The federal government dedicates roughly 80 percent of its entire information technology (IT) budget to maintaining existing legacy systems. Given that the proposed IT budget for 2018 is approaching $96 billion, you can see the impact that legacy technology, systems and approaches are having on agencies’ ability to effectively deliver on the mission.
This legacy approach trickles down to the cyber world as well. In order to protect systems that were developed long before something like advanced persistent threats were even an issue, agencies have been applying essentially a band-aid approach to security. Identify a hole or vulnerability and buy a product to “fix” it.
The White House’s American Technology Council recently delivered the “Report to the President on Federal IT Modernization” that brought together public and private sector technology leaders with the goal of providing a roadmap to improve government technology, and the approaches referenced above.
At its core, the report envisions a modern federal IT architecture where agencies can maximize the secure use of cloud computing, modernize government-hosted applications and securely maintain legacy systems. The key component of each action is security.
The federal government dedicates roughly 80 percent of its entire information technology (IT) budget to maintaining existing legacy systems.
A Changing Paradigm
The report highlights the changing security needs of federal agencies. The majority of federal technology systems were built with an emphasis on protecting network perimeters. That architecture made sense at the time as federal employees were tied to work stations inside a government office. If the perimeter, and everything inside it, remained secure then there was no threat of a larger breach. But, applying protections at the perimeter layer only, has proven to be inadequate.
Highlighting the inadequacies of the old approach is the growth of cloud services and mobile workers. This transition has broadened the environment and is adding additional elements to this new virtual border. The results of ineffective, patchwork security in this environment can be devastating.
The report calls for moving from protection of agency network perimeters and managing legacy physical deployments to a new security paradigm that focuses on the protection of federal data and cloud-optimized deployments. It’s about moving those protections closer to the asset itself.
The report, in particular, highlights a number of key cyber security initiatives:
- Prioritize the modernization of high-risk High Value Assets (HVAs). Prioritize the modernization of legacy IT by focusing on the enhancement of security and privacy controls for those assets that are essential to operations. The focus will be on protecting data no matter where it resides, whether that be in the cloud or on-premise. As a result, agencies need to ensure that they can see how data is used, where it is accessed and who is using it at all times.
- Modernize the Trusted Internet Connections and National Cyber Security Protection System Program to enable cloud migration. Agencies should focus on shifting to the cloud and will need to alter how they view security in order to do so.
- Consolidate network acquisitions and management.
- Consolidate and standardize network and security service acquisition to take advantage of economies of scale, while minimizing duplicate investments in existing security capabilities.
The IT Modernization Report aims to push federal agencies from a perimeter security model to one that takes a risk-based approach. Going forward, agencies need to look at how best to secure their data, not simply relying on a strategy of securing individual systems or networks. Continuing in this direction will only set agencies further behind.
As you would imagine, Symantec is following these government modernization efforts very closely, and applaud the government for placing security as a key focal area. We are developing a series of blog posts that will look at different aspects of the IT modernization report and how it applies directly to cyber security.
This document is an important step in moving federal technology forward. Cyber security needs to be a key part of that growth. While it will be a major shift in how agency leaders think about technology, it will ultimately provide a more efficient, sustainable and secure federal environment. Please check back for future posts in this series and we appreciate your thoughts and feedback along the way.
If you found this information useful, you may enjoy:
We encourage you to share your thoughts on your favorite social platform.