How to leverage networks to boost security
- By Joel Dolisy
- Jul 29, 2015
The breach at the Office of Personnel Management has put security top of mind for nearly every government IT manager.
Many agencies are already practicing excellent cyber hygiene; others are still in implementation phases. Regardless of where you are in the process, it is critical to understand that security is not a one-product solution, and it requires constant attention. Having a solid security posture requires a broad range of products, processes and procedures.
Networks, for example, are a critical piece of the security picture; agencies must identify and react to vulnerabilities and threats in real time. A well-instrumented network tells you what devices are on it, how they are configured and what they are talking to, and the same tooling that keeps it performing well can drive automated, proactive security controls. The result is a more stable network and a measurable improvement in the efficiency and effectiveness of the agency's overall security.
How can agencies leverage their networks to enhance security? Below are several practices you can begin to implement today, as well as some areas of caution.
Standardization. Standardizing network infrastructure is an often-overlooked method of enhancing network performance and security.
Start by reviewing all network devices and ensure consistency across the board: same software train, same management settings, same logging and time-synchronization targets. Next, make sure you have multiple, well-defined network segments. Greater segmentation provides two benefits: greater security, because traffic between segments is denied unless explicitly permitted, which limits how far an intruder can move after compromising one host; and greater ability to standardize, because segments of the same type can be built from the same template, which makes deviations easy to spot.
Standardization also allows you to bring new team members up to speed quickly on specifications and provides tighter control when rolling out new implementations and designs. And, finally, standardization reduces configuration errors and automates deployment.
Change management. Good change management practices go a long way toward enhanced security. For example, change management software – specifically, software that requires a minimum of two unique approvals before changes can be implemented – prevents unauthorized changes at any time of day or night, including 2:00 a.m. when an intruder might assume nobody is watching.
In addition, make sure you fully understand the effect changes will have across the infrastructure before granting approval. Analyze and understand, for example, the consequences on the network as a whole in terms of capacity, performance, risk, cost and more.
Configuration database. Once infrastructure is standardized and sound change-management practices are in place, it’s important to have a configuration database for backups, disaster recovery, etc. If you have a device failure, being able to recover quickly can be critical; implementing a software setup that can do this automatically can dramatically reduce security risks.
Another security advantage of a configuration database is the ability to scan for security-policy compliance and for configuration drift. With all configurations in one location, checking every device against the baseline becomes a scripted task rather than a cumbersome manual one, and a device whose stored configuration no longer matches its peers is a signal that a change bypassed the approval workflow.
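As an added illustration (not code from the article or from any SolarWinds product), the following script shows what a compliance scan over a configuration database looks like once configurations are centralized. The device configurations and the policy rules are constructed for the example; the rule set is loosely modelled on common hardening items rather than copied from any specific STIG, and the device names and addresses are made up.

```python
import re
from typing import NamedTuple

# Constructed sample configuration database: device name -> stored config text.
# Made-up IOS-style snippets for illustration only, not real device configs.
CONFIG_DB = {
    "core-rtr-01": """\
hostname core-rtr-01
service password-encryption
no ip http server
no ip http secure-server
ntp server 10.0.0.5
logging host 10.0.0.20
snmp-server community public RO
line vty 0 4
 transport input ssh
 exec-timeout 10 0
""",
    "edge-sw-07": """\
hostname edge-sw-07
ip http server
ntp server 10.0.0.5
logging host 10.0.0.20
snmp-server community secretRO RO
line vty 0 4
 transport input telnet ssh
 exec-timeout 0 0
""",
}


class Rule(NamedTuple):
    rule_id: str
    pattern: str        # regex matched line-by-line (re.MULTILINE)
    must_exist: bool    # True: a match is required; False: a match is a violation
    description: str


# Constructed policy baseline (hypothetical rule IDs, not from any published STIG).
POLICY = [
    Rule("PW-ENC", r"^service password-encryption$", True, "stored passwords obfuscated"),
    Rule("NO-HTTP", r"^ip http server$", False, "plaintext HTTP management disabled"),
    Rule("VTY-SSH", r"^ transport input ssh$", True, "VTY lines accept SSH only"),
    Rule("VTY-TIMEOUT", r"^ exec-timeout 0 0$", False, "idle VTY sessions must time out"),
    Rule("SNMP-PUBLIC", r"^snmp-server community public\b", False, "default SNMP community forbidden"),
    Rule("NTP", r"^ntp server \S+", True, "clock synced so logs correlate"),
    Rule("SYSLOG", r"^logging host \S+", True, "logs shipped off-box"),
]


def check_config(config: str, policy=POLICY) -> list:
    """Return the IDs of every policy rule the given config violates."""
    findings = []
    for rule in policy:
        found = re.search(rule.pattern, config, re.MULTILINE) is not None
        if found != rule.must_exist:
            findings.append(rule.rule_id)
    return findings


def scan_database(config_db=CONFIG_DB, policy=POLICY) -> dict:
    """Compliance findings for every device in the configuration database."""
    return {dev: check_config(cfg, policy) for dev, cfg in config_db.items()}


def drift_report(config_db=CONFIG_DB) -> dict:
    """Standardization check: lines each device has that at least one peer lacks.

    The hostname line is excluded because it is expected to differ. Anything
    else unique to a device is a candidate for an unapproved or out-of-template
    change and deserves a look.
    """
    line_sets = {
        dev: {line for line in cfg.splitlines() if not line.startswith("hostname ")}
        for dev, cfg in config_db.items()
    }
    common = set.intersection(*line_sets.values())
    return {dev: sorted(lines - common) for dev, lines in line_sets.items()}


if __name__ == "__main__":
    for dev, findings in scan_database().items():
        print(dev, "violates", findings or "nothing")
    for dev, extra in drift_report().items():
        print(dev, "differs from peers on", len(extra), "lines")
```

In a real deployment the regexes would be maintained alongside the baseline template and versioned with it, so that a change to policy goes through the same two-approval workflow as a change to a device.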
Compliance awareness. Compliance is one of any agency's primary security concerns, and trying to comply with the Security Technical Implementation Guides (STIGs) from the Defense Information Systems Agency, the Federal Information Security Management Act and more can be a complicated business.
That said, increased awareness and, in turn, increased security does not have to be difficult. Consider using a tool that automates vulnerability scanning and FISMA/DISA STIG compliance assessments. Even better? A tool that also automatically alerts you to new risks by pulling entries from the National Vulnerability Database (NVD), which the National Institute of Standards and Technology maintains, and checking the affected products and versions against the device inventory in your own configuration database.
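As an added example of the cross-check described above (not code from the article or from any product), the script below matches a device inventory against advisory records shaped like the NVD feed's CPE match entries, with the version-range fields (versionStartIncluding, versionEndExcluding and so on) that the feed uses. The inventory, vendor and product names, and advisory IDs are all constructed for the example; they are not real devices or real CVEs.

```python
# Constructed inventory, as it might be derived from the configuration database:
# hostname -> (vendor, product, running software version). All names are made up.
INVENTORY = {
    "core-rtr-01": ("examplenet", "routeros_x", "15.2.4"),
    "edge-sw-07": ("examplenet", "switchos_y", "3.9.1"),
    "dist-sw-03": ("examplenet", "switchos_y", "4.1.0"),
}

# Constructed advisories in the shape of NVD CPE match records: a cpe23Uri plus
# optional version-range bounds. The ADV-* IDs are placeholders, not CVE numbers.
ADVISORIES = [
    {"id": "ADV-0001", "cpe23Uri": "cpe:2.3:o:examplenet:routeros_x:*:*:*:*:*:*:*:*",
     "versionStartIncluding": "15.0", "versionEndExcluding": "15.2.5"},
    {"id": "ADV-0002", "cpe23Uri": "cpe:2.3:o:examplenet:switchos_y:3.9.1:*:*:*:*:*:*:*"},
    {"id": "ADV-0003", "cpe23Uri": "cpe:2.3:o:examplenet:switchos_y:*:*:*:*:*:*:*:*",
     "versionEndExcluding": "4.0"},
]


def parse_version(v: str) -> tuple:
    """Dotted numeric version -> tuple for component-wise comparison.

    Non-digit characters inside a component are dropped, and trailing zeros are
    stripped so that "4.0" and "4.0.0" compare equal rather than "4.0" < "4.0.0".
    """
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def cpe_fields(uri: str) -> tuple:
    """Vendor, product and version fields from a cpe:2.3 URI."""
    f = uri.split(":")
    return f[3], f[4], f[5]


def advisory_matches(adv: dict, vendor: str, product: str, version: str) -> bool:
    """True if the advisory's CPE criteria cover this vendor/product/version."""
    a_vendor, a_product, a_version = cpe_fields(adv["cpe23Uri"])
    if (a_vendor, a_product) != (vendor, product):
        return False
    v = parse_version(version)
    if a_version not in ("*", "-"):            # exact-version criterion
        return v == parse_version(a_version)
    # Wildcard version: apply whichever range bounds the record carries.
    if "versionStartIncluding" in adv and v < parse_version(adv["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in adv and v <= parse_version(adv["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in adv and v > parse_version(adv["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in adv and v >= parse_version(adv["versionEndExcluding"]):
        return False
    return True


def affected_devices(inventory=INVENTORY, advisories=ADVISORIES) -> dict:
    """hostname -> list of advisory IDs whose criteria match that device."""
    return {
        host: [adv["id"] for adv in advisories if advisory_matches(adv, *spec)]
        for host, spec in inventory.items()
    }


if __name__ == "__main__":
    for host, ids in affected_devices().items():
        print(host, "affected by", ids or "no known advisory")
```

The weak point of any such check is the inventory side: the match is only as good as the vendor, product and version strings recorded for each device, which is one more reason to keep them in the configuration database rather than in a spreadsheet.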
Areas of caution
Most security holes are related to inattention to infrastructure. In other words, inaction can be a dangerous choice. Some examples are:
Old inventory. Older network devices inherently have outdated security: once a device passes its end-of-support date it receives no further firmware fixes, so every new vulnerability found in it stays open for as long as it remains in service. Update as often as possible to ensure the newest security features are in place, and invest in a solution that inventories network devices and tracks end-of-life and end-of-support information. This also helps forecast the cost of replacement devices before the old ones fail or become a security liability.
Not patching. Patching and patch management are critical to security. Plus, a full version upgrade usually costs more than applying the patch that fixes the issue, so there is little reason to defer it. Choose an automated patching tool, fed by the same device inventory, to be sure you are staying on top of this important task.
Unrestricted bring-your-own-device policies. Some agencies have broad BYOD rules, some do not. Having no rules, or having rules so strict that workers will try to circumvent them, both invite breaches. The solution? Allow BYOD, but with restrictions. Put personal and other unmanaged mobile devices on their own network segment with no path to internal systems beyond the services they legitimately need, and closely monitor that segment's traffic and bandwidth usage so you can make changes on the fly as necessary.
While there is an increasing focus on enhancing agencies' security posture, there is no quick-and-easy solution. That said, tuning the network through these practices will not only enhance performance, but will also go a long way toward reducing risks and vulnerabilities.
Joel Dolisy is the CIO at SolarWinds.