Comment

Dispelling the myth of 'perfect' security

Shutterstock image: connecting individuals to one another through an access point.

Because governments are the most-attacked organizations in the world, there has been broad recognition that the old approaches to security, based on the impossible premise that security must be perfect, aren't working, and a new approach, based on the premise that security doesn't have to be perfect to still be successful, is needed.

The Defense Department in particular has depended on physical segmentation to protect itself. DOD workers often have multiple workstations on their desks -- one for each level of sensitivity of data they access. A workstation for highly sensitive data is physically isolated from networks used by a broader base of users. Although such an approach was useful in the past, it has become cumbersome and expensive. And it blocks the use of efficient new technologies such as mobile and cloud.

Enter micro-segmentation, a new approach to security that uses software to create a series of cryptographically smaller networks much as we used to do by housing them in separate buildings or boxes. The identity-driven solution allows administrators to create smaller and smaller "communities of interest" -- groups of people who need to access and share specific types of information for short or extended periods of time.

For instance, a segment of users established to access human resources data could be further segmented to restrict access to data on U.S-based employees. It could then be further segmented for access only to information on employees based in a particular U.S. state. And so on.

By enforcing segmentation with encryption at the packet level, we can ensure that those outside a given micro-segment cannot access it or even see that it exists.

If adversaries are able to infiltrate a micro-segment -- as they inevitably will -- the damage would be contained to that small part of the organization. Adversaries would be unable to move laterally and attack other segments. That breaks the "kill chain" and could mean the difference between a manageable incident and a national catastrophe.

The micro-segmentation approach offers numerous advantages for DOD agencies, which must respond to constantly changing mission requirements and conditions.

Think about the following scenario, for example: The White House authorizes a joint military operation with Russia in Syria. Military leaders are told only hours ahead of time that they must have the capability to share critical data with Russian forces, but only for the one-day duration of the mission.

A software-based micro-segmentation approach would allow them to set up identity-based communities of interest quickly and efficiently, and then just as easily pull the plug when the mission has been completed.

And the benefits extend beyond DOD. In the case of a natural disaster, an agency could create a micro-segment that includes its own first responders and those from civilian rescue agencies, local governments and medical facilities. When the operation is over, the community of interest can be terminated.

Aside from the security benefits, the approach saves money by eliminating the need for separate networks, infrastructure and hardware. It can also mitigate insider threats by ensuring that employees' access to data and systems is restricted to the communities of interest to which they belong.

Micro-segmentation will not eliminate the threat of cyberattacks, but it will ensure that when bad actors find their way in, their access is limited to a small segment of the organization's data. And that can keep a problematic incident from becoming a headline-grabbing catastrophe.

In other words, micro-segmentation is built for today's environments -- and tomorrow's.

About the Authors

Maj. Gen. Jennifer Napper (retired) is group vice president for the Department of Defense and Intelligence group at Unisys Federal.

Tom Patterson is chief trust officer at Unisys.

The Fed 100

Read the profiles of all this year's winners.

Featured

  • Then-presidential candidate Donald Trump at a 2016 campaign event. Image: Shutterstock

    'Buy American' order puts procurement in the spotlight

    Some IT contractors are worried that the "buy American" executive order from President Trump could squeeze key innovators out of the market.

  • OMB chief Mick Mulvaney, shown here in as a member of Congress in 2013. (Photo credit Gage Skidmore/Flickr)

    White House taps old policies for new government makeover

    New guidance from OMB advises agencies to use shared services, GWACs and federal schedules for acquisition, and to leverage IT wherever possible in restructuring plans.

  • Shutterstock image (by Everett Historical): aerial of the Pentagon.

    What DOD's next CIO will have to deal with

    It could be months before the Defense Department has a new CIO, and he or she will face a host of organizational and operational challenges from Day One

  • USAF Gen. John Hyten

    General: Cyber Command needs new platform before NSA split

    U.S. Cyber Command should be elevated to a full combatant command as soon as possible, the head of Strategic Command told Congress, but it cannot be separated from the NSA until it has its own cyber platform.

  • Image from Shutterstock.

    DLA goes virtual

    The Defense Logistics Agency is in the midst of an ambitious campaign to eliminate its IT infrastructure and transition to using exclusively shared, hosted and virtual services.

  • Fed 100 logo

    The 2017 Federal 100

    The women and men who make up this year's Fed 100 are proof positive of what one person can make possibile in federal IT. Read on to learn more about each and every winner's accomplishments.

Reader comments

Tue, Aug 9, 2016 Unisys Security

"How does your micro-segmentation plan deal with retention of essential records and data?"

Thanks for your question Fred. Unisys Stealth implements microsegmentation such that any essential records and data can be protected on any system, by limiting access to all but authorized individuals. Stealth can hide and protect both databases and database instances, which is important since essential records today are often copied and replicated in far flung reaches of an enterprise. Since Stealth works at the packet level, it augments any application level security which may be employed specify for a retention plan (fingerprinting, checksumming, etc). In short, Stealth limits the access from both external and internal vectors, thus greatly strengthening any retention plan. In fact, just last week Stealth was used to protect and retain data in a University sponsored ‘Capture the Flag’ contest with most law enforcement and military groups serving as attackers, and despite offering the highest prize, the Stealth protected data was untouched throughout the contest.

Thu, Jul 28, 2016 Fred GREVIN New York City

How does your micro-segmentation plan deal with retention of essential records and data?

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group