< ? php //If there is analytic campaign data, attempt to get the campaign_guid from that cookie if ( 1 === preg_match( '/pk10mkto-([0-9]+)/', $_COOKIE[ '__utmz' ], $match ) ) { $campaign_guid = $match[ 1 ]; } ?>

A Lesson from the Government: Take Data Security Beyond the Perimeter

June 17, 2015

It happened again.

One week after the Internal Revenue Service (IRS) revealed hackers had accessed approximately 100,000 tax accounts, another government agency was attacked.

Some four million current and former government employees may have had their personal information compromised due to a cyberattack on the U.S. Office of Personnel Management (OPM). Exploiting a “zero day” security hole, the perpetrators sneaked past the government’s multimillion-dollar Einstein 3 anti-hacking system.

With all the resources available to the U.S. government, how could this happen — and what does it mean for private sector companies trying to ensure data security?

It’s a complex situation with no easy answers.

What Went Wrong

There’s a tendency to think that government networks are — or at least should be — better protected than those of private businesses. The fact is that the government is like many large corporations. It’s a massive organization comprised of numerous entities, each with their own priorities, budgets and processes.

Not surprisingly, the government’s highly touted Einstein 3 system has been the victim of red tape and inter-agency fights over privacy, control and other issues. Different iterations of the system exist, each with varying functionality.  It is unclear what agencies have which, if any, version on their networks.

It all also makes for slow adoption and implementation of newer data security technologies. The Einstein 3 system’s perimeter-based approach is outdated. With the growing sophistication and frequency of cybercrime; the evolution of the Internet of Things (IoT); and the rapid adoption of mobile and other disruptive technologies, it’s clear that perimeter-based defenses alone cannot prevent cyberattacks.

Layered Security

Many within the security industry have moved on to a “defense in depth” approach. It addresses both internal and external threats by using multiple layers of security — physical, network, computer, application, device,  people acting as human firewalls — and applying appropriate controls to address the risks that might arise in each.

Trust No One

Others advocate a “zero trust” strategy that assumes the perimeter, including all “defense-in-depth” security layers, will be breached. By establishing zero trust boundaries that compartmentalize different segments of the network, critical data can be protected from unauthorized users and applications. There is no default trust for any entity, including users, devices, applications or packets.

Adaptive Perimeter

There is also the adaptive perimeter approach, which re-defines and re-configures the perimeter around new attack surfaces such as mobile devices and cloud infrastructure. An example is application wrapping, which enables an administrator to apply security policies to an application or group of applications. This could include requiring user authentication for an app or prohibiting the use of certain APIs such as “copy and paste.”

Time for a Change

It is doubtful that any of the aforementioned security approaches, alone, can completely stop cyberattacks. A new data security approach is needed — one that is adaptable and multi-faceted to protect at the perimeter and anywhere else. It must enable disruptive technologies without increasing the risk of data loss. And it’s something we can’t wait for the government to address.

Here are a few tips for developing a more multi-faceted security strategy:

Fine tune your content search

About Peak 10

"Our values are the foundation for everything we do at Peak 10, and are ultimately what enable us to earn our customers' business and their trust."
David H. Jones,
Board Member, Peak 10 + ViaWest