Create a Truly Secure Network

Large organizations across all sectors face real challenges in keeping their networks secure, and government agencies are no exception. In fact, a 2016 report from SecurityScorecard found government organizations had the lowest security scores of any sector.

The report tracked 35 major data breaches among government organizations between April 2015 and April 2016. Along with malware infections and software patching cadence, government struggles most with maintaining network security.

One reason government agencies are having such a difficult time securing networks might be that they have been using the same technologies and techniques for years. According to a report from 451 Research, relying too heavily on network and endpoint security technologies simply doesn’t cut it anymore, especially in fighting multi-stage attacks. While still useful, these technologies can’t handle the threats posed by the multitude of devices, WiFi, cellular and satellite communications. They also have problems protecting data stored in the public cloud—something 84 percent of federal respondents say they plan to do within the next 12 months.

Fully protecting federal networks requires a more comprehensive approach. And that approach must involve securing remote access for mobile and third-party users, securing data at rest, implementing network and host segmentation, and employing multilayer security to improve availability.

Requiring secure remote access is critical to network security, especially in today’s business environment. Users expect to be able to access applications, data and other resources from their own devices on their own time. It’s difficult to ensure all employee devices are fully secure. It’s equally difficult to detect employees who use insecure mobile devices.

A Ponemon Institute study found even if an organization uses controls, more than half of employees circumvent or disable required security settings. To ensure secure remote access, agencies must automate and enforce policies, require multifactor authentication, and configure remote access authentication methods and encryption levels. It’s also helpful to secure traffic between a remote access server and remote users via signing, encryption or tunneling (encapsulating and transmitting data).

Securing data at rest (stored data, as opposed to data currently traversing the network) is also critical. While most of the security risks apply to data in use, data at rest is still vulnerable if the network is compromised. Encryption at the file or folder level protects data not only on premises, but in the cloud. It’s also useful to employ application-level encryption, which helps secure data as it is created. Virtual machine encryption is another critical component.

Segmenting the network improves network security by limiting access to critical applications and data. Network segmentation typically involves configuring firewalls, virtual LANs and gateways, which lets agencies split the network into multiple zones. This way, each zone can have its own security policies, and data can be segmented based on its sensitivity or use.

Agencies that have adopted software-defined networking (SDN) can more easily achieve micro-segmentation. This helps facilitate a more advanced and flexible segmentation approach. Micro-segmentation uses virtualization and software-defined network technologies to segment data and workloads down to the individual user level if needed.
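The zone model and the per-user micro-segmentation described in the two paragraphs above can be expressed as a default-deny policy check. This is an added example, not part of the original article; the zone names, subnets, ports and user names are constructed assumptions.

```python
import ipaddress

# Constructed sample zones (names and subnets are assumptions for illustration).
ZONES = {
    "public": ipaddress.ip_network("10.0.1.0/24"),
    "internal": ipaddress.ip_network("10.0.2.0/24"),
    "records": ipaddress.ip_network("10.0.3.0/24"),
}
# Zone-to-zone allow list: (source zone, destination zone, destination port).
# Any cross-zone flow not listed here is denied by default.
ZONE_RULES = {("public", "internal", 443), ("internal", "records", 5432)}
# Micro-segmented zones add a per-workload, per-user check on top of zone rules.
MICROSEGMENTED = {"records"}
WORKLOAD_USERS = {("10.0.3.10", 5432): {"alice"}}


def zone_of(ip):
    """Return the name of the zone whose subnet contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)


def decide(src_ip, dst_ip, port, user=None):
    """Return (allowed, reason) for one flow under the policy above."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False, "address outside every defined zone"
    if src != dst and (src, dst, port) not in ZONE_RULES:
        return False, f"no zone rule {src} -> {dst}:{port}"
    if dst in MICROSEGMENTED:
        # Checked for intra-zone flows too, which limits lateral movement.
        workload = (str(ipaddress.ip_address(dst_ip)), port)
        if user not in WORKLOAD_USERS.get(workload, set()):
            return False, f"user {user!r} not entitled to {dst_ip}:{port}"
        return True, "user entitled to workload"
    return True, "intra-zone" if src == dst else "zone rule match"


if __name__ == "__main__":
    flows = [  # constructed sample flows
        ("10.0.1.5", "10.0.2.8", 443, None),        # public -> internal web
        ("10.0.1.5", "10.0.3.10", 5432, "alice"),   # public -> records, no rule
        ("10.0.2.8", "10.0.3.10", 5432, "alice"),   # entitled user
        ("10.0.3.11", "10.0.3.10", 5432, "bob"),    # lateral move inside zone
    ]
    for flow in flows:
        print(flow, decide(*flow))
```

The last sample flow is the case coarse zoning alone would allow: both hosts sit in the same zone, and only the per-user workload check blocks it.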

Finally, one of the best ways to thwart multi-layer DDoS attacks is by adopting a multilayer approach to network security. That means that in addition to on-premises protection at the network perimeter, it’s important to protect cloud-based resources. That includes defense at Layers 3, 4, and 7, network-based encryption, and packet shaping for specific data and applications traversing the network.