ANOTHER VIEW—Guest commentary
Rob Wilson | The elements of a secure temporary network
Lessons learned from setting up a secure temporary network for the presidential transition
- By Special to GCN
- Jan 30, 2009
If you followed news of Web site defacements and network intrusions this past campaign season, you know that every candidate was affected – either directly or indirectly. Last spring, then-candidate Barack Obama’s site was hacked and visitors were redirected to Sen. Hillary Clinton’s Web site. Hackers also penetrated Sen. John McCain’s Web site, allegedly stealing files, and news accounts say Alaska Gov. Sarah Palin was shocked to learn that her personal Yahoo e-mail account had been infiltrated.
Securing a network is never an easy task. There are many variables to manage: the sensitivity level of the data, the layers of security added during the installation phase, risk management and continuous monitoring of the network.
Since November, Telos has been performing these tasks and more in support of the Presidential Transition System Infrastructure – a temporary government network set up to bolster the day-to-day operations of the Obama/Biden presidential transition team. Specifically, we are responsible for completing the security assessment testing and risk assessment on the entire temporary network – which is still operational though less utilized since the inauguration – including all network components, servers, workstations and applications. We established the parameters for operation and validated that the appropriate controls were implemented to protect the data that was processed and stored on the system. This protects highly sensitive information and keeps it from unauthorized access.
There is a checklist of items to complete when establishing a secure network for a temporary government organization, much as a heating and air conditioning specialist would work through a list of checks if water started dripping from a person’s furnace.
To set up a secure network, you must provide multiple layers of security – what is known in the Defense Department as a defense-in-depth approach. You must also apply secure engineering and compliance practices, determine threat and vulnerability vectors, define risks and implement countermeasures.
First and foremost, an organization must determine the sensitivity level of the information to be processed, as this determines the level of security needed. Government guidelines, including the National Institute of Standards and Technology’s 800-53, assist an organization in establishing the level of required security controls for a particular government system.
Before full operation of the system, a third party validates the compliance of the system with the required security controls. The results of this assessment are included in the overall security documentation for the system.
The final stage is operation and continuous monitoring of the network. As the temporary government organization continues to enhance the overall security posture of the system, the system also undergoes routine assessments and third-party validation to ensure continued compliance.
All of these steps are critical in implementing a fortified system that employs firewalls, intrusion detection systems, virtual LANs and additional security mechanisms to protect the sensitive data that resides on government networks.
Defense-in-depth is the best approach for designing and monitoring a secure network. In this case, it helped bolster the temporary transition team network, keeping sensitive information out of the wrong hands.
Wilson is a director for the Secure Solutions division of Telos, a provider of secure IT solutions located in Ashburn, Va.