Protecting data has always been a core objective, but doing so has become much more challenging since the advent of the cloud. Today, applications and infrastructure are routinely hosted in the cloud, away from the control of federal CIOs. As such, the protective perimeter that once existed around agency data has given way to a boundaryless environment in which data is widely distributed, dynamic and difficult to contain and protect.
This massive data sprawl is creating fundamental problems for cybersecurity managers. First, it’s hard to defend against what you can’t see, and highly dispersed data creates a lack of visibility.
Second, traditional security technologies — firewalls and endpoint protection solutions, for example — are not as effective in this environment, considering the fact that they were primarily designed to protect a perimeter that no longer exists and keep people away from data. Today’s agency employees need access to information, uninhibited by cybersecurity controls, to ensure the success of their missions.
All of this adds up to a rich landscape for potential exploitation. Adversaries don’t see confusion; they see opportunities at intersection points where employees interact with data as it passes between their on-premises and hosted environments.
Employees Are the First Line of Cybersecurity Defense
The upshot of all of this is that just as we have evolved from exclusively on-premises infrastructures to cloud-based ones, so must agencies now make the next leap in cybersecurity. Government organizations would do well to shift their focus away from the security architectures they’ve used for years and move their efforts toward their own people. In a perimeterless world, employees can be the ultimate bulwarks that stand between hackers and their agencies’ data.
People are the beating heart of every organization, but they’re particularly important to federal agencies. People are the instigators of innovation, necessary cogs in the wheels that drive agencies forward, but they need access to information, nearly at machine speed, to accomplish their goals.
Therein lies the rub. How do you protect data without inhibiting access, especially when that data is in the cloud, beyond your immediate control?
One way is by adopting a more targeted and personalized approach to cybersecurity than traditional measures were ever designed to accommodate. Instead of focusing on implementing more perimeter defenses, agencies need to begin focusing on their users’ actions and behaviors, particularly as they pertain to their interactions with sensitive information.
Why an Automated, Risk-Adaptive Approach to Security Works
People tend to behave in very predictable ways. An average federal worker might come into work every day, sit at his or her computer, check email, and access the same files and information. This is all very normal, all very stable.
A change in that pattern can indicate that something is wrong. Perhaps the employee’s credentials have been compromised. Whatever the case, it’s incumbent upon the agency’s security team to respond in a targeted manner that ideally does not impact the work of other employees.
This is possible through what’s known as a risk-adaptive approach to security. In this scenario, employees are evaluated and assigned a baseline score for their own “normal” behavioral patterns.
They’re then monitored for any deviation from this baseline. A deviation triggers an alert that security administrators can react to quickly as well as a relevant automated enforcement response based on the anonymized digital identity’s elevated risk score.
Based on a deviation in behavior patterns, security teams know exactly where the problem lies and can focus automated or manual enforcement efforts on observing or blocking specific activities based on the level of risk the activity represents.
This is far different from the “zero trust” proposition that traditional security solutions typically offer. Traditional solutions aren’t exactly subtle. They tend to slam the door for the entire organization, and when someone is compromised or makes a mistake, everyone pays. Operations are curtailed, security policies are changed and employees get frustrated — causing them to find workarounds that not only lead to friction between IT and an agency’s users but can also compromise data security.
An automated risk-adaptive approach is the better option. Automation increases the speed of determinization and requires less human interaction. Monitoring each user’s behavioral patterns — and streamlining managers’ response to only those incidents that exhibit anomalies in baseline patterns — can keep systems secure without penalizing everyone. In many ways it is delivering a one-to-one security model versus the one-to-many approach commonly used today.
That’s important, because everyone is different. There may be instances where employees regularly require access to sites or technologies that are not typically authorized, for example. Security needs to be more personalized, both to be more effective and to allow people to work in today’s environment.
Feds Are at a Cybersecurity Crossroads
That environment has led us to a crossroads in our cybersecurity journey. Traditional security measures still have their place in today’s world, but at the same time we can no longer simply put up a firewall to defend our agencies’ infrastructures. We must find new ways to protect data, wherever it exists.
People are the most sensible solution. After all, the data is literally in their hands. By focusing their security efforts on monitoring user behaviors, agencies can effectively enlist users in the fight to protect that data. In doing so, they can turn the users that hackers may see as a vulnerability into their organization’s greatest cybersecurity assets.