The Government IT Problem: Your Security Perimeter Has DisappearedDownload Case Study
Government work has fundamentally changed. Critical data needed for employees to fulfill the mission has moved to the cloud, and needs to be accessible from any device, wherever employees are located.
Spurred by federal legislative and administrative activity, government agencies are launching significant modernizations of their cybersecurity systems, going on the offensive with hackers and taking a more strategic approach to risk. Prominent among these are the NIST Cybersecurity Framework and the Modernizing Government Technology (MGT) Act.
However, none of these necessary initiatives will ultimately succeed without recognition that we live in a post-perimeter world. In this world, work devices are now personal as well. Social media apps, messaging apps, and others create an environment where employees can be phished and agency credentials can be stolen through personal activities.
Enabling mobility and the ability to access data seamlessly is a great development for accomplishing the mission, but it also causes a serious challenge to agency security teams who currently rely solely on perimeter provisions such as firewalls and secure web gateways.
Recent survey results from a poll conducted by the Government Business Council, and sponsored by Lookout, bear out the need for a post-perimeter approach to security. The poll focused on employee use of mobile devices accessing government databases:
- 45% of respondents accessed work data when connected to external networks – i.e. not the agency network.
- The number was even higher for state and local employees - 75%.
- 47% of respondents have encountered a phishing attack while conducting work via a mobile device.
- Of that 47%, 29% received the phishing attempt via text, and 15% via social media.
The reality is, there no longer is any “there” anymore when it comes to where government data lives. Data now is fluid, moving, and accessible. With this ecosystem shift, two new security requirements emerge:
Move key security functions to the endpoint
Instead of stashing endpoints behind traditional security perimeters, security itself must move to the endpoint. It doesn’t make sense to put guards in front of your castle when the castle walls don’t exist anymore. Security needs to be everywhere the data is.
Establish a zero trust access model
Federal CIO Suzette Kent has stated that zero trust network pilots were well underway, and that these changes go hand in hand with a forthcoming update to the Trusted Internet Connections (TIC) Initiative, TIC 3.0. Even with security residing on the endpoint, the agency should never assume the device is innocent until proven guilty.
Government employees are bringing their devices into work whether their agency allows them to or not. Agencies are not only facing how their employees use their GFE phones, they’re tackling the issue of personal device usage as well. Any effective security solution needs to work with - not against - this fundamental premise.
Lookout enables post-perimeter security for the government
Using Lookout Mobile Endpoint Security, agencies can deploy continuous conditional access to their employee endpoints. This ensures that two things happen: policies are enforced at all times and device health checks are happening before authentication to access corporate resources is granted. This is critical, because some of the most flagrant government data breaches happened because once a malicious actor gained access inside the firewall, they were able to move laterally through the network without resistance.
Agencies have the opportunity to select, based on their risk tolerance, policies that help ensure devices stay compliant with internal and external mandates. If a device exceeds the acceptable level of risk, as defined by the agency, Lookout will send a remediation message to the employee, flag the issue to the admin in the Lookout Mobile Endpoint Security console, and log the employee out of any agency resources. That’s what post-perimeter security looks like.
The perimeter, as we know it, has disappeared and threat vectors are multiplying. Legacy security technologies just don’t work anymore. The devices themselves cannot be trusted, but there is a way to secure government data despite this new fluidity. Post-perimeter security is the necessary and central architecture for this new, increasingly mobile world.
Download our whitepaper to learn more about securing government data in the post-perimeter world.