Dispelling the myth of 'perfect' security

Shutterstock image: connecting individuals to one another through an access point.

Because governments are the most-attacked organizations in the world, there has been broad recognition that the old approaches to security, based on the impossible premise that security must be perfect, aren't working, and a new approach, based on the premise that security doesn't have to be perfect to still be successful, is needed.

The Defense Department in particular has depended on physical segmentation to protect itself. DOD workers often have multiple workstations on their desks -- one for each level of sensitivity of data they access. A workstation for highly sensitive data is physically isolated from networks used by a broader base of users. Although such an approach was useful in the past, it has become cumbersome and expensive. And it blocks the use of efficient new technologies such as mobile and cloud.

Enter micro-segmentation, a new approach to security that uses software to create a series of cryptographically smaller networks much as we used to do by housing them in separate buildings or boxes. The identity-driven solution allows administrators to create smaller and smaller "communities of interest" -- groups of people who need to access and share specific types of information for short or extended periods of time.

For instance, a segment of users established to access human resources data could be further segmented to restrict access to data on U.S-based employees. It could then be further segmented for access only to information on employees based in a particular U.S. state. And so on.

By enforcing segmentation with encryption at the packet level, we can ensure that those outside a given micro-segment cannot access it or even see that it exists.

If adversaries are able to infiltrate a micro-segment -- as they inevitably will -- the damage would be contained to that small part of the organization. Adversaries would be unable to move laterally and attack other segments. That breaks the "kill chain" and could mean the difference between a manageable incident and a national catastrophe.

The micro-segmentation approach offers numerous advantages for DOD agencies, which must respond to constantly changing mission requirements and conditions.

Think about the following scenario, for example: The White House authorizes a joint military operation with Russia in Syria. Military leaders are told only hours ahead of time that they must have the capability to share critical data with Russian forces, but only for the one-day duration of the mission.

A software-based micro-segmentation approach would allow them to set up identity-based communities of interest quickly and efficiently, and then just as easily pull the plug when the mission has been completed.

And the benefits extend beyond DOD. In the case of a natural disaster, an agency could create a micro-segment that includes its own first responders and those from civilian rescue agencies, local governments and medical facilities. When the operation is over, the community of interest can be terminated.

Aside from the security benefits, the approach saves money by eliminating the need for separate networks, infrastructure and hardware. It can also mitigate insider threats by ensuring that employees' access to data and systems is restricted to the communities of interest to which they belong.

Micro-segmentation will not eliminate the threat of cyberattacks, but it will ensure that when bad actors find their way in, their access is limited to a small segment of the organization's data. And that can keep a problematic incident from becoming a headline-grabbing catastrophe.

In other words, micro-segmentation is built for today's environments -- and tomorrow's.

About the Authors

Maj. Gen. Jennifer Napper (retired) is group vice president for the Department of Defense and Intelligence group at Unisys Federal.

Tom Patterson is chief trust officer at Unisys.

Rising Stars

Meet 21 early-career leaders who are doing great things in federal IT.


  • SEC Chairman Jay Clayton

    SEC owns up to 2016 breach

    A key database of financial information was breached in 2016, possibly in support of insider trading, said the Securities and Exchange Commission.

  • Image from

    DOD looks to get aggressive about cloud adoption

    Defense leaders and Congress are looking to encourage more aggressive cloud policies and prod reluctant agencies to embrace experimentation and risk-taking.

  • Shutterstock / Pictofigo

    The next big thing in IT procurement

    Steve Kelman talks to the agencies that have embraced tech demos in their acquisition efforts -- and urges others in government to give it a try.

  • broken lock

    DHS bans Kaspersky from federal systems

    The Department of Homeland Security banned the Russian cybersecurity company Kaspersky Lab’s products from federal agencies in a new binding operational directive.

  • man planning layoffs

    USDA looks to cut CIOs as part of reorg

    The Department of Agriculture is looking to cut down on the number of agency CIOs in the name of efficiency and better communication across mission areas.

  • What's next for agency cyber efforts?

    Ninety days after the Trump administration's executive order, FCW sat down with agency cyber leaders to discuss what’s changing.

Reader comments

Tue, Aug 9, 2016 Unisys Security

"How does your micro-segmentation plan deal with retention of essential records and data?"

Thanks for your question Fred. Unisys Stealth implements microsegmentation such that any essential records and data can be protected on any system, by limiting access to all but authorized individuals. Stealth can hide and protect both databases and database instances, which is important since essential records today are often copied and replicated in far flung reaches of an enterprise. Since Stealth works at the packet level, it augments any application level security which may be employed specify for a retention plan (fingerprinting, checksumming, etc). In short, Stealth limits the access from both external and internal vectors, thus greatly strengthening any retention plan. In fact, just last week Stealth was used to protect and retain data in a University sponsored ‘Capture the Flag’ contest with most law enforcement and military groups serving as attackers, and despite offering the highest prize, the Stealth protected data was untouched throughout the contest.

Thu, Jul 28, 2016 Fred GREVIN New York City

How does your micro-segmentation plan deal with retention of essential records and data?

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group