encryption.”
Tony Sager, chief operating officer for the Information Assurance Directorate at the National Security Agency, says mobility presents a major challenge. “Having access to information empowers you to do things, but it also brings you into high-risk environments.”
Addressing the challenge requires deliberate, multidimensional planning. “You can't solve this problem at any one place,” Sager says. “It's not about building a secure iPad or iPhone. You have to think about the transport mechanism. Is it coming through the cell phone system? What handles it along the way? What about the back-end databases and infrastructure that allow us to manage all this and control it? You have to think through the whole lifecycle in order to give people the means to get what they want.”