Cybereye | The core challenge
Commentary: Cybersecurity must become deeply embedded in daily operations, rather than bolted on as a separate technology.
Sidebar | Data breaches: An unnecessary expense
- By William Jackson
- Jul 17, 2008
Governments, like corporations, are becoming more globalized as supply chains spread worldwide and coalitions form to address global challenges.
'There is always a need for allies,' said Samuel Chun, director of EDS U.S. Government Solutions' cybersecurity practice. And dealing securely with allies can be almost as difficult as dealing with enemies.
At a recent conference hosted by the Digital Government Institute, Chun outlined the top cybersecurity trends agencies face. His conclusions are not surprising, but they illustrate the need for cybersecurity to become deeply embedded in daily operations rather than bolted on as a separate technology.
The first challenge he identified is perimeter diffusion. As users become more mobile and devices more interoperable, there are fewer physical controls on those devices and no geographical boundaries. That makes the concept of perimeter defense inadequate. In many ways, the other information technology challenges facing governments stem from that diffusion.
Because the perimeter is no longer an effective line of defense, administrators must decide where to put their security. The trend is toward protecting data and resources in the core of the enterprise. 'Application security is going to be a big deal,' Chun said. More security features are going to be embedded in applications themselves.
The need for cross-domain collaboration is another trend. There has always been a need to communicate with allies, neighbors and even enemies. But communications are not just government-to-government; they often are person-to-person in theaters of operations around the world. As digital communications become more tightly integrated with our basic business processes, securing these communications becomes more important and more complex.
The key to cross-domain communications is federated identity management based on reliable identity proofing and trusted, verifiable credentials. 'Everybody is working on federated identity management,' Chun said. The Security Assertion Markup Language is emerging as the standard for enabling these strategies.
Consolidation and virtualization present different security challenges.
Consolidated IT resources require less management and give a quick return on investment. 'But you can consolidate to a point that you lose resiliency,' Chun said. Rather than letting economics alone drive consolidation, administrators must balance efficiency and redundancy, he said. 'Virtualization is cool,' he said, and it is a powerful tool for consolidating resources. However, IT administrators need to take a disciplined approach by deploying virtualization only where needed and resisting the temptation to use it just because it's cheap.
None of these challenges will come as a surprise to anyone who is paying attention to IT security. However, they all illustrate the trend toward incorporating security into systems. Implementing security before hardware and software are deployed adds a degree of complexity to our systems, but addressing security at this point will eventually make the systems more manageable and more valuable.
I received a letter from my alma mater a few weeks ago, not asking for more money this time but informing me of the theft of a laptop PC that contains information about donors, including me. The files did not include the kind of personally identifiable information or account data that would have triggered a mandatory notification, I was told, but the school was taking no chances and was letting me know anyway.
I appreciate the institution's caution, but I can't help wondering why the information was sitting on an unattended laptop if it was even a little sensitive. In the first place, that was just plain careless. In the second place, what was the school using that information for?
Organizations soliciting donations often prefer that you contribute with a credit card rather than writing a check, and this incident makes me hesitant about entrusting the school with credit card information. I'm not too sure about letting it see my checking account information, either. In fact, this incident could lead me to rethink donations of any kind.
At a time when schools are increasingly strapped for money, this could prove to be one expensive laptop.
William Jackson is a freelance writer and the author of the CyberEye blog.