A moat and castle approach to security is incongruent with today’s cloud environments, but this approach has still been widely used across the U.S. government, even as it moves more legacy systems to the cloud, and consolidates federal data centers as part of broader IT modernization initiatives.
The final Federal IT Modernization Report, released this week, recommends a multi-layered approach to security with increasing emphasis on application and data-level security, which will not only be more effective at protecting valuable information, but also remove barriers agencies face when adopting commercial cloud. Federal agencies say security challenges and immature procurement models are preventing them from adopting cloud, a key component of the IT modernization strategy.
“Current policy, agency prioritization, and associated investments prioritized through the budget process have emphasized perimeter network-based security protections,” the report says, calling these security implementations “well-intentioned” despite their negative effect on performance.
The government has required agencies to reduce their external connections to a target of 50 and route all traffic through this limited number of secure gateways. The resulting detour, known as the “network trombone”, degrades service performance while undermining the value proposition of distributed cloud architecture, the report says.
Along with being a barrier to commercial cloud adoption, the perimeter-based architecture is unable to “combat the full spectrum of advanced persistent threats.” The architecture includes a sensor suite, called EINSTEIN, which captures and analyzes network flow information, provides intrusion detection, and detects and blocks malicious activity through DNS sinkholing and email filtering.
In order to better equip the architecture to mitigate evolving threats, the report lays out a number of recommendations, including shifting security resources from lower-value assets to higher-value assets, and consolidating network and security service acquisitions, which will help smaller agencies get the managed security solutions they need. The IT modernization recommendations incorporate feedback from 100 companies and individuals, collected over a three-week public comment period.
“Significant contract duplication means that agencies award multiple contracts for similar goods and services, often leading to hundreds, if not thousands, of contracts for the same requirement with the same vendors,” the report notes. “Additionally, there are huge price variances for the exact same item, sometimes as much as 300 - 400 percent. Agencies work highly autonomously, with only occasional collaboration across organizations and little sharing of information, standards, and best practices. This degree of fragmentation, lack of common standards, and lack of coordination drives costly redundancies and inefficiencies in procurement actions, contracting vehicles, and customization of common information technology solutions.”
Another element of improving cybersecurity across agencies is accelerating the adoption of cloud-based email solutions, an initiative that is already underway and that the report says could minimize exposure to spear-phishing attacks while improving productivity. The Office of Management and Budget says that agencies that have moved to cloud-based collaboration experienced cost savings ranging from $500,000 for a smaller agency to $10 million per year for a larger agency such as the Department of Justice.
The 61-page report goes into detail around the IT modernization plans, breaking down priorities into 30-day, 60-day, 90-day and 180-day timelines. The plan is set to start taking shape on Jan. 1, 2018.