How State & Local Government Can Navigate the Cloud Generation
Industry Perspective
Executive Summary
Technology has transformed the way state and local governments serve constituents, enabling access to key services such as healthcare, public safety and transportation. Government has entered the cloud generation, a time when an array of connected devices power government/constituent interactions and data is readily accessible through cloud platforms. Although the proliferation of apps and devices has enabled state and local governments to better meet constituent demands, security remains a challenge. Determined hackers, coupled with the expanding adoption of cloud applications and mobile workforce devices, are forcing state and local governments to find new ways to protect their systems and information from increasingly sophisticated cyberthreats. In the cloud generation, state and local agencies need holistic cloud security strategies to protect data and respond quickly to breaches.
To learn how state and local governments can create a stronger cyber posture with improved cloud security plans, GovLoop sat down with these experts from Symantec, a leader in cybersecurity solutions:
• John Barrett, Manager of System Engineering, Public Sector, SLED
• Renault Ross, Strategist for State and Local Education
• Fred Unterberger, Senior Director, Systems Engineering, Public Sector
In this industry perspective, you’ll learn how state and local agencies can combine threat intelligence, holistic solutions portfolios and managed security services into a complete cloud security strategy. With the right plan, state and local governments can not only defend themselves against evolving cyberthreats, they can also thrive in the cloud generation.
The Challenges Facing Generation Cloud
For state and local governments, the cloud can be a chaotic place. As citizen demands increase, so does governments’ need to provide openness and accessibility. At the same time, this opens government up to new complexities and vulnerabilities. First, employees demand flexibility and access wherever they are. They want their workplaces to provide mobile desktops and bring-your-own-device policies that allow them to easily work from anywhere using their personal smart devices. Additionally, agencies must provide contractors and consultants with access to reliable and automated systems, even as they work offsite. But such mobility puts an agency’s most sensitive data at risk, especially when contractor systems have a weaker security posture than government.
At the same time, cyberattacks are growing in both volume and sophistication. Symantec’s latest Internet Security Threat Report indicates that the public sector is at high risk of targeted attacks, and that the average number of user identities exposed per breach in the government sector is approximately 1.6 million. That makes it even harder for agencies to protect their networks’ increasing diversity.
To address security issues, agencies often turn to individual cloud platforms and tools for each challenge. For instance, they may identify a cloud solution to meet their employee mobility needs while considering a separate approach for their security needs.
But this leads to management issues for agencies. Information technology personnel have to monitor multiple systems to maintain network visibility and security, even as they face dwindling labor and budgetary resources. Moreover, these systems often don’t tell the full story of what’s happening in a network because they aren’t effectively integrated. Integration, however, would take significantly more resources, when it’s possible at all. Agencies simply need a better way to maintain performance standards, meet user needs and secure their infrastructure.
The Answer: A Holistic Cloud Security Plan
To survive and thrive in the cloud generation, agencies need a holistic cloud security plan. This comprehensive strategy can deliver an integrated set of compliance and security services to unify access governance while also protecting an agency’s enterprise. That way, state and local agencies can ensure that they are not only protecting vital information, but also enabling their employees to keep up with citizen demands while delivering efficient and better services.
A holistic cloud security plan comprises three critical components: threat intelligence, a well-rounded portfolio of services and managed security services. First, to address and understand the cyberthreats in the landscape, cyber professionals need context for where and how those threats evolve. In other words, they need threat intelligence – organized, analyzed and refined information about potential or even current attacks that can threaten an organization.
The primary purpose of threat intelligence is to help organizations understand the most common and severe cyberrisks while identifying internal threats and external threats, such as malware or phishing attacks. Such information gives cyber and IT teams the understanding and context they need to identify cyberattackers and cyberthreats that can harm state and local agencies.
But threat intelligence alone does not address the challenge of disparate cloud solutions. In addition to securing networks, agencies have to worry about unifying access policies and cloud standards, making sure cloud solutions comply with strict government regulations. That’s why a comprehensive solutions portfolio is an essential part of a holistic cloud security plan. Rather than purchasing different cloud solutions for each security need, agencies can create a single solutions portfolio that meets all their cloud needs.
Finally, agencies may need extra guidance on using threat intelligence and cloud portfolios. Instead of leaving agency personnel to figure out their new cloud products and services on their own, managed security services from third parties can provide real-time guidance from subject-matter experts. This makes agency cyberteams better equipped and prepared to identify cyberthreats and counter any potential cyberattacks through their cloud solutions.
By integrating threat intelligence, a holistic portfolio of services and managed security services, state and local agencies stand a better chance of keeping information secure while reaping the benefits of the cloud generation. Each component, however, requires further analysis to understand how it can enhance an agency’s cloud security plan.
Component 1: Threat Intelligence Networks & Data Loss Prevention
The ideal holistic cloud security plan requires a threat intelligence network that helps agencies automatically detect and analyze evolving cyberthreats and weaknesses in an agency’s cyber posture. Threat intelligence networks, combined with data loss prevention (DLP), can protect an agency by detecting suspicious human behavior or cyber incidents and quickly recovering lost or stolen data. To put it simply, threat intelligence networks can help an agency monitor and combat external, malicious cyberthreats, while DLP can help with malicious or unintentional insider threats.
Global Intelligence Network
Traditional security solutions often identify threats only as they hit the enterprise. Trying to keep pace with evolving cyber techniques and aggregate threat data from numerous sources makes identifying relevant threats and prioritizing mitigation actions difficult. A global intelligence network (GIN) enables agencies to implement a more proactive security policy while helping better mitigate cyberattacks.
“Imagine an adversary was instituting an attack but you have your vendor with a GIN sitting side-by-side with you,” Symantec’s Barrett said. “You’re able to put up defenses as attacks are happening. Since the GIN allows you to know the adversary, you can already predict the types of attacks and how many times they will attempt to breach your agency. It gives you a real edge.”
Symantec’s GIN provides a massive archive of security data that can help personnel monitor, analyze and process security events in real time, rather than running damage control against already-executed cyberattacks. The network offers visibility into empirical, real-world customer data from enterprises, other consumers and other cloud users. This helps agencies identify the most common forms of external cyberattacks so that cyber personnel can better tackle them.
Data Loss Prevention
Threat intelligence can also inform your data strategies because you’ll know what data needs protecting from which types of attacks. But data use and handling policies for meeting regulatory compliance requirements, privacy regulations and intellectual property protection are ineffective without a means to enforce them. For state and local agencies, there’s no room for error in compliance. By automating the process, DLP can help agencies secure networks, meet compliance standards and address insider threats.
“Technologies like DLP help automate the analysis of huge amounts of data for these security systems,” Symantec’s Unterberger said. “This helps a human analyst query the data from all those different systems without having to manually dig around as much.”
DLP suites are solutions that cover data at rest, in motion and in use. They address multiple channels of data loss (e.g., email, endpoints, network, cloud and mobile). DLP coupled with the cloud can help agencies discover sensitive data in cloud apps and gain visibility and control over all types of content. Additionally, agencies can leverage existing DLP policies and workflows for cloud apps without having to rewrite rule sets. A single DLP console allows control of multiple policies and workflows whether they’re from cloud apps, endpoints or data centers. This means even agency case workers can have peace of mind when working with vital information in the field using mobile apps or devices.
The ideal DLP suite in the cloud allows agencies to:
• Discover shadow IT. Agencies can identify and audit cloud services in use and analyze application risk levels.
• Detect and mitigate risky user activity. Governments can leverage user behavior analytics to control potentially malicious actions and threats.
• Protect against risk of exposure. Officials gain granular visibility and control over user access and transactions with data in cloud apps.
• Investigate cloud incidents. IT workers can monitor cloud events through log data and intuitive user interfaces.
Combining a GIN with DLP in the cloud can help state and local agencies address many cloud security incidents and automate the analysis of them. Most importantly, this means agencies can take a more proactive approach to security.
Component 2: Holistic Solutions Portfolio
The federal government has enough of a challenge finding the most comprehensive and cost-efficient solutions to manage its cloud security needs. For state and local agencies, integrating threat intelligence, proactive threat response and a variety of features into one holistic strategy while finding supportive solutions can be an even larger feat. Governance, risk and compliance (GRC), a coordinated strategy for managing those three broad issues at once, is another consideration. That’s where a holistic solutions portfolio can help.
“By managing governance, risk, and compliance holistically, agencies can reduce risk and drive efficiency.”
Renault Ross, Strategist for State & Local Education, Symantec
“By managing GRC holistically, agencies can reduce risk and drive efficiency,” Symantec’s Ross said. “It also makes it even more difficult for bad people to get into your systems.” The Symantec Control Compliance Suite (CCS), for example, delivers several integrated solutions and core assessment technologies to enable security and compliance programs, and to support IT operations in the data center. CCS offers features such as asset auto-discovery; automates security assessments across procedural, technical and third-party controls; and calculates and aggregates risk scores according to business-defined thresholds. State and local agencies can use risk scores for operation and mandate-based reporting and to prioritize remediation and risk education in their data centers. There are five CCS modules that can be used independently or as part of a broader suite:
• Standards manager. Assesses the security of technical controls. Agencies can discover and identify rogue and misconfigured assets, detect configuration errors and evaluate whether systems’ security meets standards.
• Assessment manager. Assesses the procedural controls. Agencies can use this feature to automate the evaluation of controls governing employee behavior, improve employee awareness and address security training.
• Policy manager. Delivers security policy lifecycle management. Agencies can map assets to controls, standards and regulatory mandates, and make sure their security features comply with regulations.
• Vendor risk manager. Assesses third-party service providers and applications. Agencies can use this feature to secure onboarding and offboarding of critical suppliers, execute a sustainable security assessment program for third-party suppliers and enable program management of data breaches and incident response.
• Risk manager. Calculates and aggregates risk scores for remediation and risk reduction. Agencies can better align security and compliance operations with business priorities by defining risks according to business thresholds; mapping risks to assets, controls and owners; and calculating and aggregating risk scores.
A solutions portfolio, such as Symantec’s CCS, unifies cloud solutions to make a cloud security plan more holistic. With a cloud suite, agencies don’t have to worry about securing and regulating disparate solutions and services.
Component 3: Managed Security Services
State and local agencies may have an especially difficult time managing and understanding their cyber solutions and strategies in the cloud. “Some of the smaller states and localities suffer from not being able to acquire the talent or the budget needed to support the right solutions,” Barrett said. “Managed security solutions are a great way to supplement where agencies lack.”
A team of third-party vendors can help manage the newly acquired cloud products and platforms, and identify agency weaknesses and vulnerabilities. Because these professionals hold in-depth knowledge about the products, they can help agency staff use them most effectively. Managed services can help agencies prevent data breaches and even prioritize where they need to spend funds to strengthen their cyber posture. With solutions such as Symantec’s Managed Security Services, agencies can minimize the effect of a cyberattack using 24-hour monitoring by threat landscape experts.
When bringing on a team for managing security services, agency leaders can work closely with service managers and their analyst teams to:
• Get personalized service within the security environment.
• Discuss security strategy, goals and cybersecurity posture.
• Correlate alerts from the environment with insights from the global threat landscape.
• Proactively hunt for threats.
When you combine threat intelligence with a holistic portfolio of services, managed services are key to helping your agency correctly and efficiently use the tools and data at your disposal. Rather than addressing cyberattacks after they happen, agencies can combine the trio as part of their cloud security plan to proactively identify cyberthreats and risks, and address cyber incidents in real time.
Conclusion
The cloud generation can be a chaotic place for state and local governments. Cloud apps and devices have strengthened government/constituent interactions, but security remains a challenge. A holistic cloud security plan can help agencies navigate this new generation. This plan entails threat intelligence — including a Global Intelligence Network and Data Loss Prevention suite in the cloud — a holistic portfolio of services and managed security services to help staff properly use such tools. Symantec offers the three critical components to help your agency deploy a comprehensive cloud security plan to make the most of the cloud generation while protecting against the most advanced cyberthreats out there.
About Symantec
Symantec helps federal agencies develop and implement comprehensive and resilient security strategies to reduce risk and meet Cross-Agency Priority Goals, the NIST Cybersecurity Framework, the Joint Information Environment and other federal mandates.
Learn more at www.symantec.com
About GovLoop
GovLoop’s mission is to “connect government to improve government.” We aim to inspire public-sector professionals by serving as the knowledge network for government. GovLoop connects more than 250,000 members, fostering cross-government collaboration, solving common problems and advancing government careers. GovLoop is headquartered in Washington, D.C., with a team of dedicated professionals who share a commitment to connect and improve government.
For more information about this report, please reach out to info@govloop.com.
1152 15th St. NW, Suite 800 Washington, DC 20005 (202) 407-7421 www.govloop.com @govloop