Dispelling the myth of 'perfect' security

Shutterstock image: connecting individuals to one another through an access point.

Because governments are the most-attacked organizations in the world, there has been broad recognition that the old approaches to security, based on the impossible premise that security must be perfect, aren't working, and a new approach, based on the premise that security doesn't have to be perfect to still be successful, is needed.

The Defense Department in particular has depended on physical segmentation to protect itself. DOD workers often have multiple workstations on their desks -- one for each level of sensitivity of data they access. A workstation for highly sensitive data is physically isolated from networks used by a broader base of users. Although such an approach was useful in the past, it has become cumbersome and expensive. And it blocks the use of efficient new technologies such as mobile and cloud.

Enter micro-segmentation, a new approach to security that uses software to create a series of cryptographically smaller networks much as we used to do by housing them in separate buildings or boxes. The identity-driven solution allows administrators to create smaller and smaller "communities of interest" -- groups of people who need to access and share specific types of information for short or extended periods of time.

For instance, a segment of users established to access human resources data could be further segmented to restrict access to data on U.S-based employees. It could then be further segmented for access only to information on employees based in a particular U.S. state. And so on.

By enforcing segmentation with encryption at the packet level, we can ensure that those outside a given micro-segment cannot access it or even see that it exists.

If adversaries are able to infiltrate a micro-segment -- as they inevitably will -- the damage would be contained to that small part of the organization. Adversaries would be unable to move laterally and attack other segments. That breaks the "kill chain" and could mean the difference between a manageable incident and a national catastrophe.

The micro-segmentation approach offers numerous advantages for DOD agencies, which must respond to constantly changing mission requirements and conditions.

Think about the following scenario, for example: The White House authorizes a joint military operation with Russia in Syria. Military leaders are told only hours ahead of time that they must have the capability to share critical data with Russian forces, but only for the one-day duration of the mission.

A software-based micro-segmentation approach would allow them to set up identity-based communities of interest quickly and efficiently, and then just as easily pull the plug when the mission has been completed.

And the benefits extend beyond DOD. In the case of a natural disaster, an agency could create a micro-segment that includes its own first responders and those from civilian rescue agencies, local governments and medical facilities. When the operation is over, the community of interest can be terminated.

Aside from the security benefits, the approach saves money by eliminating the need for separate networks, infrastructure and hardware. It can also mitigate insider threats by ensuring that employees' access to data and systems is restricted to the communities of interest to which they belong.

Micro-segmentation will not eliminate the threat of cyberattacks, but it will ensure that when bad actors find their way in, their access is limited to a small segment of the organization's data. And that can keep a problematic incident from becoming a headline-grabbing catastrophe.

In other words, micro-segmentation is built for today's environments -- and tomorrow's.

About the Authors

Maj. Gen. Jennifer Napper (retired) is group vice president for the Department of Defense and Intelligence group at Unisys Federal.

Tom Patterson is chief trust officer at Unisys.

Rising Stars

Meet 21 early-career leaders who are doing great things in federal IT.


Reader comments

Tue, Aug 9, 2016 Unisys Security

"How does your micro-segmentation plan deal with retention of essential records and data?"

Thanks for your question Fred. Unisys Stealth implements microsegmentation such that any essential records and data can be protected on any system, by limiting access to all but authorized individuals. Stealth can hide and protect both databases and database instances, which is important since essential records today are often copied and replicated in far flung reaches of an enterprise. Since Stealth works at the packet level, it augments any application level security which may be employed specify for a retention plan (fingerprinting, checksumming, etc). In short, Stealth limits the access from both external and internal vectors, thus greatly strengthening any retention plan. In fact, just last week Stealth was used to protect and retain data in a University sponsored ‘Capture the Flag’ contest with most law enforcement and military groups serving as attackers, and despite offering the highest prize, the Stealth protected data was untouched throughout the contest.

Thu, Jul 28, 2016 Fred GREVIN New York City

How does your micro-segmentation plan deal with retention of essential records and data?

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group