It is no surprise that cybersecurity is a growing concern for the federal government. The most recent FISMA report reflects 77,000 successfully executed cyber incidents occurring in 2015, a number that has increased each year. Part of the growing challenge is due to the diverse and ever-expanding number of endpoints and data sources for agencies to secure, especially on government campuses. With this landscape as a backdrop, campus environments require a tailored approach to security and encryption due to their varied department needs and multiple physical locations. Here are traits to look for:
Built-In, Not Bolted-On, Security
Traditionally, security is bolted on at specific points in the network, an approach that works best when perimeters are clearly defined and each product is chosen to solve one specific problem. In many cases these point-product deployments are administered and modified in a silo, with no relation to end-to-end information delivery, which varies by task and by overall mission effectiveness. To protect data-in-flight on today’s government enterprises, encryption and other security services need to be built into the network so that protection is pervasive no matter where information travels. Overlooking this critical element of security means cyber criminals can compromise one security measure at the network edge and gain full access to sensitive resources.
Security Without Performance Degradation
Previously, implementing enterprise-wide in-flight encryption services has been a high-cost, low-performance proposition. In many cases, because of performance issues, administrators refuse to enable encryption in order to ensure a better user experience. In a survey of federal IT decision makers, 39 percent of respondents cited network performance as a top reason not to encrypt data, potentially leaving sensitive information vulnerable. Today this way of thinking is no longer valid. In-flight switching/routing solutions are available today that provide integrated hardware encryption services at rates of 44 Gbps and higher. In many cases this capability aligns well with enterprise consolidation efforts, where a single device can support both switching/routing and encryption that scales in parallel as bandwidth requirements increase.
Micro-segmentation to Accommodate Varying Security Needs
In a campus environment multiple departments share the same network, which complicates security. Sensitive data should only be accessible to the individuals who need it, especially as insider threats grow as a concern. IP security services can address this challenge with multiuser segmentation, applying tailored security protocols based on individual department needs. This secure micro-segmentation can be deployed either physically or virtually. Today we have the capability to apply encryption measures as close to the application as possible, using hardware-forwarded software containers that co-exist with local compute resources or with resources administered in the cloud. These capabilities are mature and should be part of an enterprise security strategy.
What’s Next: SDN
What’s next for security on campus networks? In many cases, the future is software-defined. The objective is to use software abstraction so that operators can make adjustments through comprehensive security policies. These policies can be deployed manually or automatically to optimize information delivery in a secure fashion. Administrators should not focus their attention on point-product features that prevent standardization and choice. Software-defined abstraction, from a security standpoint, enables policies to be applied enterprise-wide within heterogeneous environments. The next step will be for agencies to incorporate a software overlay that allows them to apply encryption instructions and changes across the entire campus, or multiple campuses, in just one step. Software will enable encryption as a service, making it possible to manage network products from numerous vendors through one application.
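To make the two ideas above concrete, department-based micro-segmentation and a single software-defined policy that governs encryption across every campus, here is an added example in Python. It is not code from the article or from any product the article describes; the department names, CIDR blocks, ports and sample flows are constructed for illustration. The model writes rules per department rather than per site, so one rule set covers both campuses, defaults to deny for anything unmatched, and lets one central threshold (`encrypt_at_or_above`) require encryption for every flow into segments at or above a given sensitivity, which is the "one step" change the text describes.

```python
"""Policy-as-code model of campus micro-segmentation with a central
encryption threshold. Added example; all names and addresses are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Ordered sensitivity labels (constructed for this example).
SENSITIVITY = {"public": 0, "internal": 1, "sensitive": 2}


@dataclass(frozen=True)
class Segment:
    department: str   # rules are written per department, not per site
    site: str         # physical campus that hosts this segment
    prefix: str       # CIDR block assigned to the department at this site
    sensitivity: str  # one of SENSITIVITY


@dataclass(frozen=True)
class Rule:
    src_dept: str
    dst_dept: str
    ports: Tuple[int, ...] = ()   # empty tuple means any port
    require_encryption: bool = False


class Policy:
    def __init__(self, segments: List[Segment], rules: List[Rule],
                 encrypt_at_or_above: str = "sensitive"):
        self.segments = segments
        self.rules = rules
        # Central control: every flow into a segment of this sensitivity
        # or higher must be encrypted, on every campus, regardless of rule.
        self.encrypt_at_or_above = encrypt_at_or_above

    def locate(self, ip: str) -> Optional[Segment]:
        """Longest-prefix match of an address to a segment, across all sites."""
        addr = ip_address(ip)
        best = None
        for seg in self.segments:
            net = ip_network(seg.prefix)
            if addr in net and (best is None or
                                net.prefixlen > ip_network(best.prefix).prefixlen):
                best = seg
        return best

    def _match(self, src_dept: str, dst_dept: str, port: int) -> Optional[Rule]:
        for rule in self.rules:
            if (rule.src_dept == src_dept and rule.dst_dept == dst_dept
                    and (not rule.ports or port in rule.ports)):
                return rule
        return None

    def evaluate(self, src_ip: str, dst_ip: str, port: int,
                 encrypted: bool) -> Tuple[str, str]:
        """Return ("allow"|"deny", reason) for one flow. Unmatched flows are denied."""
        src, dst = self.locate(src_ip), self.locate(dst_ip)
        if src is None or dst is None:
            return "deny", "address outside any known segment (default deny)"
        rule = self._match(src.department, dst.department, port)
        if rule is None:
            return "deny", f"no rule permits {src.department} -> {dst.department}:{port}"
        must_encrypt = (rule.require_encryption or
                        SENSITIVITY[dst.sensitivity] >= SENSITIVITY[self.encrypt_at_or_above])
        if must_encrypt and not encrypted:
            return "deny", f"encryption required into {dst.department}@{dst.site}"
        return "allow", f"{src.department}@{src.site} -> {dst.department}@{dst.site}:{port}"


def build_sample_policy() -> Policy:
    """Two campuses sharing one department-level rule set (constructed data)."""
    segments = [
        Segment("hr", "campus-a", "10.1.10.0/24", "sensitive"),
        Segment("hr", "campus-b", "10.2.10.0/24", "sensitive"),
        Segment("facilities", "campus-a", "10.1.20.0/24", "internal"),
        Segment("guest", "campus-a", "10.1.99.0/24", "public"),
    ]
    rules = [
        Rule("hr", "hr", (5432,)),            # HR database replication between campuses
        Rule("facilities", "hr", (443,)),     # facilities staff reach the HR web portal only
        Rule("hr", "facilities"),             # HR may reach facilities on any port
        # guest has no rules at all, so every guest flow is denied by default
    ]
    return Policy(segments, rules)


if __name__ == "__main__":
    policy = build_sample_policy()
    flows = [("10.1.10.5", "10.2.10.8", 5432, True), ("10.1.10.5", "10.2.10.8", 5432, False),
             ("10.1.20.7", "10.1.10.9", 443, True), ("10.1.20.7", "10.1.10.9", 22, True),
             ("10.1.99.3", "10.1.10.9", 443, True), ("10.1.10.5", "10.1.20.7", 80, False)]
    for f in flows:
        print(f, policy.evaluate(*f))
    policy.encrypt_at_or_above = "internal"   # one central change, applied to every site
    print("after threshold change:", policy.evaluate("10.1.10.5", "10.1.20.7", 80, False))
```

The last two lines are the point of the software-defined overlay: lowering the threshold from `sensitive` to `internal` is a single edit to the policy object, yet it changes the verdict for every unencrypted flow into an internal segment on both campuses without touching any per-site rule.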