After a spate of data breaches compromised over 6.6 million records from the U.S. Postal Service to the White House, media outlets dubbed 2014 “The Year of the Data Breach.”
Then, 2015 showed us that distinction was premature. Since early October 2015, a record 33.8 million records were exposed through numerous breaches, most notably the breach of the Office of Personnel Management (OPM). Although some of this may be attributable to user error, we must ask whether our dependence on legacy technology is to blame.
A perennial issue for the government, and one that directly contributed to the OPM breach, is its reliance on legacy technology well beyond its useful life. Since more than 70 percent of the total annual federal IT budget is spent on maintaining these legacy infrastructures, little room is left for innovation.
Federal data centers are rife with legacy three-tier architectures that require modern security capabilities to be bolted on, like accessories. How can we effectively protect our nation’s critical data by pasting a security façade on porous, brittle legacy technology?
How Did We Get Here?
Current procurement practices and budget cycle obstacles limit an agency’s ability to move away from the “norm,” leading to a cycle of doing and buying the same thing over and over. This is perpetuated by the now-annual continuing resolution period, which restricts agencies to purchasing only what they’ve always purchased—to maintain the status quo—and prohibits new investments.
From a security perspective, agencies are often unwilling to integrate anything new into their environments, even though there are companies bringing innovative products to market that comply with Common Criteria, FIPS, and TAA, among other certifications required for consideration in the federal marketplace.
Another contributing factor is the expensive and arduous certification and accreditation (C&A) process, which can take as long as six to nine months and cost hundreds of thousands of dollars in man-hours and lost productivity. C&A, by definition, produces a snapshot of compliance—a single point-in-time when all the dials were in the right places.
the thumbs-up? Does this process really have an impact on improving data and infrastructure security? Compliance checks similarly evaluate a point-in-time status of a system. We have essentially created a system of snapshot compliance, in a world where attacks are constant.
Finally, technology procurements are still evaluated and executed according to silos of compute, storage, networking and security, despite the availability of modern, proven technologies that converge these elements into a single platform. Purchasing and installing security as a separate line item on a PO is a major contributor to security vulnerabilities. This has been the approach for the last 25 years, but we cannot afford to let it continue—those that mean to do us harm are innovating like there’s no tomorrow.
Fixing The Problem
While there is no silver bullet solution to this issue, vendors have an obligation to be part of the solution by ensuring critical features are natively incorporated throughout the product development cycle.
By offering solutions that are secure by design, vendors let agencies rely on the technology to function as intended with minimal oversight or time investment. This would significantly reduce the time requirements associated with the C&A process and enable agencies to deploy mission-critical solutions—both emerging and traditional—much faster than ever before. Additionally, vendors should take the following steps to enhance security:
• Increase agility, decrease response time
Publicly disclosed Common Vulnerabilities and Exposures (CVEs) have long been known to be among the most exploited weaknesses, because agencies are frequently not agile enough to address them. In many cases, vendors do not proactively monitor these disclosed vulnerabilities and are unaware that such deficiencies exist until a breach occurs. Agencies should expect vendors to deliver solutions that are production ready out of the box, addressing common vulnerabilities proactively to mitigate the threat landscape, and to continually monitor and address these vulnerabilities as new threats emerge. This is an inherent vendor responsibility that few, if any, accept as theirs to address.
• Native hardening of all code and dependencies
Rarely is a product or solution delivered with 100 percent natively written code that is hardened from the first boot. In almost every case, there are dependencies on open source and third-party components that make up more than half of the code provided in a solution. Most development lifecycles never include the inspection and proper configuration of these dependencies to harden them for use in production environments, leaving agencies to perform time-consuming security testing and quality assurance for vendors in the field. Agencies should expect the technology they consume to inherently address the proper modifications and configurations of all open source and third-party components that are provided in generally available products.
• Benefits of a machine-readable Security Technical Implementation Guide (STIG)
The traditional C&A process requires an agency to manually verify compliance, line by line, against DISA STIGs, a time-consuming process that’s vulnerable to human error. However, this pain can be avoided when vendors take a proactive security posture and work together with DISA to create an embedded STIG that ships out of the box, fully compliant with DISA controls. Not only does an embedded machine-readable STIG turn many days of manual verification into a five-minute compliance report printout, but it also enables a continuously monitored security baseline. This inherent feature allows agencies to move past a point-in-time snapshot of security compliance to a continuously monitored and enforced security posture, helping to protect against real-time threats that are growing daily.
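As an added illustration, not taken from the article or from any DISA tooling, of what a machine-readable baseline buys over a point-in-time snapshot: the rules are data rather than prose, the same rules are re-evaluated on every run, and comparing two runs exposes drift. The rule IDs and the sshd_config-style settings are constructed placeholders.

```python
# Constructed rule set: machine-readable checks instead of prose to verify by hand.
# Rule IDs are placeholders, not real DISA STIG identifiers.
RULES = [
    {"id": "RULE-001", "title": "Root login over SSH disabled",
     "key": "PermitRootLogin", "expect": "no"},
    {"id": "RULE-002", "title": "Password authentication disabled",
     "key": "PasswordAuthentication", "expect": "no"},
    {"id": "RULE-003", "title": "Authentication attempts bounded",
     "key": "MaxAuthTries", "expect_max": 4},
]

def parse_config(text):
    """Parse 'Key value' lines (sshd_config style); comments and blanks are ignored."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        cfg[key] = value.strip()
    return cfg

def evaluate(rules, cfg):
    """Return {rule_id: (passed, actual_value)}; a missing setting counts as a failure."""
    report = {}
    for rule in rules:
        actual = cfg.get(rule["key"])
        if actual is None:
            passed = False
        elif "expect" in rule:
            passed = actual.lower() == rule["expect"]
        else:
            passed = actual.isdigit() and int(actual) <= rule["expect_max"]
        report[rule["id"]] = (passed, actual)
    return report

def drift(baseline, current):
    """Rule ids that passed in the baseline report but fail in the current one."""
    return sorted(rid for rid, (ok, _) in current.items()
                  if not ok and baseline.get(rid, (False, None))[0])

# Constructed sample configurations: as shipped, and after an operator change.
SHIPPED = "PermitRootLogin no\nPasswordAuthentication no  # keys only\nMaxAuthTries 4\n"
CHANGED = "PermitRootLogin yes\nMaxAuthTries 4\n"

def compliance_summary(text):
    """(passing rules, total rules) for one configuration snapshot."""
    report = evaluate(RULES, parse_config(text))
    return sum(ok for ok, _ in report.values()), len(report)

if __name__ == "__main__":
    base = evaluate(RULES, parse_config(SHIPPED))
    now = evaluate(RULES, parse_config(CHANGED))
    print("shipped:", compliance_summary(SHIPPED), "drifted rules:", drift(base, now))
```

Running the evaluation on a schedule and alerting on a non-empty drift list is the continuous baseline the paragraph describes; a single run is the snapshot.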
By working proactively to harden solutions before they reach a government environment, vendors have a real opportunity to positively impact the security posture of agencies, dramatically reduce the standard C&A time, and provide a continually compliant security baseline. Doing so would foster additional trust in the vendor community, and would have a compounding ripple effect across the government. The onus of security is a shared responsibility and should be addressed