For today's government data security, trust no one
- By Bill Rowan
- Oct 16, 2015
The fallout continues from the massive data breach at the Office of Personnel Management this summer. Sensitive, personally identifying information including fingerprints, Social Security numbers and addresses of over 20 million Americans were compromised. Understandably, agencies are rushing to adopt technology that will put them in a stronger position to withstand such cyberattacks, without breaking the bank.
There are three lessons to be gleaned from recent, high-profile cyberattacks on government networks:
- The attacker, once inside the perimeter security, has been able to move freely around the agency’s network.
- Perimeter-centric cybersecurity policies, mandates and techniques are insufficient to protect government cyber assets.
- Cyberattacks will continue.
But agencies can greatly increase their ability to prevent cyberattacks and limit their damage and severity with network virtualization.
Virtualization is an important part of better cybersecurity, and now the networking component of an agency’s infrastructure can be virtualized, just like the storage and computing components. Unlike perimeter-based security, virtualized networking allows for segmenting the data center, firewalling off various sensitive areas without the need for external hardware.
Forrester Research describes this new approach to cybersecurity as the “zero trust” model, in which all network traffic is untrusted, and every packet on the network has to be inspected and analyzed in real time. By adopting a zero-trust mindset, state, local and federal agencies can protect all resources regardless of location. They can deploy a least-privilege strategy with strict access control and inspect all log traffic on a network. With zero trust, government at all levels can be confident that their networks are secure and prepare to mitigate the impacts of an attack when one occurs.
Zero trust can be achieved by creating “micro-segmented” network environments within the data center. Micro-segmentation prevents unauthorized lateral movement within the data center by establishing automated governance rules that manage the movement of users and data between business systems and/or applications within the data center network. When a user or system “breaks the rules,” the potential threat incident is compartmentalized, and security staff can take appropriate actions.
To build on this analogy, compartmentalization is equivalent to locking not just the front door, but all the interior rooms in a house. Only those with the appropriate keys can move from room to room. This segmentation mitigates the magnitude of a perimeter security breach by limiting the intruder’s ability to move around freely within the house. While many entities have “network segmentation” initiatives underway, they taking legacy, hardware-based approaches to their network segmentation initiatives, which can be expensive.
Fortunately, the move to more secure data centers can be made possible through software, not expensive hardware.
An example of what this could look like is the city of Avondale, Ariz. Avondale wanted to boost its security posture by segmenting the network, putting firewalls between servers to secure traffic moving between virtual machines or apps. Taking a legacy approach would have required significant overhead and time, which the city could not afford. Instead, Avondale’s IT leaders opted for a software-defined approach to zero trust, and used a network virtualization platform built into the hypervisor at the kernel level, eliminating the need to buy extra hardware.
While a zero trust approach via compartmentalization is a new way to understand cybersecurity, the technology is well proven. There are clear best practices and established providers, such as Brocade, Juniper, CheckPoint, Symantec and Palo Alto Networks, that offer virtualized network security.
The timing is right for this new way of understanding cybersecurity. Government networks are in the midst of a transition to software-defined networks, which promise huge gains in performance, flexibility and efficiency. But the transition can’t be considered complete without adopting the zero-trust approach to protecting government databases.
Bill Rowan is vice president federal, VMware Public Sector.