Security is Critical, but Compliance is Required: How Agencies Can Address Both
Last year, the National Institute of Standards and Technology (NIST) released an updated set of digital identity guidelines, Special Publication (SP) 800-63-3. The updates give agencies recommendations for preventing fraud and unauthorized network access and, most importantly, for reducing cyber risk.
By June 2018, agencies are expected to expand and strengthen their use of multi-factor authentication, along with other identity- and access-focused standards.
But this isn’t the only situation where government agencies are expected to be security compliant. NIST’s Risk Management Framework (RMF) is the information security guideline for federal agencies and government contractors alike, and by implementing RMF, agencies can also demonstrate compliance with policy directives including Office of Management and Budget (OMB) Circular A-130 and the Federal Information Security Management Act (FISMA).
While each of these initiatives proves that government recognizes the growing importance of securing critical data, many agencies still struggle to implement security best practices fully, or at all.
To start, there are a number of questions agencies must be able to answer in order to claim a secure network. They include: Who has access to our files, folders and mailboxes? Which of our files contain critical information? What data is overexposed? What data is underutilized?
In the past, security has typically been viewed from the perimeter, with the idea that protecting the border protects a system in its entirety. Bearing in mind today’s growing number of insider threats, there has been a recent shift in focus toward securing data within the network, as simply safeguarding the edge isn’t enough.
High-profile data breaches and compliance deadlines are increasing the pressure on agencies to ensure critical data is secure today and in the future. Companies like Varonis enable this level of security through automated continuous monitoring and enhanced access management, so agencies are aware of what’s happening with their data at any given time—ensuring the right people have access to the right information.
Through better identity and access safeguards that allow for detection, prevention and sustainment, agencies can meet NIST and other security expectations.
Agencies must know their data. By understanding what data is being used and by whom, agencies can establish a baseline of normal activity for user, executive, administrator and service accounts. Agencies can only detect threats by collecting this information in full and then scanning for sensitive and critical data, in particular finding where it lives and where it is overexposed.
The next step in ensuring data within the network is safe from potential bad actors is prevention. Agencies must take what they’ve learned in detection and lock down sensitive and stale data, reduce broad access and simplify permissions in order to secure data from the inside out.
Finally, these measures must be sustained: network access and activity should be monitored consistently, automation should be used to look for sensitive data, access controls should be reviewed regularly, and suspicious behavior and potential security risks should trigger alerts and remediation.
These solutions monitor and analyze agency file systems, Active Directory and email activity, automatically detecting suspicious activity and triggering alerts. In response, solutions like Varonis’ can then quarantine and mitigate via an automated security policy.
Iron Bow is the only federal reseller going through our certification to sell and provide Varonis Professional Services. We’re partnered together to help you not only meet federal compliance, but also ensure your sensitive information remains protected. Get a free risk assessment to learn more: https://info.varonis.com/start?ref=home