IT professionals in the federal government face an uphill battle of securing sensitive information while allowing employees to be productive – all within an environment of limited spending. In the midst of this monumental task, Dell Software recently published a survey to shed light on cybersecurity practices within the federal ranks.
“Dell was motivated to survey IT and security professionals in the federal government in order to examine how these conflicting goals are managed and reveal opportunities to enhance federal cybersecurity,” says Paul Christman, executive director of federal sales for Dell Software. And the results? Read on to find out.
WashingtonExec: What do recent security breaches at the IRS and OPM suggest?
Paul Christman: Recent incidents at agencies from the IRS to OPM have made it clear that passwords and insufficient access management efforts are at the root of many of government’s security issues. Though the public sector has made strides when it comes to strengthening its security posture, these incidents attest to the fact that identity is at the heart of the issue when it comes to cybersecurity, suggesting that agencies need to prioritize identity and access management.
WashingtonExec: What did the survey reveal? What was most surprising about the survey results?
Paul Christman: The survey revealed that common security processes often limit employee productivity and force employees to find workarounds that expose organizations to greater risk. This is particularly problematic in the federal space, where robust security is of utmost importance.
Results also pointed to a need for context-aware security. Context-aware security enhances common access management practices by using previously unrelated points of risk data to evaluate risk and inform real-time decisions and security enforcement. Though nearly all survey respondents acknowledged the benefits associated with a context-aware approach to security, among the most surprising findings was the fact that lack of awareness of the need for context-aware security was identified as the greatest barrier to implementation.
WashingtonExec: Can you explain in more detail what context aware security is and why agencies should implement this approach?
Paul Christman: A context-aware approach to security replaces static access processes by evaluating the context surrounding each access request, and adapting security requirements accordingly, delivering the level of security necessary in an ever-changing threat landscape. Context-aware security empowers organizations throughout government to prioritize and address security threats in real time and improve worker productivity without sacrificing security, allowing agencies to more effectively meet their missions.
According to the survey, 97 percent of federal respondents expect to benefit from replacing static access processes with a context-aware security approach. Anticipated benefits included the ability to address changing security needs in real-time (61%), assess threats based on potential level of harm (58%) and gain visibility into the context when assessing risk (58%). In the same vein, 97 percent of respondents stated that a lack of context-aware security makes it difficult to quickly address changing security needs (68%) and unnecessarily impacts employee productivity (47%).
WashingtonExec: What are the teachable moments/practical next steps for agencies and contractors, respectively, based on the survey’s findings?
Paul Christman: It’s undeniable that federal IT professionals and the federal government as a whole continue to struggle with security. If I had to distill the entire survey into a single, practical takeaway I would say that it revealed that a context-aware approach to security has the potential to vastly improve security and productivity within the public sector.
According to survey respondents, lack of awareness surrounding the need for context-aware security is the greatest barrier to implementation. In light of these findings, agencies and contractors alike should work to understand how a context-aware security would benefit their organization and talk to their security providers about implementing such a solution.
WashingtonExec: According to the survey, 89 percent of respondents say security is prioritized over employee convenience. Why do you consider this to be an issue?
Paul Christman: While security is undoubtedly important, overlooking employee convenience can actually have a negative impact on security. If security is onerous and burdensome, too often necessary practices are avoided and worked around, opening agencies up to a countless number of risks. In response to the survey, 97 percent of federal respondents indicated they have to deal with multiple login/password combinations on a daily basis, creating a productivity barrier, particularly when they forget those logins.
To move forward and enhance security, organizations need to balance the right level of security and employee productivity. Context-aware security resolves issues caused by the use of multiple passwords and mismanagement of access by focusing on the context of the access request to ensure it is appropriate in real time. For example, if a user is accessing information they regularly use to do their job from their office at 2:00 p.m., a low level of security will be required in a context-aware security environment. However, if a user is attempting to access information from a foreign location at 2:00 a.m., the action will be flagged and additional layers of security can be added.
WashingtonExec: What areas of security improvement do you view as encouraging signs? What work is there left to do?
Paul Christman: There have been many encouraging signs of security improvement in the federal space. In the wake of federal CIO Tony Scott’s 30-Day Cyber Sprint, 14 major civilian agencies surpassed the goal of 75 percent strong authentication and several agencies hit 100 percent for privileged users alone. Such significant progress in just one month is impressive and it points to agencies’ abilities to successfully put effective security measures in place.
In order to keep up the pace, federal agencies need to look beyond IAM and implement a context-aware approach to security and increase end-to-end security capabilities from immediately patching vulnerabilities to taking advantage of next-gen firewalls.
While cyber threats cannot be eliminated entirely, context-aware security and a holistic, end-to-end approach can go a long way in mitigating risk and preparing for threats.