Technology’s risky. Can this security solution help?

Lloyd McCoy Jr.

The recent media coverage about data leaks and breaches and government surveillance has so much to do with privacy, security and access. We might as well get comfortable with security as a major challenge, given that people aren’t ready to part with their mobile devices and the convenience of being able to work wherever they want.

At the same time, business interest in the internet of things, especially in government agencies, is growing. But security in IoT is still a major hurdle, causing some agencies to pump the brakes a bit.

So where does that leave the tech sector? There may be a continuing stream of risk, but there’s also opportunity, especially for companies with Identity Access Management (IAM) solutions that can address some of these valid security concerns.

Here are three challenges to consider in public sector IAM strategy:

Focus on reducing risk over eliminating threats

The recent story on the CIA’s secret hacking tools to break into computers, mobile phones and smart TVs was interesting but not all that surprising. These stories should make us all aware of how vulnerable connected devices are.

Security risks will always be a part of our lives with technology, especially since consumers and corporate users aren’t willing to cut out smart and mobile devices despite the continued threat of hacks and surveillance by government agencies or even competitors.

So what’s the solution? Government agencies now realize that the focus is better suited to reducing risk, versus the pipe dream of totally eliminating cyber threats. For consumers, passwords on smart TVs, cameras and other connected devices should be changed as often as they change computer passwords.

For government agencies and enterprises, the solution could range from something as simple as workforce training on passwords and covering laptop cameras to IT solutions that create a layer of protection somewhere in the connected device’s gateway.

Where industry can help is with getting the government to achieve, or at least approach, 100 percent multi-factor authentication and single sign-on. Network segmentation, just-in-time privilege access and the need for VPN access are other areas of risk reduction where government agencies have said they need assistance from industry.

Mobile workers increase risks

President Trump’s federal budget proposal includes spending increases for defense and homeland security but cuts to most other government agencies. We don’t know yet how the spending proposal will eventually affect the federal workforce. Agencies may turn to bigger telework programs in order to reduce real estate costs.

With telework comes bigger risk for breaches and other security concerns. Many remote employees have security software set up on their computers and devices, but how effective is it? Is it too cumbersome, or does it protect enough?

This is another insertion point for IAM tools that protect mobile devices. As government agencies seek to take distance out of the equation, they will need to uncover and protect against all the threat vectors that come about as agencies move their networks further out and into people’s homes. The growing use of classified mobile computing, particularly in the Department of Defense, makes the importance of credentialing and privileged access greater than ever.

IoT is great, but is it secure?

The public sector has slowly been implementing IoT projects even though the technology has been deployed without thinking of security first. The truth is anything with a chip that’s connected to the internet is vulnerable to hacking.

State and local governments seem to be further along than the federal government in implementing IoT solutions and tackling the security implications. Some states, like Washington, are migrating to IPv6 to be able to centrally manage their internet protocol addresses. That step will open the door for a more secure IoT strategy for the state.

But Oakland County, Mich., has been extremely cautious when it comes to IoT because of the risk of hacking. State and local governments worry about a range of potential threats, from a hacker shutting down the air conditioning in a data center to an adversary taking control of a city’s internet-connected lights. Oakland County is installing a new building management system that will be centrally controlled, with the connection over a secure fiber-optic network. IT managers can dial in remotely via the internet but it will be through a secure “tunnel” connection requiring two-factor authentication.

State and local IT leaders are admittedly nervous about IoT because of the security aspects. Many industries, HVAC for instance, have little experience dealing with the cybersecurity threats that IoT can pose. State and local governments need better engagement with industry to ensure the right security is in place.

This post originally appeared in the Arrow ECS e-magazine

About Lloyd McCoy Jr.
Lloyd McCoy is the Department of Defense Consultant on the Market Intelligence team. Prior to working for immixGroup, he worked in the public sector as a senior analyst with the Defense Department. Lloyd primarily monitors and analyzes issues relating to the Navy/Marine Corps, Defense Health Agency, and the Defense Information Systems Agency.
