Doing more with less in the age of sequester
While meeting with a couple of my regular contacts at a recent AFCEA event, their conversation veered sharply from their normal assessments of recent cyber attacks into today’s prevalent motif of Beltway pundits -- the sequester.
Normally, I wouldn’t heed current events banter between colleagues taking a break at a trade show, but these guys aren’t blusterers. They’re top information security insiders at some of our nation’s most well-known federal agencies.
And, according to their forecasts, agencies like the DoD may not be prepared to cope with the streamlined IT operations being generated by sequestration. Here’s what they meant: How can federal agencies maintain regulatory compliance and stay abreast of the latest security threats while operating with a reduced IT staff? And how can these agencies secure access to their most sensitive files and applications from former employees and contractors recently furloughed or laid off?
A reduction in staff
Even though the $85 billion sequestration is now several weeks into existence (as of this writing), its effects on military civilian IT workers and contractors -- as well as federal IT employees in general -- remain to be seen.
However, we do know that because DoD is the largest employer of government workers in the nation, its civilian employees are facing the economic brunt of sequestration. Roughly half of the spending cuts are hitting defense programs. To cope, the Pentagon announced in March that it will furlough most of its civilian workforce -- nearly 800,000 employees -- one day per week, without pay, for the remainder of the fiscal year.
For military contractors, it may still be months before the full impact of sequestration is realized. But, as Pentagon Comptroller Robert Hale said, there is no doubt that sequestration “will affect the private sector.”
One case in point: for the duration of the fiscal year, the federal government will not enter into new contracts or exercise options on existing contracts, except for high-priority initiatives. And, from what I’ve seen up close in the defense sector, service contractors are already feeling the effects. I expect weapons manufacturers to experience the impact soon.
These budget and staffing reductions certainly filter down to the systems administrators and information security staff manning the IT controls at federal agencies. And I find myself in agreement with my “security insider” contacts mentioned at the start of this article. Maintaining regulatory compliance and controlling privileged access are likely two of the first areas to be overlooked following a staff reduction.
Does reduced staff equal reduced compliance?
FISMA, NIST and DIACAP are some of the best known examples of regulatory mandates that require federal agencies to demonstrate proactive security measures around issues such as access control, audit and accountability, and identification and authentication.
If you’ve ever been involved with one of these audits, you know well the mad scramble among personnel at all levels of the IT chain to verify and document compliance with the multitude of audit points in advance of the auditor’s arrival. Now, imagine this same scenario, only with a significantly smaller IT team. How would regulatory compliance continue to be met?
By adopting a practice of “continuous compliance,” IT groups can ensure a level of efficiency that not only allows them to achieve their regulatory compliance mandates, but also to handle the latest cyber-attacks as they occur. Continuous compliance, in the simplest of terms, is ensuring that IT processes and controls are constantly in a state of compliance, as opposed to the reactive “firefighter” mode of point-in-time compliance so common in most IT environments. Basically, a federal agency that is in a state of continuous compliance is ready for an audit at any time, without preparation.
This isn’t to suggest that attaining continuous compliance is a simple act. It requires the IT group to always probe for weaknesses and close security holes as soon as they are verified. That involves established methodologies and advanced technology to test controls and provide immediate alerting on, and remediation of, identified vulnerabilities.
One important tool to facilitate the move toward continuous compliance is an automated privileged identity management product that can constantly locate, track and lock down privileged accounts, with little or no human interaction. After implementing this approach, an organization can much more easily meet a number of major regulatory requirements, such as maintaining minimum complexity and change frequency standards for privileged passwords; providing authoritative audit trails of privileged access requests; and documenting a strict need-to-know policy for privileged access. And, as a side benefit, with automated privileged identity management, overburdened IT administrators don’t have to stress about accomplishing all of this in time-consuming, manual fashion.
Security amidst IT turnover
In the unfortunate event of contractors or employees having to leave an agency due to sequestration, the reduction in productive manpower is only one consequence. Often overlooked in the commotion of downsizing are the security secrets that can walk out the door alongside former workers.
It’s never sufficient to simply revoke user credentials when an employee leaves. When IT personnel in particular depart, they’re likely taking with them knowledge of what I refer to as the “keys to the IT kingdom.” These keys are the shared passwords to powerful privileged accounts that grant access to an agency’s most confidential data, and enable system configuration changes, the ability to uninstall and modify programs, and more.
In large organizations, like federal agencies, there are thousands of such accounts: on every server and workstation, on hardware appliances -- from routers and switches to load balancers -- and on almost every type of software that exists, including line-of-business applications, Web services and databases.
So, how can an agency ensure that former IT admins aren't taking access to secret data when they leave? Once again, with automated privileged identity management technology. After being deployed to the network, such a solution ensures that there are no known passwords that someone could memorize, store on a spreadsheet or simply write down on a sticky note and affix to a monitor.
Instead, with privileged identity management, each password is changed frequently so that every privileged account has unique and complex values. Access to privileged accounts is delegated and audited, meaning there is no sneaky and anonymous use of “secret” passwords, with unlimited access to IT resources -- either from inside or outside the network.
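As an added illustration (not code from the original article or from any privileged identity management product), the following Python check puts the controls described above into runnable form over a constructed inventory: minimum password complexity, change frequency, detection of a value shared across accounts, and an audit trail that matches every privileged logon to an approved request. The hosts, account names, credentials and user names are made up.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
import string

@dataclass
class PrivilegedAccount:
    host: str
    name: str
    secret: str    # current password value (constructed sample data)
    rotated: date  # date of the last password change

def meets_complexity(secret, min_len=14):
    """Minimum complexity: length plus all four character classes."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return len(secret) >= min_len and all(any(c in cls for c in secret) for cls in classes)

def audit_accounts(accounts, today, max_age_days=30):
    """Return {(host, name): [findings]} for accounts that break policy:
    'weak' (complexity), 'stale' (change frequency), 'shared' (value reused)."""
    reuse = Counter(a.secret for a in accounts)
    findings = {}
    for a in accounts:
        problems = []
        if not meets_complexity(a.secret):
            problems.append("weak")
        if (today - a.rotated).days > max_age_days:
            problems.append("stale")
        if reuse[a.secret] > 1:
            problems.append("shared")
        if problems:
            findings[(a.host, a.name)] = problems
    return findings

def unapproved_uses(access_log, approvals):
    """Audit trail: each privileged logon must match an approved request
    (user, host, account); anything else is anonymous 'secret password' use."""
    return [e for e in access_log if (e["user"], e["host"], e["account"]) not in approvals]

# Constructed sample inventory, logon log and approvals (no real hosts or credentials)
AUDIT_DATE = date(2013, 4, 1)
ACCOUNTS = [
    PrivilegedAccount("web01", "root", "Tq7!mR2#vL9pXw", date(2013, 3, 20)),
    PrivilegedAccount("db01", "sa", "Tq7!mR2#vL9pXw", date(2013, 3, 20)),  # reused value
    PrivilegedAccount("rtr01", "admin", "password1", date(2012, 11, 2)),
]
ACCESS_LOG = [{"user": "jdoe", "host": "web01", "account": "root"},
              {"user": "former_contractor", "host": "db01", "account": "sa"}]
APPROVALS = {("jdoe", "web01", "root")}
```

Running `audit_accounts(ACCOUNTS, AUDIT_DATE)` flags the two accounts that share one password and the router account whose password is both weak and overdue for rotation, while `unapproved_uses(ACCESS_LOG, APPROVALS)` surfaces the logon with no matching access request.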
The next time I run across my government “security insider” contacts, I’ll see what they have to say about the sequester, now that we’re further along the process. But, even if it all turns out to be more hype than substance, I'm convinced that continuous compliance and securing privileged access against former employees are two practices that will always reap benefits.
Derrick Dickey is strategic accounts manager, federal, for Lieberman Software Corp., a developer of privileged identity management and security management solutions. Dickey can be reached at: