Government Infrastructure Security Management

Part 3

Custom supplement to Federal Computer Week

GOVERNMENT INFRASTRUCTURE SECURITY MANAGEMENT

  • Security Starts With You, page s2
  • What Your Endpoint Security Management Software Should Do, page s5
  • 8 Keys to Securing Your Mobile Workforce, page s6
  • The Security Roadmap, page s8


Security Starts With You

Security is one of the only endeavors where success is measured by nothing happening. And that nothing starts with you. For the professionals in charge of government security management, being proactive is a way of life.

As managers, they lead their organization's efforts on a variety of fronts. It starts with authenticating staff and contractor identities so they can access agency sites, systems and networks.

At the same time, these managers must make sure data is secure both in motion and at rest, which calls for stronger physical and logical authentication and for encryption standards and procedures. This translates into security policies and governance procedures that must work with an increasingly mobile workforce.

Further, in a world where information sharing is becoming the norm rather than the exception in government, authentication and security for machine-to-machine communications is paramount. And, of course, these security managers must protect the network.

The Goal Is Better IT Security

Now, as the transition to new leadership grows closer, there is more and more focus on who is going to provide the strong executive leadership and vision that supports CIOs and CSOs on IT security issues. The government is finally responding to the cyber threat with a major infusion of funding for cyber security efforts. Cyber security is now a major initiative in intelligence, with DHS taking the lead.

If you were able to talk with security pros off the record during a networking reception, here is a sample of what you might hear them talking about.

You might hear them talking about needing a better understanding of what identity management really means. After all, sound security starts with sound identity management practices. You might hear an idea such as that identity management could mean finding 10 attributes that can be shared across the community, so that they become the universal core of focus. You might get advice not to focus on the ID management piece, but to focus on the business of establishing identity and then working the standards, which in turn causes your agency to deal with the ID management piece. The key to making that work is to separate the idea of identity from personas: use the attributes to establish a universal core, then make rules about how to handle the attributes.

At conference after conference, government security leaders have talked about how our governance model creates tension between access and security, and about the lack of tools and technologies that make security seamless. That is where identity management has to be the foundation. You need to know who is on your network, which takes strong authentication. Once you have that, you can move on to network access by attribute and other network access control activities. The CAC is progress; it is a foundational element, but governance and identity management are the keys.

TIC and CAC

You would certainly hear talk of the Trusted Internet Connections (TIC) initiative: OMB has mandated that agencies quickly reduce the number of their Internet connections, and reduction plans are in progress. You would hear about the need for stronger governance when it comes to security issues. You can have all the HSPDs and NIST standards you want, but it still comes down to implementation.

continued on page s4


Security Starts with You, continued from page s2

They would also talk about training and the need for more and better education on how to use the CAC, and about finding ways to make security seamless across all agencies. They would talk about having a better infrastructure that builds in a more secure physical and logical access solution. They would talk about recent OMB FISMA guidelines and NIST C&A guidance, and about how government is doing a better job on C&A and identifying risks, with FISMA scores also improving in some cases. You might also hear them say industry is doing a better job of taking government requirements in house and "working the issues".

Protect The Data First

But you would also hear them talk about barriers that still exist because some in senior management do not view cyber security as a national security threat, despite the hacking and the increased investment in cyber security. You would hear them talk about the need for even better encryption for laptops. Theft of laptops and unauthorized remote access are two mobile workforce issues that must be dealt with. Encryption is a big issue, especially with telework. Privacy is also big, along with web application security.

There also might be talk of how effective HSPD-12 really is, what agencies are really supposed to do, and whether there is a plan. Many look to GSA. It could be years before the card is used for both physical and logical access control and its benefits are realized. Finally, you might hear them talk about the ever-present need for more funding for specific security issues and needs.

The fact is: there is an evolution happening from protecting networks first to protecting the data first. The new administration needs to focus security on the data. People need to get serious and make sure data is not compromised if a machine disappears. Some would say that we need to radically adjust our thinking, because within the next five years data will become the center of gravity for operations and networks won't be that important. The new concept could be that the data center is not a data warehouse but the center of computing. It is in the data center that the transactions of government will be taking place. And proactively securing that data will be the security manager's number one priority then, as it is now. ❑

Manage the risk

Security risk is the likelihood that something bad will happen that causes harm to an information asset (or the loss of the asset). A manager's role in managing risk depends on his or her organizational responsibility. IT infrastructure managers have a different role than finance managers. But both need to engage in some level of organizational risk assessment of one or more of the following (the control areas of ISO/IEC 27002):
• Security policy
• Organization of information security
• Asset management
• Human resources security
• Physical and environmental security
• Communications and operations management
• Access control
• Information systems acquisition, development and maintenance
• Information security incident management
• Business continuity management
• Regulatory compliance

Managers should identify the value of the IT and information assets that might be affected. Then a threat and vulnerability analysis should be conducted to identify the potential effect of an occurrence and the probability of that occurrence; this analysis should rely on both quantitative and qualitative measures. Finally, risk mitigation controls should be identified and implemented in proportion to the cost and potential severity of the risk. Managers can accept, mitigate, transfer or, in some cases, avoid the risk. These decisions should be made in concert with a multidisciplinary team that includes finance, IT and security specialists. Security risk management is not a one-time process: ongoing review of identified risks and periodic assessment of potential new risks are essential.


What Your Endpoint Security Management Software Should Do

There are lots of security-related tasks and not a lot of people to do them. That is a strong case for investing in as much automation as possible to manage and perform everything related to endpoint data protection. Many of these security requirements can be met using COTS solutions designed to mitigate evolving threats and enable compliance. COTS solutions are also available for the mandated encryption of sensitive and classified data.

So, what are some other areas where you should look for automated help, in addition to securing your endpoints? Look no further than:
• Secure digital communication: protecting mission-critical data sent over high-speed WANs as well as remote access VPNs.
• Secure login and authentication: providing authorized users with secure access to sensitive information, applications and facilities while keeping the bad guys out.
• Application security solutions: providing the security foundation for mission-critical applications. This includes PDF software that supports electronic delivery options such as certified documents, multistep digital signatures and rights management.

The Evolving Endpoint

Defending the network perimeter has always been at the core of an organization's security strategy, and the endpoint is part of that perimeter. Today the endpoint is no longer the desktop or even the laptop. For today's mobile workforce, portable mass media (flash drives, cell phones, BlackBerrys, memory sticks and PDAs) represents the next generation of endpoints, and new opportunities for data loss, introduction of malware and data theft. So, while fortifying the outer barriers of the network remains a vital component of overall enterprise security efforts, it is no longer an effective last line of defense.

Security managers are equipping themselves with solutions designed to protect against attacks on PCs, laptops, servers and portable mass media endpoints. They are shifting their enterprise endpoint security efforts to address today's realities by taking a proactive approach and developing a clear, in-depth policy regarding the use of devices within the enterprise. And they are deploying software to support these policies, so that they stay ahead of their endpoints no matter how frequently those endpoints evolve.

Blacklist or Whitelist?

Take all the known threats and create your blacklist. That is how signature-based anti-virus software and intrusion detection systems work, and it is why they require constant updating. You can do the same with device use. But every day a new device comes on the market. Keeping an up-to-date blacklist is tough; some might say impossible.

You could do the opposite: create a whitelist. Your whitelist is a pre-defined list of devices or applications that are allowed to run on enterprise hardware, with everything else blocked by default. This approach spares administrators the laborious task of maintaining blacklists of all known devices. According to security provider Lumension, "while blacklisting only accounts for devices that a company knows it wants to deny, the whitelist approach prevents even unknown devices from harming the network. With a blacklist-based solution, any device that is not continued on page s7



8 Keys To Securing Your Mobile Workforce

You've got a mobile workforce, and they are going to carry data with them. Here are 8 things you can do to get them to work securely.

1. Embrace The Technologies, They Are Here To Stay

There are the smart phones, the PDAs, the BlackBerry and the iPhone. They have become indispensable. At the same time, removable storage media is at the center of a variety of new ways to share and use information, from the small cards used in PDAs and cameras, to the thumb drives used to move files between PCs, to personal entertainment devices such as iPods, which may have as much as 160 gigabytes of storage capacity. Most personal media devices can be connected to a PC via USB. They are going to be used to access agency resources, and new devices will be continually introduced. So who is going to have access? Are you going to blacklist or whitelist devices?

2. Establish Realistic, Workable Governance Policies

Make a case for workable device and application control policies that establish what devices and applications can be used, by whom, when, and how. Flexibility is needed to embrace the personal devices that have become the way users personalize how they work and share data. Management buy-in is essential to succeed. Communicate with stakeholders.

At the same time, establish a new security policy, or modify an existing one, to encompass any new authentication system. It should include policies on remote access by all parties: employees, contractors, business partners and customers. It should also cover user privileges; encryption; password and privacy guidelines; and e-mail and instant messaging practices. Done this way, the impact on end users and infrastructure alike is likely to be minimal. Once policies are developed, tuned and communicated, they must be enforceable. If you don't already have an enforcement plan for your security policy, develop one. Enforcement practices should detail what happens when individuals fail to comply with company policies.


3. Encrypt, Encrypt, Encrypt

If information must remain encrypted whenever it is at rest, nearly all forms of removable media can support that. Some encryption mechanisms can tie individual users directly to the data and/or to the media itself, preventing anyone else from using it. When this type of device management is paired with application control, you are not only securing the device itself but also preventing those devices from launching dangerous executables that may endanger your data. Encryption can be used in conjunction with enforcement: if you can track who had confidential data and how they used it, and be assured that they could not share it outside the enterprise, that fulfills the need for the comprehensive audit trail that may be required.

4. Employ Two Factor Authentication

Usually, two-factor authentication involves "something you have," such as a CAC, and "something you know," such as a PIN or password. Most two-factor authentication products authenticate users of remote access solutions such as VPNs, Citrix applications, Webmail, Outlook Web Access and other Web applications, plus Windows and Unix log-ins, for comprehensive identity and access management.

5. Educate Staff

Educate staff on the new security technologies and processes. Keep in mind that remote users are likely to need more extensive training than employees who work in your office facility. Make sure everyone understands that remote workers face greater risks from security threats.

6. Maintain Your Identity and Access Management (IAM) System

Keep track of vulnerability assessments, backup requirements, and comprehensive incident response, disaster recovery and COOP plans.
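As an added example (not code from the supplement or from any vendor it cites), the following Go program shows one way to realize "tying users to the data and to the media itself" from item 3: a per-media key is derived from the user's key and the media serial number, and the user identity and serial are also bound to the ciphertext as AES-GCM associated data. The user key, the identifier jdoe@agency.gov and the serial numbers are constructed stand-ins; in practice the user key would come from the CAC or the IAM system.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// deriveMediaKey binds a user's root key to one specific piece of media by
// mixing the media serial number into the key with HMAC-SHA256. Data sealed
// under this key cannot be opened with the same user key on a different device.
// The user key is assumed to be supplied by the CAC or IAM system; in this
// example it is a constructed 32-byte value.
func deriveMediaKey(userKey []byte, mediaSerial string) []byte {
	mac := hmac.New(sha256.New, userKey)
	mac.Write([]byte("removable-media-v1|" + mediaSerial))
	return mac.Sum(nil) // 32 bytes, used as an AES-256 key
}

// Seal encrypts plaintext with AES-256-GCM. The user identifier and media
// serial are authenticated as associated data, so the ciphertext also fails to
// open if either label is changed, even though both travel in the clear.
func Seal(userKey []byte, userID, mediaSerial string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(deriveMediaKey(userKey, mediaSerial))
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per file is essential: GCM nonce reuse under one key
	// destroys both confidentiality and integrity.
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	aad := []byte(userID + "|" + mediaSerial)
	// Output layout: nonce || ciphertext || GCM tag.
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...), nil
}

// Open reverses Seal. Any mismatch in key, user, media or content yields an
// error rather than garbage, which is what "tied to the media" should mean.
func Open(userKey []byte, userID, mediaSerial string, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(deriveMediaKey(userKey, mediaSerial))
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(userID+"|"+mediaSerial))
}

func main() {
	userKey := make([]byte, 32) // constructed stand-in for a key from the CAC/IAM system
	if _, err := io.ReadFull(rand.Reader, userKey); err != nil {
		panic(err)
	}
	sealed, err := Seal(userKey, "jdoe@agency.gov", "USB-SN-0001", []byte("FOUO roster"))
	if err != nil {
		panic(err)
	}
	if pt, err := Open(userKey, "jdoe@agency.gov", "USB-SN-0001", sealed); err == nil {
		fmt.Printf("same media: %q\n", pt)
	}
	// The blob copied to another thumb drive: the serial differs, so the key differs.
	if _, err := Open(userKey, "jdoe@agency.gov", "USB-SN-0002", sealed); err != nil {
		fmt.Println("other media:", err)
	}
}
```

Copying the sealed file to a second drive changes the serial, so Open returns an authentication error rather than plaintext, and the same happens if the user label or a single ciphertext byte is altered. Whole-disk products do the same binding with hardware identifiers and a key escrowed for recovery; this example omits escrow, so losing the user key means losing the data.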


7. Choose A Good Authentication Solution

Things to look for are: ease of installation and use; low TCO; scalability; web-based self-enrollment capability; the ability to manage user information with existing Microsoft tools; no additional software needed on the client's workstation; minimal impact on end users; and a system that does not require altering user behavior in order to achieve a successful log-on.

8. Taking It A Step Further With Digital Signatures

Digital signatures are much more difficult to imitate or forge than handwritten ones, because a valid signature can only be produced with the signer's private key and is verified against the signer's public key, which authenticates the identity of the sender or signer of an electronic document. Digital signatures also provide assurance that the content of an electronically delivered message or document hasn't been altered since it was signed. ❑

Sources: Lumension, Adobe, Ziff-Davis
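Items 4 and 8 both rest on the same primitive: a signature that only the holder of a private key can produce. The Go program below is an added example, not part of the supplement or of any product it names. A Card type stands in for a smart card that signs only after the correct PIN is presented (something you have plus something you know); a server-issued random challenge is signed for logon, and the same key signs a document so that any alteration is caught on verification. The card, the PIN 1234, the three-try lockout and the purchase-order text are all constructed for illustration; a real CAC holds the key in hardware and the relying party verifies against the card's certificate rather than a bare public key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Card is a software stand-in for a smart card such as a CAC: the private key
// never leaves it, and it signs only after the correct PIN is presented.
// Constructed for illustration; a real card keeps the key in hardware.
type Card struct {
	priv    *ecdsa.PrivateKey
	pinHash [32]byte
	tries   int
}

// NewCard issues a card with a fresh P-256 key and the given PIN.
func NewCard(pin string) (*Card, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Card{priv: priv, pinHash: sha256.Sum256([]byte(pin)), tries: 3}, nil
}

// Public returns what the relying party enrolls (in practice, the certificate).
func (c *Card) Public() *ecdsa.PublicKey { return &c.priv.PublicKey }

// Sign releases a signature only with the right PIN and locks after three
// consecutive misses, so a stolen card alone ("something you have") is useless.
func (c *Card) Sign(pin string, msg []byte) ([]byte, error) {
	if c.tries == 0 {
		return nil, errors.New("card locked")
	}
	h := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(h[:], c.pinHash[:]) != 1 {
		c.tries--
		return nil, errors.New("bad PIN")
	}
	c.tries = 3
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, c.priv, digest[:])
}

// Verify checks a signature against the enrolled public key. The same routine
// serves logon (msg is the server's challenge) and documents (msg is the content).
func Verify(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Challenge returns a fresh random nonce. Signing a server-chosen nonce rather
// than a fixed string stops a captured signature from being replayed later.
func Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

func main() {
	card, _ := NewCard("1234") // PIN is a constructed example value
	pub := card.Public()

	// Two-factor logon: possession of the card plus knowledge of the PIN.
	nonce, _ := Challenge()
	if _, err := card.Sign("0000", nonce); err != nil {
		fmt.Println("logon rejected:", err)
	}
	sig, _ := card.Sign("1234", nonce)
	fmt.Println("logon accepted:", Verify(pub, nonce, sig))

	// Document signature: any change to the content invalidates the signature.
	doc := []byte("Approve purchase order 4471 for $12,000")
	docSig, _ := card.Sign("1234", doc)
	fmt.Println("original verifies:", Verify(pub, doc, docSig))
	altered := []byte("Approve purchase order 4471 for $120,000")
	fmt.Println("altered verifies:", Verify(pub, altered, docSig))
}
```

The relying party never sees the PIN; it only sees a signature over a challenge it chose, which is why the PIN cannot be phished from the server side and why a recorded logon cannot be replayed against a new challenge. For documents, the verifier recomputes the hash of what it received, so a one-character change to the amount fails verification.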

What Your Endpoint Security Management Software Should Do, continued from page s5

specifically listed as a threat will be able to connect to the network, allowing users to pilfer data or inject malware into the systems."

What the whitelist approach does is place control of policy squarely in the hands of the IT administration staff. Only devices that are authorized as having a viable business use will work on endpoints.

Software Solution

Two things your software should do are:
1. Provide policy-based application and device control that proactively secures your organization from data threats, including data leakage, malware and spyware.
2. Enable only authorized applications to run and only authorized devices (portable mass media) to connect to a network, laptop or PC, facilitating security and systems management while providing the necessary flexibility to the organization.

As a result, the software prevents data leakage via removable media; protects against malware, viruses and spyware; safeguards against zero-day threats; controls proliferation of unwanted applications and devices; assures and proves compliance with regulations governing privacy and accountability; and maximizes the benefits of new technologies while minimizing risk. The software should also be used to encrypt removable media so that it can be safely used and transported without fear of exposing confidential data to unauthorized users. ❑

Sources: Lumension, Adobe
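To make the default-allow versus default-deny distinction concrete, here is an added Go example, not from the supplement or from Lumension, of a device-control policy evaluated over constructed USB connect events (the vendor and product identifiers, serials and class names are made up for illustration). The blacklist lets the brand-new thumb drive through because nobody has listed it yet; the whitelist denies it while still allowing the issued encrypted drive by serial and keyboards by class, and records a reason for each verdict so the decision can be audited.

```go
package main

import (
	"fmt"
	"strings"
)

// Device is what an endpoint agent sees when something is plugged in: the USB
// vendor and product identifiers, the device class and the serial number.
type Device struct {
	VendorID, ProductID string // hex, as reported by the bus
	Class              string // "storage", "hid", "audio", ...
	Serial             string
}

// Decision records the verdict and why, which is what the audit trail needs.
type Decision struct {
	Allow  bool
	Reason string
}

// id normalizes vendor:product so list entries are matched case-insensitively.
func (d Device) id() string { return strings.ToLower(d.VendorID + ":" + d.ProductID) }

// BlacklistPolicy denies only identifiers someone already knew were bad. Anything
// not on the list, including a device released yesterday, is allowed by default.
type BlacklistPolicy struct{ Denied map[string]struct{} }

func (p BlacklistPolicy) Evaluate(d Device) Decision {
	if _, bad := p.Denied[d.id()]; bad {
		return Decision{false, "device on blacklist"}
	}
	return Decision{true, "not on blacklist (default allow)"}
}

// WhitelistPolicy allows only devices approved for a business use, optionally
// down to a specific serial, and denies everything else by default. Non-storage
// classes can be allowed broadly so keyboards and mice keep working.
type WhitelistPolicy struct {
	AllowedModels  map[string]struct{} // vendor:product approved for anyone
	AllowedSerials map[string]struct{} // vendor:product:serial issued to a user
	AllowedClasses map[string]struct{} // e.g. "hid"
}

func (p WhitelistPolicy) Evaluate(d Device) Decision {
	if _, ok := p.AllowedClasses[d.Class]; ok {
		return Decision{true, "class allowed: " + d.Class}
	}
	if _, ok := p.AllowedSerials[d.id()+":"+d.Serial]; ok {
		return Decision{true, "issued device (serial match)"}
	}
	if _, ok := p.AllowedModels[d.id()]; ok {
		return Decision{true, "approved model"}
	}
	return Decision{false, "not on whitelist (default deny)"}
}

// set builds a lookup set from list entries (vendor:product in lower-case hex).
func set(items ...string) map[string]struct{} {
	m := make(map[string]struct{}, len(items))
	for _, it := range items {
		m[it] = struct{}{}
	}
	return m
}

// Constructed sample events: an issued encrypted drive, a keyboard, a model
// blacklisted after a past incident, and a brand-new thumb drive nobody has seen.
var events = []Device{
	{"0781", "5583", "storage", "4C530001"}, // agency-issued drive
	{"046d", "c31c", "hid", ""},             // keyboard
	{"abcd", "1234", "storage", "BAD0001"},  // blacklisted model
	{"ffff", "0001", "storage", "NEW2008"},  // never seen before
}

func main() {
	black := BlacklistPolicy{Denied: set("abcd:1234")}
	white := WhitelistPolicy{
		AllowedModels:  set(),
		AllowedSerials: set("0781:5583:4C530001"),
		AllowedClasses: set("hid"),
	}
	for _, d := range events {
		b, w := black.Evaluate(d), white.Evaluate(d)
		fmt.Printf("%-9s %-8s blacklist=%-5v (%s) | whitelist=%-5v (%s)\n",
			d.id(), d.Class, b.Allow, b.Reason, w.Allow, w.Reason)
	}
}
```

The order of checks in the whitelist matters: class comes first so that human-interface devices are never blocked by a storage rule, and serial matching is preferred over model matching so that a second drive of the same make as an issued one is still denied. The cost of the approach is the enrollment step every new business device needs, which is exactly the policy work the article calls for.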



The Security Roadmap

Should you get a certification? An advanced degree? What about specific training? There is a wide range of options for security professionals. As a manager, if you surveyed the trends in security-related academic degrees for those in government and the private sector, you would notice three trends:
1. There are a lot of focused courses specifically targeting information assurance and homeland security topics.
2. Many educational institutions are offering advanced degrees with specific concentrations in these areas.
3. Many courses are available that teach to certification requirements such as A+, Network+, SSCP, CISSP, GSLC, CISM, Security+, GISF, GSEC, SCNP, SCNA, CISA and GSE.

In government that translates into DoD mandating vendor-neutral baseline IT security certifications; the State Department mandating vendor-neutral entry-level certifications and providing incentives for, but not mandating, other certifications; OPM surveying the federal government to identify the certifications being used; and DHS developing its IT Security Essential Body of Knowledge to make sure everyone in its 22 components is on the same page.

A large part of security management is providing a roadmap for professional advancement and making sure security professionals have a common body of knowledge. In today's security landscape, education can be divided into three areas.

Certifications Test Professionals

What certifications (e.g. CISSP) do is provide established criteria and a benchmark against which to test professionals. That means a baseline of tested knowledge and skills: a validated minimal level of knowledge in the functions required for a specific job. Organizations can build their own training on top of that baseline, draw on independent third-party review of processes and procedures, and keep content current. Certifications can also establish baselines that can be met across domains, e.g. DoD, NIST and the private sector. Certifications also provide a good tool for attracting and retaining the best talent. They create a pool of knowledge that boosts an organization's overall security posture.


It's Academic

More and more colleges and universities are developing curricula so that managers can attain an academic degree (Master's, Ph.D.). Attaining a degree involves the usual minimum of two to four years of college courses, taken with a wide range of general education credits, and results in one of:
• Academic certificates (18 credit hours);
• Two- to four-year degrees with a concentration in information assurance; and
• Advanced degrees (Master's, Ph.D. and other doctorates).

These courses are gaining popularity, especially those with a focus on homeland security, as candidates must demonstrate skills such as human interaction, research, problem solving and critical thinking.

Specific Training

The goal of training is to teach knowledge and skills that allow a person to perform a specific function. The format is usually topic-based or role-based. Different developers use different delivery methods and can tailor existing courses to meet specific needs. The advantage of targeted training is that it allows agencies to keep current on new areas of needed knowledge and skills. There is more emphasis on this area than on the others when updating or maintaining job-related skills and knowledge. Trends in training are being driven by the tendency to measure the number of people trained and the cost of training them, rather than performance improvement.

A Symbiotic Relationship

Management and employees inevitably view the world through different lenses. Each has expectations of the other. When it comes to security and education, these differences in expectations are what make the relationship work for all.

For management, certification means an employee who has been "vetted" by a third party as to proof of ability, thus reducing hiring risk. An academic degree means the employee has demonstrated an ability to learn and persevere, a foundation for all training; such employees will probably also have a good knowledge of new technologies and a "bigger picture" view. For management, training such as the VA's role-based training program is an expense and an investment with immediate payback, tailored to the unique needs of the VA.

For the individual, certification removes an entry barrier and provides a license to operate. This license should translate into increased pay and networking opportunities with others holding similar certifications. For the individual, an advanced degree is the foundation of a career and can greatly advance domain knowledge and job track potential. For the individual, role-based training teaches how to do the current job and can be used as a stepping stone for advancement.

ISS LOB

A backdrop to all of this is OMB's Information Systems Security Line of Business (ISS LOB), which was chartered to support the President's Management Agenda for expanded E-Gov. Its value proposition is to improve the level of information systems security across government; eliminate duplication of effort; increase aggregate expertise; and reallocate resources to missions. It initially identified common information systems security needs across all branches of government. Driving the ISS LOB are the need to close security training gaps; the need to define federal-wide standards for ISS skills; the lack of a common ISS career path; the lack of common criteria for credentialing ISS professionals; and the duplication of effort as agencies individually develop and procure baseline content and sustain distinct infrastructure to support ISS.

What this is supposed to do is support performance of the government's mission through improved information systems security; establish a mechanism to acquire, distribute and support information security solutions; and leverage existing workforce resources and attract and retain supplemental workforce resources. Recently the ISS task force made these recommendations: establish common solutions in four key areas; and close security gaps by establishing a Shared Service Center (SSC) model to drive better performance, increase expertise through specialization and reduce cost by providing common products and services. The task force also recommended leveraging a governance structure, using a phased implementation approach, and updating NIST SP 800-16, "Information Technology Security Training Requirements: A Role- and Performance-Based Model".

Learn more about IT certification and training at www.fissea.org and www.nist.gov. ❑

Source: Federal Information Systems Security Educators' Association (FISSEA)
