COVID-19 Challenge Highlights Need for Changes in Government Cyber Security April 10, 2020

kpmg.com


COVID-19 presents an unprecedented challenge to our government clients. The spread of COVID-19 has created uncertainties in service delivery, supply chain continuity and employee engagement, but one thing that has not changed is the ever-present cyber threat landscape. Government clients are performing triage activities to continue their current cyber operations and expand services to protect remote workers. On top of these challenges, many government organizations must now look at how they transition their security operations offsite.

Over the last decade, technology has revolutionized our everyday life and transformed the way we interact with the world.

— Digital technology is now ubiquitous.

— Digital collaboration is woven into everyday life.

— AI is available at our fingertips, fueled by the availability of staggering volumes of data.

Government data is disproportionately valuable to our economy and for citizen services, and foundational to almost all government decision-making. These data are generated from millions of interconnected devices, and managed by thousands of government systems. Therefore, cyber security is a critical element of nearly every government mission. The government still needs Defense-in-Depth cyber security, to include endpoints, applications, the network, the perimeter, remote/mobile access, and its hybrid cloud environments. However, these layers of defense need to continuously evolve and move to zero trust. Zero trust is not a thing you buy, it is a security design approach. This paper examines how the government can begin zero-trust implementation through movement of their cyber security to commercial clouds.

Key Cloud Security Needs

Instead of compounding layers of various cybersecurity products on our perimeter, we need to rethink our architecture. We need to emphasize security at the development layers, on the data, and at system integration, and spend less time on transient security solutions. As an example, the government has had a heavy emphasis on endpoint security, but we need to rapidly mature our security around our data layer. The concepts of patching and continuous monitoring are modernized through use of virtualization and containerization, which add security, agility, speed, and efficiency. At the core, automation must be incorporated at every layer of the defensive stack and tied to our mission and data, creating a more sustainable security environment that is less dependent on scarce resources and more focused on automated processes and analytical skills.


© 2020 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.


Organizations can no longer use traditional network devices as the security boundary; this does not take advantage of the agility of cloud services. Authentication is the new security boundary. We must overcome the inability to trust our senses. Encryption keys have become the new password in the cloud, and ensuring keys are properly managed throughout their lifetime is essential for effective cloud security. Challenges with encryption include:

— Key Management: if you lose control of your keys, you lose your data.

— Encryption at high speeds, both from the network and from vulnerability standpoints.

Quantum computing seems like a distant problem, but in 10 years, quantum computing may be able to crack today’s encryption. We need to incorporate quantum-resistant encryption into our systems now if possible, and our solutions today must have crypto-agility baked in so they can be upgraded in 2022-2023 when NIST approves quantum-resistant encryption.


As we evolve our cybersecurity architecture, we need to continue to move toward zero-trust architecture to help us to address an increasingly mobile workforce, authentication challenges like deep fakes, and increasingly complex cyberattacks. Implementing zero-trust must include:

— Strong Identity Management

— Modern, capable software defined networks

— Building a cyber-awareness culture

— Advanced analytics

— Zero trust must include the full supply chain—products, services, or companies, and we must effectively mitigate third-party risk. We can’t assume items out-of-the-box are necessarily secure.

Zero-trust will be implemented incrementally. The first step of this implementation is migrating on-premises perimeter security technology to the cloud.

The next evolution in our security path is moving toward commercially available, best-practice, threat-based security analytics frameworks to understand how adversaries will attempt to attack us. AI and ML are embedded in more and more cyber security products to detect anomalous activity, and they provide a lot of future value to reduce workloads, prioritize human resources on high-value activities, and eliminate human errors. However, additional AI/ML capabilities are needed. Only in a cloud environment do you have the elastic capability to bring together cyber data with AI/ML and sufficient compute to effectively combat the evolving cyber threats and potential AI-powered cyber-attacks.

As we build our hybrid cloud security architecture, it is clear that the cybersecurity services currently on the market are addressing the symptoms of outdated and legacy systems instead of the causes. Current products are too complex and lack continuous modernization, and we have too many agents/tools on any one endpoint, degrading the user experience. The cloud service provider becomes a partner in providing cybersecurity services along with the internal cybersecurity controls that are in place. Open standards for cloud service security APIs could reduce the cost of integration and focus efforts on better security features and real-time automated defensive actions. This agility is only possible in a commercial cloud environment.

Need to Move Security to the Cloud


Other Cyber Considerations

Your cyber security architecture should include implementation of micro-virtualization (application-level isolation from the OS) and micro-segmentation (dividing the network and reducing the number of users per network segment). We also need to eliminate all permanently elevated user accounts to minimize insider threats. Dual stacking of IPv4/IPv6 is common but should be removed as soon as practical in favor of operating IPv6 only. Ensure your 5G deployments are secure, including base stations that provide edge computing. Establish cyber hunt capabilities to identify and combat Advanced Persistent Threats (APTs). Identify and deploy advanced cyber tools around high-value assets (databases, systems, networks), and also analyze mission-essential systems for resiliency, redundancy and automated failover capabilities.

One of the basic tenets of cybersecurity is knowing who has access to what data. Identity management is the “who” and becomes even more critical in cloud environments because you cannot rely on traditional security perimeters. Organizations need to create a centralized authoritative source to store identities and manage access to systems for users both within and external to the organization. This allows us to enforce the use of strong authentication, privileged access and provisioning of access through automated means.

How KPMG can help

No matter what stage of development your security program is in today, KPMG LLP can help you accelerate moving your cyber program into the cloud. Our proven, scalable KPMG Intelligent Cyber Analytics Program (kiCAP) can propel your security organization with the adoption of AI-powered cyber security and cloud-based zero-trust, and does not require orchestration or legacy cyber solutions. KPMG offers a well-tested and qualified team of more than 3,000 global cybersecurity professionals with deep government and commercial experience. We have advanced cyber security services and proven methodology to enable clients to build trust in their systems and data. We understand compliance requirements around data and will help ensure cyber security and privacy are included upfront. We can establish and maintain a cyber security program that protects the enterprise while maintaining agility, even if you do not have a large or mature cyber security program. And we build long-lasting relationships with our clients.

The approach commonly referred to as SecDevOps provides an opportunity for government to incorporate security into agile code development upfront rather than bolting it on after the fact to meet security requirements. Systems deployed in the cloud are inherently secure because their continuous development/integration process automates vulnerability scanning, source code reviews, and secure configurations prior to being released. This affords us the ability to more rapidly deploy secure applications within the cloud.

We need to have holistic security visibility into our services and networks. This means building a managed service that provides secure network connectivity to all CSPs via a virtualized security stack at Internet peering points. A virtualized stack will prevent bottlenecks and allow for a consumption-based pricing model. The network must include automated countermeasures to combat DDoS attacks. We need to continuously monitor traffic to and from our cloud service providers, including visibility into containers and encrypted traffic. We need to scan and monitor our cloud services and applications to allow for fast detection and remediation of vulnerabilities. Real-time analysis and rapid-response forensics are also critical. The SOC serves as the central nexus for network monitoring, incident response, cyber threat intelligence collection, and cross-agency threat information sharing. The modern SOC should move away from a product and orchestration focus to a remote cloud-based SOC providing real-time security posture assessments, taking pre-scripted actions, and building real-time cyber/compliance risk profiles and dashboards. It is also time to harmonize or even merge organizational Network Ops Centers (NOCs) with SOCs because the network is an important tool in protecting your enterprise.


KPMG LLP, 8350 Broad Street, McLean, VA 22102, www.kpmg.com/us

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation.

© 2020 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Printed in the U.S.A. The KPMG name and logo are registered trademarks or trademarks of KPMG International.

kpmg.com/socialmedia

Tony Hubbard, Principal, KPMG LLP Government Consulting. Work: 202-486-4945 Mobile: 202-486-4945 [email protected]

Kathy Cruz, Director, KPMG LLP Government Consulting. Work: 916-554-1186 Mobile: 916-792-3976 [email protected]

Joe Klimavicz, Managing Director, KPMG LLP Government [email protected]

Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates or related entities.