GCN : May 2016
SPONSORED CONTENT

MAKE APPLICATION SECURITY A PRIORITY

To truly defend against evolving threats, federal IT leaders must apply security at the application layer.

Randy Wood, Vice President Federal, F5 Networks

Federal IT managers, CISOs and security professionals are often overwhelmed and confused by the seemingly endless volume of security threats, warnings, solutions and vendors. Firewalls, intrusion detection and prevention, APT, threat intelligence, compliance, cloud security, DLP---the list goes on and the "cyberscape" grows more confusing. Amid all this confusion and uncertainty, there are three imperatives---the underpinnings of any sound cybersecurity implementation---federal agencies should focus on now.

1. Zero trust means zero trust.

An analysis of recent attacks on federal IT systems reveals the vast majority have resulted from users handing over some level of trust to an attacker. The trend in application access is to trust no one, no connection, and no traffic flow, and to rely on advanced encryption and identity management to establish trust. This means securing network infrastructure devices that are almost always overlooked when it comes to strong, multi-factor authentication.

The DoD Cybersecurity Discipline Implementation Plan, from October 2015 and amended in February 2016, prescribes Four Lines of Effort (LoE) to better secure DoD networks and applications. LoE 1 is Strong Authentication involving PKI/CAC-enabled authentication for all applications, accounts, servers and network devices. "The connection between weak authentication and account takeover is well-established," the plan notes. "Strong authentication helps prevent unauthorized access, including wide-scale network compromise, by impersonating privileged administrators."

Implement strong authentication not just for users and applications, but also for devices.

2. You can't secure what you can't see.

Data encryption (SSL and TLS) has traditionally deterred malfeasance on websites with high-value assets. Over time, SSL adoption has extended to everyday websites to protect user information. While approximately 30 percent of popular websites currently use SSL, this trend is growing 20 percent annually. At the same time, the bad guys are encrypting their conversations with the same technology that federal agencies are using today.

The point is that federal agency IT network managers must inspect inbound and outbound traffic. This includes encrypted traffic. When using a traditional firewall or IPS device, users can expect a 70-90 percent performance tax. If there's no inspection, agencies are blind to about 50 percent of all traffic.

Agencies must deploy purpose-built SSL inspection devices to eliminate security blind spots.

3. Strong security must scale across all modes.

The security world has typically been described in rigid or structured ways. Defined perimeters are drawn across network boundaries. Today's perimeter is based simply on two things: access and applications. This is independent of time, space, and even device type and consumption mode (cloud, on-premises, or hybrid).

The challenge for federal security professionals is to implement strong security that scales across all access modes, while not impeding the application experience. That's a tall order. For applications and systems access, federal security professionals must deploy access and identity architectures based on full user, application, and network context awareness to ensure single sign-on and application access federation.

Finally, consider that 90 percent of a typical federal organization's security investment has been on threats to the network. Nearly 75 percent of attacks have been targeted at the application. It's time to make application security a priority. Federal agencies must create and deploy consistent, tailored policies and services---on an application-by-application basis---based on risk, context and visibility at the application level.

Randy Wood is Vice President Federal, F5 Networks.