3 Steps to Breaking Through the Federal Security Status Quo

Curt Kolcun is vice president of U.S. public sector at Microsoft Corp.

It’s hard to miss the headlines broadcasting the latest cybersecurity breaches, from last summer’s hack of the Office of Personnel Management to this year’s ransomware attacks of Hollywood Presbyterian Medical Center and MedStar Health, where data and thousands of connected devices were held hostage.

For 20 years, public sector data has been guarded as if inside a moated castle: a “defend-against-breach” approach. But such defenses, exacerbated by legacy systems, are now easily circumvented. Making matters worse, attackers today stay within a network for about 146 days before detection.

To counter this, we must adopt an “assume-breach” position that presumes bad actors are already inside the gates — or about to break them down — and embrace modern and secure IT that leans in to the advanced detection capabilities of the cloud.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

Big data solutions, machine learning and advanced analytics may seem like a bridge too far for some public sector agencies, but time is not on their side to maintain the status quo. With its ability to gather security intelligence from trillions of signals, cloud computing is a powerful cybersecurity tool and a critical component to enabling a complete, end-to-end agile security platform.

Through an assume-breach approach that takes advantage of the cloud and hybrid solutions, public sector agencies can tap into three critical security attributes:

1. Identity as the new firewall. Compromised credentials make up a large percentage of all network intrusions. Advanced cloud solutions allow real-time management of authorized access to digital information. Security measures include two-factor authentication, which requires a PIN or biometric key (such as a fingerprint) to gain access, forcing an attacker to have both a physical device and its access code. 

2. The power of intelligence and automation. On-premises systems typically must be manually updated against security threats, meaning they lag well behind the speed of attacks. With the cloud, system monitoring is constant, and updates to block attacks or repair vulnerabilities are automated. Moreover, cloud-based machine learning continually improves a system’s ability to discover and thwart cyberthreats and anomalies difficult or impossible to detect manually.

3. Device integration. We live in a mobile-first, cloud-first world where a “bring your own device” approach is common. Employees need to be productive on the devices and apps they’ve come to rely on virtually anywhere and at any time, without compromising security. In this reality, only a cloud-based solution, backed by an ecosystem of security-enabled partner solutions, can protect data in transit, at rest or wherever it’s stored, while enabling productivity, guarding privacy and maintaining compliance.

Many in the industry have noted they’re not in a position to move to the cloud, because other system solutions aren’t using the most modern technology. This will be a constant and legitimate challenge. I regularly talk with chief information officers and chief technology officers who know the value of moving to an intelligent cloud-based infrastructure but are similarly stuck. 

Microsoft faced this same challenge a few years ago. It took an orchestrated modernization and application rationalization process to create a modern hybrid IT infrastructure. We determined we’d move 2,100 apps to Infrastructure as a Service cloud solutions and 10 percent to Platform as a Service cloud solutions, while virtualizing 62 percent of apps by 2015 and eliminating some apps altogether.

A growing number of public sector organizations are balancing these tradeoffs, assessing resource allocation priorities and developing an “assume-breach” security stance to help them better protect, detect and respond to cybersecurity threats.

Earlier this year, the Defense Department announced it will standardize on Windows 10 to help improve its cybersecurity posture — a move that can help the agency take advantage of a trusted cloud platform. In addition, state and local government agencies like the Alabama Medicaid Agency and Dallas Area Rapid Transit are adopting a cloud-centered infrastructure approach that provides the security and resiliency needed to support citizen services.

Much more needs to be done. As countless agencies begin the hard work of developing a comprehensive 3-to-5-year road map for transforming their IT environments, some will find a hybrid option more realistic. Many will move to the cloud entirely. 

It won’t be easy, but bolt-on solutions that “almost” offer the intelligence and security of the cloud aren’t good enough. By leaning in to the cloud and working together to modernize systems, we can make a difference. The security and safety of our citizens depend on it.