Shawn McCarthy

COMMENTARY

Services-focused IT calls for renewed security push

As agencies cut their IT budgets, security is one thing that they still have to get right, and that might mean boosting investments to get it right the first time.

The security situation for government IT systems is about to get more complex.

As agencies continue to consolidate multiple older systems, they're already making decisions on which security solutions to keep or eject. Meanwhile, as they close data centers, they need to make choices about where security solutions will reside and how such solutions should be licensed or leased. And as agencies move multiple applications into the cloud, they need to make choices about how user authentication will work across multiple domains.

If that's not complicated enough, there's also the question of funding.

Each year, as agencies set their annual IT budgets, they face a series of security-related decisions. Are they dedicating enough funds to every type of security? What level of business continuity should each system have, and what is the right balance between the risk accepted and the cost of protecting systems and data? Budgeting might be one of the toughest issues to address.

Based on recent Office of Management and Budget data, agencies spend an average of 8 percent of their total IT budget on security solutions. Some spend as little as 2 percent. Across all other industries, by contrast, security spending usually hovers around 19 percent of total IT budgets, according to IDC surveys. To be fair, comparing security budgets across industries is not an apples-to-apples exercise: some government security solutions are shared across multiple agencies, which lowers any single agency's reported share. Even so, a gap of that size, by percentage, indicates that federal agencies might need to re-examine the funds they currently dedicate to system security.

Hopefully, that effort will also lead to enterprise standardization, when possible, across multiple security categories. Products and services are associated with each of the categories listed in the accompanying box. Working through their chief security officers (CSOs), agencies already should be doing a full audit of all security solutions, deciding which ones perform best, which are most easily ported to new systems, which are most affordable, and which are likely to have long-term vendor or open-source community support. With that information, they can then weigh which ones are the strongest candidates to become enterprise standards.

As more systems are consolidated off-site and more cloud solutions are plugged into your network, it's increasingly likely that security as a service will be part of your future. Of the categories listed, security and vulnerability management and identity and access management are the ones most likely to be outsourced to a third-party provider or systems integrator. In the identity case, authentication and access control management are often run as a separate, central system. Employees log in once to that authentication system, which in turn enforces role-based access to multiple other IT resources on your networks, including cloud solutions hosted by third parties. That arrangement only works if each downstream system can verify that an assertion really came from the central service, was issued for that system rather than another one, and has not expired or been altered in transit.
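To make the arrangement concrete, here is a small added example in Python; it is not part of the original commentary and does not come from any vendor or NIST material. A central identity provider authenticates a user once and issues a short-lived, signed assertion scoped to one target system, and each relying party (one on-premises, one cloud-hosted) verifies the signature, audience and expiry before applying its own role-based permissions. All user names, roles, system names and the signing key are made up; the "body.signature" token format is a simplified stand-in for SAML or OpenID Connect, and the shared HMAC key stands in for an identity provider's public key.

```python
# Added example, not from the original article: a central identity provider
# issues signed, short-lived assertions scoped to one relying party, and each
# relying party (on-premises or cloud-hosted) verifies the assertion and applies
# its own role-based permissions. Names, roles and keys are made up. The shared
# HMAC key stands in for the IdP's public key; a real deployment signs
# asymmetrically so relying parties can verify assertions but not mint them.
import base64
import hashlib
import hmac
import json
import os
import time


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the user directory never holds plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class IdentityProvider:
    """Central login service: authenticates once, issues one assertion per target system."""

    def __init__(self, signing_key: bytes, audiences: set):
        self.signing_key = signing_key
        self.audiences = audiences  # relying parties this IdP will issue assertions for
        self.users = {}             # username -> (salt, password hash, roles)

    def add_user(self, username: str, password: str, roles: list):
        salt = os.urandom(16)
        self.users[username] = (salt, hash_password(password, salt), list(roles))

    def authenticate(self, username, password, audience, ttl=300, now=None):
        """Returns a 'body.signature' assertion, or None on any failure."""
        record = self.users.get(username)
        if record is None or audience not in self.audiences:
            return None
        salt, stored, roles = record
        if not hmac.compare_digest(stored, hash_password(password, salt)):
            return None
        now = int(time.time()) if now is None else int(now)
        claims = {"sub": username, "aud": audience, "roles": roles, "iat": now, "exp": now + ttl}
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
        sig = hmac.new(self.signing_key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"


class RelyingParty:
    """One protected system. It holds the IdP's verification key and its own
    action -> allowed-roles map; it never handles passwords."""

    def __init__(self, audience: str, verify_key: bytes, permissions: dict):
        self.audience = audience
        self.verify_key = verify_key
        self.permissions = permissions

    def validate(self, token, now=None):
        """(claims, 'ok') or (None, reason). Signature first, then audience, then
        expiry: nothing parsed from the body is trusted until the signature checks out."""
        parts = token.split(".") if isinstance(token, str) else []
        if len(parts) != 2:
            return None, "malformed"
        body, sig = parts
        expected = hmac.new(self.verify_key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None, "bad signature"
        claims = json.loads(base64.urlsafe_b64decode(body))
        if claims.get("aud") != self.audience:
            return None, "wrong audience"  # assertion was minted for a different system
        now = int(time.time()) if now is None else int(now)
        if now >= claims.get("exp", 0):
            return None, "expired"
        return claims, "ok"

    def authorize(self, token, action, now=None):
        """Role-based check: (True, 'ok') or (False, reason)."""
        claims, reason = self.validate(token, now)
        if claims is None:
            return False, reason
        if set(self.permissions.get(action, ())) & set(claims.get("roles", ())):
            return True, "ok"
        return False, "insufficient role"


def run_demo():
    """Runs the cross-domain flow at a fixed clock and returns every outcome."""
    key = b"constructed-demo-key-do-not-reuse"
    idp = IdentityProvider(key, {"hr-cloud", "onprem-finance"})
    idp.add_user("alice", "correct horse", ["analyst"])
    idp.add_user("bob", "battery staple", ["analyst", "approver"])
    hr_cloud = RelyingParty("hr-cloud", key, {"view_records": {"analyst", "approver"}})
    finance = RelyingParty("onprem-finance", key, {"approve_payment": {"approver"}})

    t0 = 1_000_000
    alice_hr = idp.authenticate("alice", "correct horse", "hr-cloud", now=t0)
    alice_fin = idp.authenticate("alice", "correct horse", "onprem-finance", now=t0)
    bob_fin = idp.authenticate("bob", "battery staple", "onprem-finance", now=t0)

    # Tampering attempt: promote Alice to approver in the body, keep the old signature.
    body, sig = alice_fin.split(".")
    forged = json.loads(base64.urlsafe_b64decode(body))
    forged["roles"] = ["approver"]
    forged_token = base64.urlsafe_b64encode(json.dumps(forged, sort_keys=True).encode()).decode() + "." + sig

    return {
        "bad_password": idp.authenticate("alice", "wrong", "hr-cloud", now=t0),
        "alice_hr_view": hr_cloud.authorize(alice_hr, "view_records", now=t0 + 10),
        "alice_fin_approve": finance.authorize(alice_fin, "approve_payment", now=t0 + 10),
        "bob_fin_approve": finance.authorize(bob_fin, "approve_payment", now=t0 + 10),
        "hr_token_at_finance": finance.authorize(alice_hr, "approve_payment", now=t0 + 10),
        "expired": hr_cloud.authorize(alice_hr, "view_records", now=t0 + 600),
        "tampered": finance.authorize(forged_token, "approve_payment", now=t0 + 10),
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:22s} -> {outcome}")
```

The order of checks in `validate` is the point worth copying into any real deployment: verify the signature before reading anything from the body, reject assertions issued for a different system even when the signature is valid, and keep lifetimes short so a captured assertion is worthless soon after it is stolen. The relying parties never see a password, which is what makes it possible to move them to a cloud provider without also handing that provider the agency's credentials.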

The National Institute of Standards and Technology has some tips on how to set up identity management and user account provisioning systems when working with multiple cloud providers.

Other issues that need to be reviewed in this new world of cross-jurisdiction security include:

  • Loss of governance. Organizations might no longer have direct control of all facets of their infrastructure. Levels of trust need to be established for every provider.
  • Compliance risk. Will every cloud provider be able to meet the requirements and deadlines that regulations, reporting obligations and privacy rules impose?
  • Data protection. Business continuity is a security issue. When organizations cede control over systems and data, they must have clear and enforceable service-level agreements on how data is to be kept secure and available. That should include rules about what is kept, what is deleted and when.

Security management is clearly becoming increasingly fragmented. As agencies cut their IT budgets, security is one thing that they still have to get right, and that might mean boosting investments to get it right the first time.
