Future Security Priorities 

By Barbara DePompa

Regardless whether nations wage war over the internet, or hackers strike to gain access to electronic records online, federal agencies and departments must find a way to stay one step ahead, to adequately serve, protect and defend – and ensure critical operations remain safe.

In the 1105 Government Information Group’s 2009 Cybersecurity Survey, those who participated said there were several critical security issues that will continue to grow in importance in the coming months, including the following:



*Identity management was listed in multiple parts of the survey as a key area, in which agencies will most likely achieve success in the near term. While identity management tools, such as ID cards, readers and biometric technologies were ranked among the top five security investments that agencies will make this year, by 37% of survey respondents, also important to survey respondents will be investments in intrusion detection software, mentioned by 33%, and physical security investments to protect hardware and prevent intrusion, mentioned by 26% of respondents.

* Continuing emphasis on access control was mentioned repeatedly by respondents, as the most critical cybersecurity threat to be addressed in the short term.In their comments, respondents said agencies must adopt single sign-on technology to consolidate security management and minimize password abuse. Others stressed the need to authenticate and validate users, and train users about access control to increase both awareness and protection. Still others expressed concerns about penetration and malware, which must be addressed via firewalls, IDS/IPS, antiviral software and enterprise node scanning. The need to automate access control functions was also mentioned by respondents, including the need to standardize detection and protection, and to push patches and updates to users automatically. Some respondents said while technological solutions are readily available, the ‘people’ issues related to improving intrusion detection and prevention will be much harder to accomplish. “The end user is the problem and lack of concern for security is the biggest threat.  Even after repeated training, many still have an ‘it won’t happen to me’ attitude,” said one respondent.

* The security of mobile devices was also ranked in the ‘top five’ for agency security investments to be made in 2009, by 33% of survey respondents.

*Training of agency personnel, which already made the cybersecurity top ten list, was also ranked by government executives among the top five future security investments by 37% of survey respondents. Respondents stressed the need for greater user awareness, education and training. “Our staff is being caught in phishing attempts,” which indicates more education is needed, one said. Another respondent probably summed up the need for more and better training best, by saying, “IT security training and awareness is the quickest and easiest to implement and the best way to gain the most advantages [from security investments].  Technology is only a part of security. The individuals using technology are the most important link, and must be made aware of their part in securing systems.”

*More and better virtualization security was repeatedly mentioned in comments from respondents in this online survey. Among their suggestions for improvements – the need to group ‘like servers’ from a security perspective, so that high-security virtual machines don’t occupy the same physical box as less secure servers. Others stressed the need for security monitoring tools to help to distill information. “Monitoring is required for inter-process communications within the virtual machines or between a virtual infrastructure that spans multiple physical machines,” one respondent said. One respondent  mentioned said access rules must be made consistent across physical servers and guest operating systems. Another said IT security teams must have policies in place to audit configuration and deployment. As the use of virtualization has grown, it’s clear that government organizations are struggling to keep pace with security requirements for this newer technology. As one respondent pointed out, “organizations can set group policies to prevent the installation of virtual machines, which can help stop developers, testers and other technically adept users from putting up unauthorized virtual machines.” Finally, some respondents expressed concern about configuration management, which they said must evolve to factor in the scalability required for virtualization. Industry experts agree there is a need for greater understanding of the configuration management challenges as the use of virtualization expands throughout government agencies. According to Jorge Fuster, Principal for VirtualFedTeam, a federal IT staffing organization, “when ten or 100 virtual devices are placed on each physical server, this can put strain on an existing configuration management infrastructure.”