Relieving the Pain Points
of Federal IT Modernization
Securing democracy through democratized security.
35,277 federal information security incidents reported to DHS in FY2017

14% increase in federal information security incidents

96.6 attacks per day
Federal and government IT and security professionals face a unique challenge: they’re charged with modernizing aging systems to embrace cloud and mobility, yet they’re expected to do so with shoestring budgets, burdensome legacy systems and a buying process rife with fits and starts. It’s an uphill battle, for sure.

Navigating this shift is complicated further by the relentless attacks and threats aimed at government bodies. According to The Washington Business Journal, federal agencies reported 35,277 information security incidents to the Department of Homeland Security’s U.S. Computer Emergency Readiness Team in fiscal 2017, which is up 14 percent from 30,899 reported the prior fiscal year. That breaks down to about 96.6 attacks per day.

The DHS sums it up this way:

“Cyberspace and its underlying infrastructure are vulnerable to a wide range of risk stemming from both physical and cyber threats and hazards. Sophisticated cyber actors and nation‑states exploit vulnerabilities to steal information and money and are developing capabilities to disrupt, destroy, or threaten the delivery of essential services. A range of traditional crimes are now being perpetrated through cyberspace.”

Summarizing that statement: there are risks to protect against and vulnerabilities to shore up. Hence, the push for IT modernization in government.
1.0 Why Modernize?
Reduce Risk, Prepare for the Future
Simply put, the push for IT modernization is fueled by two key advancements: the cloud and mobility — both of which are forcing a pivot on how we think about protecting government data, applications and networks.
On top of the need to adopt new technology to accommodate the shift in how users access information and applications, the old model has become a maintenance headache, introduces vulnerabilities and offers a poor user experience. Not to mention that it’s costly to run, update and replace aging legacy gear.

The secure perimeter of the past has crumbled.

Accessing cloud applications from anywhere on any device and at any time has pushed that perimeter to wherever the user is, and it’s up to security teams to ensure those complex individual mini-perimeters are all secure, accessible from within, protected and frictionless.

Federal agencies, which for years had been expected to adopt a cloud-first mindset, are now making the move to zero-trust frameworks to accommodate deperimeterization. Zero trust is a model in which application access is granted based on trust in the identity of the user and the device. It verifies trust at the time of access and assumes no one person or device is inherently more trustworthy than another, as opposed to the old perimeter-based mantra of trusting anything that’s inside the corporate walls.

For agencies, modernization starts in earnest with stronger authentication controls to verify the identity of users accessing agency assets and then moves to ensuring the devices accessing those assets meet an agreed-upon set of security requirements.

It sounds like a pretty easy way to modernize, but it’s not without its challenges. In this ebook, we’ll examine the pain points government agencies are likely to encounter during their modernization efforts and how to relieve them.
FARS-CUI
DFARS-CUI
PIV/CAC
NIST SP 800-171
NIST 800-63-3
FIPS 140-2
2.0 Compliance Confusion

FedRAMP, FISMA, FIPS 140-2, DFARS/FAR and NIST SP 800-63-3 AAL/FA. Phew. That’s a lot of numbers and letters to navigate. And they’re all important. For agencies, compliance is not an option.

Maintaining the necessary protections to ensure privacy and security is a lot for a small team or individual to contend with, and can carry a costly fine if not followed.

There are dozens of laws, policies and standards that government organizations must follow. It’s often so confusing that they hire consultants to help them wade through the alphabet soup of compliance regulations to determine which IT initiatives can help (or hurt).
3.0 Poor Device Visibility
As mobility infiltrates federal agencies and other government bodies, keeping tabs on those devices, what they do and what they can access becomes increasingly difficult. The private sector is currently living in the era of bring your own device (BYOD), but federal agencies aren’t quite ready to embrace it (maybe it’s due to policy, maybe a bit of paranoia?). But to keep pace with their enterprise counterparts, agencies must understand that end users want to use their own devices – smartphones, tablets, laptops, watches, you name it – to access data and solutions that were once only accessible via a government-owned and issued device.

For admins this shift will create a dilemma: do you restrict the use of personal devices or do you install some kind of agent or client, like mobile device management (MDM), on users’ personal devices and deal with the blowback? Neither sounds like the perfect option.

Visibility without intrusion is key to identifying at-risk devices before they gain access to your systems. But when it comes to IT in the government, freedom is somewhat of a foreign concept.

Federal agencies must determine their comfort level with BYOD and user-owned devices and set security policies reflective of that. Do you want to restrict access to certain operating systems? Do you want to ensure devices have a screen lock in place? How about ensuring that encryption is turned on? Or, perhaps most importantly, do you want to ensure that devices adhere to a Comply to Connect (C2C) framework that enforces that patches and hardened configuration are applied to a device before it is allowed to connect? And that the device is updated continually? All of these are considerations.

When you enforce device‑level security policies, you give your users freedom while you remain in control. You have visibility into which devices are accessing which applications and the security posture of those devices.

Duo helps you face BYOD head on. With Unified Endpoint Visibility, government IT admins can have insight into what devices are accessing which apps and from where. From there, admins can set strict device policies to ensure that only trusted devices that meet their security requirements can access anything.

Duo takes it one step further, with features such as Self-Remediation, which notifies users directly if their device software is out of date and helps them update it immediately before they can gain access.

When you can enforce strict device and application access policies and have visibility into the security health of every device authenticating to your environment, at the time of access, you strengthen your overall security posture and can support modern approaches to mobility, like BYOD. Oh, and it keeps your users happy.

With Duo, federal agencies can get over the BYOD hump and better embrace modern mobility.
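The zero-trust model described in section 1.0 (trust verified at the time of access, on both the user’s identity and the device) and the device-policy questions raised above (allowed operating systems, screen lock, encryption, a Comply-to-Connect-style patch freshness window, and self-remediation hints for the user) can be made concrete as a small policy evaluator. The following is an added example written for this page; it is not Duo’s policy engine or API. The `Device`, `Policy` and `Decision` shapes, the field names, the fixed evaluation date and the sample device records are all constructed for illustration.

```python
"""Device-posture access decision, evaluated at the time of access.

Added illustration of the zero-trust idea described in the ebook: access
depends on a verified user identity AND on the posture of the device, checked
on every access rather than on network location. Every type, field and sample
value below is constructed for this example (not Duo's product or API).
"""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass(frozen=True)
class Device:
    device_id: str
    os_name: str             # constructed values: "ios", "android", "windows", ...
    os_version: tuple        # (major, minor, patch)
    screen_lock: bool
    disk_encrypted: bool
    last_patched: date       # when OS/security patches were last applied
    corporate_owned: bool    # False for a user-owned (BYOD) device


@dataclass(frozen=True)
class Policy:
    allowed_os: frozenset
    min_os_version: dict             # os_name -> minimum (major, minor, patch)
    require_screen_lock: bool = True
    require_encryption: bool = True
    max_patch_age_days: int = 30     # Comply-to-Connect style freshness window
    allow_byod: bool = False


@dataclass
class Decision:
    allowed: bool
    failures: list = field(default_factory=list)      # hard blocks, admin-level
    remediation: list = field(default_factory=list)   # user-fixable, shown to the user


def evaluate(device: Device, policy: Policy, today: date, identity_verified: bool) -> Decision:
    """Return the access decision for one (user, device) pair at this moment."""
    d = Decision(allowed=False)
    # Identity first: with no verified user (e.g. MFA not completed) device posture is moot.
    if not identity_verified:
        d.failures.append("user identity not verified")
        return d
    if device.os_name not in policy.allowed_os:
        d.failures.append(f"operating system {device.os_name} not permitted")
    if not device.corporate_owned and not policy.allow_byod:
        d.failures.append("user-owned device not permitted by policy")
    # The remaining checks are things the user can fix themselves (self-remediation).
    floor = policy.min_os_version.get(device.os_name)
    if floor is not None and device.os_version < floor:
        d.remediation.append(f"update {device.os_name} to {'.'.join(map(str, floor))} or later")
    if policy.require_screen_lock and not device.screen_lock:
        d.remediation.append("enable a screen lock")
    if policy.require_encryption and not device.disk_encrypted:
        d.remediation.append("turn on disk encryption")
    if (today - device.last_patched) > timedelta(days=policy.max_patch_age_days):
        d.remediation.append(f"apply patches (last patched {device.last_patched.isoformat()})")
    # Access is granted only when nothing is blocked and nothing needs remediating.
    d.allowed = not d.failures and not d.remediation
    return d


# Constructed policy: BYOD allowed, three operating systems, 30-day patch window.
POLICY = Policy(
    allowed_os=frozenset({"ios", "android", "windows"}),
    min_os_version={"ios": (12, 0, 0), "windows": (10, 0, 0)},
    allow_byod=True,
)
TODAY = date(2018, 10, 1)  # fixed evaluation date so the example is deterministic

# Constructed sample devices covering the cases an admin would expect to see.
SAMPLE_DEVICES = {
    "compliant": Device("d1", "ios", (13, 1, 0), True, True, TODAY - timedelta(days=5), False),
    "stale": Device("d2", "windows", (10, 0, 0), True, True, TODAY - timedelta(days=60), True),
    "no_lock": Device("d3", "android", (9, 0, 0), False, True, TODAY - timedelta(days=1), False),
    "linux": Device("d4", "linux", (5, 4, 0), True, True, TODAY - timedelta(days=2), True),
}


def run_samples() -> dict:
    """Evaluate every sample device for a user whose identity has been verified."""
    return {name: evaluate(dev, POLICY, TODAY, identity_verified=True)
            for name, dev in SAMPLE_DEVICES.items()}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        status = "ALLOW" if decision.allowed else "DENY"
        print(f"{name:10s} {status}  blocks={decision.failures}  fix={decision.remediation}")
```

The split between `failures` and `remediation` is the point: an unsupported operating system is an administrative block, whereas a missing screen lock or a stale patch level is something the user can fix and be told about at the moment of access, which is the self-remediation pattern the section describes.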
4.0 The PIV/CAC Card Conundrum
Let’s address the elephant in the room: Common Access Card (CAC) and Personal Identity Verification (PIV) deployments.

PIV/CAC requires a very heavy lift in supporting a full-blown PKI (public key infrastructure), which is incredibly difficult to set up and maintain. Not to mention, each workstation requires a card reader, which pushes the cost and maintenance headaches even higher.

Admins can’t stand them. Cards are hard to issue, challenging to replace when they’re lost, and the process of revoking and renewing certificates and recovering users’ PINs is thorny.

At the same time, PIV/CAC cards can’t be used to authenticate to cloud and SaaS applications or from mobile devices, which severely limits an agency’s mobility and cloud options. Attempts have been made to make this easier with the introduction of the derived credential (SP-800-157), otherwise known as PIV-D, but this only solves half of the problem. Due to its limitations, the derived credentials approach has not really been widely adopted. While the physical card requirement goes away, you still need to stand up and maintain a very complex, proprietary PKI. And contractors, who make up a good portion of the workforce, can’t always use them for all of their functions.
PIV/CAC cards are so deeply ingrained in the federal workflow (roughly 95 percent of the federal workforce uses them) that we’re sort of stuck with them.

So where does that leave us?
While PIV/CAC cards serve several key functions, most government agencies would consider an additional technology to complement card deployments as an alternative for logical access and authentication. Replacing PIV/CAC altogether would be too complex, too costly and wasteful of previous investments, but replacing the authentication and application access function of PIV/CAC cards is an attractive compromise for agencies.

Duo makes it so users can use their phones as a second factor for authentication, instead of their PIV/CAC cards.

This method helps admins push toward IT modernization while giving users a fresh and frictionless trusted access method. Meanwhile, for admins it offers much lower total cost of ownership (TCO), and it’s easy to deploy, administer, manage and support. Duo’s Device Insight also gives admins the ability to support BYOD while ensuring both government-issued and user-owned devices are trusted, which enables contractors access to the applications they need when working with agencies and government bodies.
5.0 Lingering in Legacy Limbo
Much like PIV/CAC cards’ stranglehold on federal agencies and government organizations, their infrastructures are often built on legacy systems.

There are a lot of contributors to agencies being stuck in legacy limbo.

For example, they operate under a high level of risk aversion. That, combined with the uncertainties of funding, unbearably long buying cycles and often tight budgets, tends to make government organizations very slow to adopt new technology.

Agencies are also restricted mostly to solutions that have been formally approved for use in government, limiting their freedom to source and buy a solution that fulfills their use case. This results in a higher level of expectation that new technologies integrate into their existing IT investments.

Federal agencies often must maintain original legacy equipment that significantly lags behind the private sector market in technology usage and updates. They’re not early adopters, which has made the push toward IT modernization appear daunting, despite its necessity.

Duo can integrate into federal infrastructure smoothly and without the need for agencies to rip and replace their legacy gear, helping them meet modernization needs while protecting their IT investment and not breaking the budget.

This also helps agencies prepare for the future and lay the groundwork for zero-trust security, as MFA is a building block of a zero-trust model. And when the time comes to replace legacy gear, Duo will integrate seamlessly with new vendors as well. This is especially important as agencies prepare to move applications to the cloud. Duo protects both on‑premises applications supported by legacy gear and cloud applications, which are a key component of the modernization effort.

Duo’s trusted access solution works with what you have and will work with what you get in the future, meaning agencies can start fortifying their security posture now as they embark on their IT modernization journey.
6.0 Get Modernizing

Cloud and mobility are pushing federal agencies and government organizations to modernize their IT – think of them as a forcing function for several necessary updates to accommodate modern workflows and alleviate the hassles of outdated infrastructure.

Duo helps you:

• Overcome the compliance confusion
• Gain deep visibility into devices
• Solve the PIV/CAC conundrum
• Escape from legacy limbo
Duo is democratizing security so you can secure our democracy.
Access
Trusted Users. Trusted Devices. Every Application.

Duo Access takes everything in Duo MFA and supercharges it. It delivers detailed visibility into the security hygiene of every device, gives your users a seamless and secure single sign‑on experience and lets you quickly conduct phishing vulnerability assessments and simulations to determine where phishing risks exist in your organization.

Duo Access packs intelligence to check devices for secure, up‑to‑date software; enabled security settings on mobile devices; and location and network data – actionable data that’s available through the Device Insight dashboard. You can set policies for groups to allow or restrict access and secure BYOD environments by encouraging users to update their software. It’s complete visibility without the need for agents.