Minimising the damage caused by a breach

Protecting data is a significant task faced by security managers every day. Paul German discusses creating cyber-security strategies for government agencies.

 Paul German, VP EMEA, Certes Networks
Paul German, VP EMEA, Certes Networks

Government agencies around the world, at all levels, need to take action. From passport records to drivers' licence numbers, tax information to credit card data, government agencies hold a treasure trove of critical and sensitive data. And, without the correct security measures in place, hackers are able to take what they please once they break through the perimeter defences.   

Unfortunately, government agencies do not have the best track record when it comes to cyber-security protections. The US Office of Personnel Management breach is best known as one of the largest data breaches in history. Shockingly, it was reported that it took around six months for cyber-security professionals to identify the intrusion; six months where the hackers could move laterally throughout the system and make the network their playground. And many, many other examples of government breaches have recently made headlines, such as revelations of hacking at the NSA.

So if the United States government cannot prevent data breaches, what does this say about the safety of corporate networks in the private sector?

Taking a proactive approach to security and using a software-defined strategy are steps in the right direction for creating “bulletproof” strategies for government agencies (or at the least, greatly strengthening defences). Breaches are occurring all the time – and organisations need to accept that it is more than likely a breach has either already taken place or is currently underway within their environment and that this can and will happen without any notification. With that understanding comes a recognition that the emphasis is no longer solely on building walls to keep people out but on containing that breach and minimising the extent of it by segmenting the IT environment, essentially building firedoors between different parts of the infrastructure.

Government agencies need to step back and look at this from a true business perspective. To do this, instead of focusing on perimeter defences, cyber-security strategies need to focus on software-defined security controls that separate security policy enforcement from the network or other parts of the infrastructure. This enables organisations to align their cyber-security functions around applications and users, without worrying about each device or network element.

Building on the existing policies for user access and identity management, security managers can use software-defined cryptographic segmentation to ensure users have access to only the applications they specifically need to do their jobs. Each cryptographic segment has its own encryption key, preventing a hacker from moving from one compromised segment into another. To put it simply, a health commissioner does not need access to drivers' licence numbers, so therefore should not be able to access the segment of the applications in which the numbers are stored. By carefully controlling which users can access which applications in all internal and external locations, the attack surface is reduced.

With this approach, government agencies can shrink the number of targets at which a hacker can aim. Software-defined segmentation also narrows the scope of a breach to a small, contained area rather than system wide and, critically, does so in a way that removes the need to build new security policies into the network infrastructure. Furthermore, as and when a breach is detected, the segmentation policy means the organisation has immediate visibility into the extent of the breach – enabling both targeted rather than system wide lock down and a far more confident and measured response to media, shareholders and customers.

Protecting government agencies from the fate of more data breaches is possibly one of the biggest tasks being faced by security managers today. But the reality is, taking six months to detect that a breach has occurred is not tolerable and if immediate action isn't taken, the situation will only get worse. What's more, traditional cyber-security tools won't solve the problem. Security strategies that focus on containing breaches will make the breach manageable, as even when a breach does occur, the hacker is limited as to what damage can be achieved. Cyber-security doesn't need to be complicated. The tools are there for the taking but a change in mind-set is needed, and it is only when this is realised that this critical data will be kept secure.

Contributed by Paul German, VP EMEA, Certes Networks