An inside-out digital defense by the feds against digital raiders is needed. Are they ready?
Right about now, the idea that federal-government data systems can be protected with perimeter-defense tactics is looking as quaint as castle walls.
Agency leaders are beginning to adopt an inside-out perspective when it comes to protecting the jewels, according to a new report published by the technology publication FedScoop and paid for by the two-factor technology vendor Cisco Systems Inc.
They are also returning to what the report refers to as a zero-trust mentality when it comes to traffic, people and devices interacting with their information-technology systems.
Every wave of new data technology, from the arrival of personal computers to smart watches, has been viewed by savvy CIOs throughout the economy as a ship-sinking threat. Their instinctive (and generally successful) reaction has been to keep the new class of devices off the property until the smoke cleared.
Organizations have met cyber threats in much the same way, by patching, erecting fences and cementing walls. A more integrated, mesh-like defense, such as deploying biometric systems broadly, still seems hard for corporate leaders to grasp.
FedScoop’s report and survey point to an “identity-centric, perimeter-less data environment” that the authors say can be created with “a combination of policy, investment and technology decision.”
There already is some movement — albeit unsteady and uneven — toward creating this environment among federal agencies and departments, according to the survey.
It finds that 48 percent of decision makers in federal-government information technology feel their unit is “substantially on their way to adopting an identity-focused defense.”
Asked about the data-security areas that they plan to spend more money on over the next two years, decision makers listed multi-factor one-time password schemes, randomly chosen passwords and PINs, and out-of-band authentication, a kind of two-factor confirmation in which a secondary verification method is mandated through a separate communications channel.
Biometric authentication was a good bit further down the list. Only 17 percent listed it as a priority, perhaps a reflection of how old federal government IT systems are and how difficult it would be to graft new systems onto them.
Yet, 30 percent of survey takers say their agency “still relies heavily on perimeter defense tools or policies.” Almost half of respondents say they remain “in the early stages” of inventorying the people and devices that access their networks.
Still more troubling, the survey found that 38 percent of respondents said, “I don’t know” when asked, “(i)s your agency planning to implement a password-less” scheme? A quarter said, yes, within the next year or two. Another 11 percent said within three to five years.
Unsurprisingly, 42 percent of federal IT decision makers said a lack of staff experience is a big hurdle to implementation. A third blamed a lack of standardized IT capabilities.
But they are not without some tools. The survey found that 58 percent of respondents said that their units can at least automatically provision and remove access rights for workers who come aboard, move between agency groups or leave the agency altogether.