
Page 1: The Changing Face of Data Security in the Federal Government. · certification process. ... In comparison to global Federal Governments, the U.S. Federal Government is ... respondents

2019 Thales Data Threat Report Federal Edition 1

thalescpl.com

The Changing Face of Data Security in the Federal Government. 2019 Thales Data Threat Report Federal Edition

#2019DataThreat


About this study

This report is based on a global IDC web-based survey of 1,200 executives with responsibility for or influence over IT and data security from nine countries and a range of industries, with a primary emphasis on healthcare, financial services, retail, and Federal Government organizations. Job titles range from C-level executives, including CEO, CFO, Chief Data Officer, CISO, Chief Data Scientist, and Chief Risk Officer, to SVP/VP, IT Administrator, Security Analyst, Security Engineer, and Systems Administrator. Respondents represent a broad range of organizational sizes, with the majority ranging from 500 to 10,000 employees. The survey was conducted in November 2018.

This report focuses on the findings from the 100 U.S. Federal Government respondents, providing comparisons and contrasts to other U.S. vertical markets. For global roll-up findings and analysis, please see www.thalesesecurity.com/dtr.


Contents

Our Sponsors:

04 Executive Summary
06 Key Findings
07 Federal Government agencies are playing digital transformation catch-up
08 Are Federal agencies finally approaching a security spend ceiling?
09 Threat vectors for Federal Governments are broadening
12 Respondents believe they have adequate security (which may be a false sense of complacency)
14 Increasing complexity in Federal data environments is a top barrier to data security
16 Federal Government agencies are broadly adopting clouds for their sensitive data
16 Agencies are taking a multi-layered approach to security
17 Federal Government's aspirational desires may outstrip budget realities
20 Regulatory and compliance changes introduce new challenges
21 Federal Government encryption rates are low
23 Cloud data security concerns
24 Overall cloud security concerns
24 Software as a Service
25 Infrastructure as a Service
25 Platform as a Service
26 Security concerns and methods of alleviation by data technology environment
27 Mobile payments
28 Internet of Things
28 Big data
29 Containers/Docker
29 Blockchain
30 IDC guidance/key takeaways
31 Principal analyst profiles


Executive Summary

Digital transformation (DX) is fundamentally impacting all aspects of the economy and all industries, and government is no exception. U.S. federal datacenters are facing unprecedented pressure to move quickly into an era of digital transformation. It will take time, but greater efficiencies and economies of scale will result. Because datacenter transformation is risky and highly complex, it is important that vendors in this arena implement appropriate data best practices that give agencies the foundation they need for high-quality, secure transformation efforts.

Digital transformation is enabling new and transformative ways to provide constituent services and drive greater efficiencies that enable governments to do more with fewer taxpayer dollars. And while some agencies are at the vanguard of DX (e.g. the Defense Department, the Department of Homeland Security) and others may be information laggards, digital transformation is leaving its mark throughout the U.S. Federal Government, with profound impacts on information and data security. IDC is seeing federal agencies facilitate DX through their use of 3rd Platform technologies to create value and to reduce business process friction, via powerful new tech solutions, new business models, and new relationships.

Our research for this study shows that DX is a current reality for many U.S. Federal Government agencies, with 38% of respondents in our study saying they are either aggressively disrupting the markets they participate in or embedding digital capabilities that enable greater organizational agility.

Agencies are being spurred on by the requirements of the Data Center Optimization Initiative (DCOI) and by competitive prices for cloud-based solutions that have gone through the federal FedRAMP cloud certification process.

While DX is driving benefits to agencies and constituents alike, it is introducing new difficulties for information security professionals, including the potential to put government secrets and constituents' sensitive data at risk. This could be a big opportunity for third-party datacenter and cloud operators that have gone through FedRAMP and the Department of Defense (DoD) Cloud Computing Security Requirements Guide (SRG) up to Impact Level 5. Federal agencies are still following the lead of other industries in seeking streamlined and efficient third-party datacenter facilities, but such facilities must still meet stringent federal security requirements. For the DCOI, cost reduction through consolidation and optimization is the key goal of the directive.

Vendors with solutions that can help agencies achieve compliance often have a ready audience among IT systems managers. But, not only must security professionals deal with a threat environment in which 60% of U.S. Federal Government respondents report that they have been breached — 35% in the past year alone—but they must also face an ever-expanding threat environment including state-sponsored hackers, cyber-criminals, and malicious internal actors.



Government agencies are obvious targets for international hacking attempts. Governments not only need to protect state secrets, but they also have a solemn trust to protect their constituents' sensitive personal data. Upgrading their underlying infrastructure as part of a DX journey creates risk. For instance, entrusting a greater amount of sensitive data to new technologies like the cloud, and to edge technologies such as mobile devices and the Internet of Things, causes attack vectors to move further away from a centralized area of control. In many cases, addressing increased risk falls to agency-level Chief Security Officers (CSOs). Their challenges range from being able to find and hire qualified security staffers to worrying about protecting employee credentials. Many are looking for the latest in edge security technologies to help them protect their infrastructure and data.

A multi-layered approach to security has long been touted as the answer to creating a robust program. As DX expands the number and position of attack vectors, the layers of security must expand and reposition to address new needs. Federal Government respondents understand this and are shifting their security focus accordingly. While network security continues to be a core focus with 36% of U.S. Federal Government respondents, they are now putting a nearly equal amount of emphasis on data security and application security, each area receiving 32% of respondents’ focus. But implementing a multi-layered approach to security isn’t easy, and while Federal Government security budgets continue to grow, needs and wish-lists are growing even faster.

To address these needs, agencies require flexible, consolidated security platforms that will enable them to manage greater amounts of complexity and span legacy on-premises access control and other security needs as well as modern cloud-based and edge-oriented technologies, plus encryption and key management solutions.


01 Key Findings


Federal Government agencies are playing digital transformation catch-up

Although many Federal Government agencies have been late to the game, our study shows that across the board, digital transformation (DX) is well underway in Federal Governments. 38% of U.S. Federal Government respondents in our survey believe they are in one of the two most-advanced DX categories, characterized by aggressively disrupting their markets or embedding digital capabilities into the enterprise tightly linked to an agile management vision.

This is slightly ahead of U.S. healthcare respondents, but trails both the U.S. retail and financial services industries (Figure 1).

In comparison to global Federal Governments, the U.S. Federal Government is further along in its DX transformation. Only 27% of non-U.S. Federal Government respondents say they are in one of the top two categories, the lowest amount of any vertical in the study.

U.S. Federal Government agencies are also facing their share of challenges. Many CIOs have direct report connections to top agency management. But many still lack the decision-making authority or the staff and funding to deliver on broader agency goals. Without increased authority and funding, agencies tend to take shorter-term approaches to IT projects, including security-related projects, tackling smaller projects, or nursing older systems along for extra years. This makes broader digital transformation challenging and makes security piecemeal rather than fully enterprise-ready.

Digital transformation is also introducing a disconnect between the more advanced agencies, such as DOD, NSA, and NASA, and agencies that remain behind the curve. And while on the surface it may seem that the DX “haves” are in a better place than the “have-nots,” the former have their own set of challenges to address. They must apply security architectures across old infrastructures while simultaneously rolling out new cloud-based, digitally transformative technologies. Ironically, they may face even greater challenges as they look to secure a wider variety of IT infrastructures.


Figure 1 – Digital transformation stance
Source: 2019 Thales Data Threat Report Survey, IDC, November, 2018
Two series are charted for each of Federal, Healthcare, Retail and Financial Services: "Aggressively disruptive in our use of new digital technologies and business models to affect markets" and "Digital capabilities are embedded in the enterprise and tightly linked to an agile management vision". The extracted values (17%, 21%, 23%, 14%, 27%, 15%, 27%, 22%) cannot be assigned to a vertical and series from the extracted figure; the text gives the Federal total across the two series as 38%.


Are Federal agencies finally approaching a security spend ceiling?

As U.S. Federal Government agencies work to play catch-up in their DX initiatives and in IT security, they have enjoyed healthy budget increases over recent years. Our survey supports this, showing that U.S. Federal Government respondents are spending a greater percentage of their IT security budget on data security (16%) than their non-U.S. counterparts (15%) or the global sample (15%).

Our survey additionally provides evidence that this security spend continues to increase. This year, 60% of U.S. Federal Government respondents told IDC they expect to increase their security budget spending, significantly higher than the 50% in our global sample, and second only to U.S. retail, in which 62% said they would increase spending (see Figure 2).

Nevertheless, this is still significantly down from the 93% of U.S. Federal Government respondents who said they expected an increase in security spending last year. In comparison, 50% of non-U.S. Federal Government respondents said they would increase their security spend, matching the global sample.

Of course, the budget conversation differs from agency to agency. DoD, Homeland Security, and Energy will always have the budget they need to address security. Other agencies may not. When budgets are tight, agencies get creative and look to commercial off-the-shelf solutions to help them meet their IT goals. While commercial enterprises continue to leverage public cloud services to augment on-premises resources, they are also looking to utilize many of the technologies in the public cloud in their own datacenters to drive the same economic, agility, and efficiency gains. But in the case of government, public cloud still must meet specific standards as laid out by the FedRAMP process and other requirements to qualify as a government cloud provider.

Figure 2 – IT security spend (U.S. Federal Government respondents)
Source: 2019 Thales Data Threat Report Survey, IDC, November, 2018

          Decrease   About the same   Increase
  2018        1%            6%           93%
  2019       15%           25%           60%


IDC believes that, as in other industries, this will drive a wave of federal datacenter technology service spending on consulting services, integration services, and security services. In fact, respondents to IDC’s 2016 Enterprise Datacenter Survey indicated that infrastructure integration services and security services represent the top two areas of spend in their datacenter transformation initiatives. Government will see a similar impact, though it will not be as pronounced as what will be seen in other industries.

Despite all the Federal IT security spending largesse, budget expansions will not be able to increase forever. And as security needs continue to cross multiple environments, on-premises as well as emerging cloud environments, agencies will need to implement security tools and platforms designed for modern, hybrid, and multi-cloud architectures, not jury-rigged from legacy technologies. Cloud-based solutions delivered "as a service" and "as a platform" that cross environments are examples of such solutions that can eliminate cost and complexity and make the job more manageable.

Threat vectors for Federal Governments are broadening

A significant number of Federal Government agencies report having experienced a breach. 60% of U.S. Federal Government respondents say they have been breached at some point in their history, the same figure as in the global sample, and somewhat lower than the other U.S. verticals in the study (Figure 3).

Meanwhile, new edge devices, including sensors, security monitoring systems, and the world's ever-expanding Internet of Things (IoT), are creating a rapidly expanding set of data for governments, quickly growing to hundreds of terabytes. Potentially, all data in motion can be tracked, evaluated, directed to specific resources, and managed. The potential for business transformation during these transitional periods is huge, and it is an area of growing research at universities as well as within the government.


Figure 3 – Breach incident rates (at any time)
Source: 2019 Thales Data Threat Report Survey, IDC, November, 2018
U.S. Federal Government: 60%. The other U.S. verticals (Healthcare, Retail, Financial Services) are charted at 62%, 62% and 70%; which value belongs to which vertical is not recoverable from the extracted figure.


Of course, all these new devices also introduce new points of presence that need to be protected. Federal Government respondents believe they are more vulnerable to security threats than most other industries. While 82% of U.S. Federal Government respondents acknowledge they are vulnerable to data security threats, 42% call themselves "very" or "extremely" vulnerable, compared to 37% of non-U.S. government respondents and 34% in the global sample (see Figure 4).

Complicating life for Federal Government agencies, the threat vectors they face are extremely broad. Respondents’ top concerns regarding data security threat actors are cyber-criminals and cyber-terrorists. Federal Government respondents, consistent with their role, place somewhat greater emphasis on the threat of terrorism and somewhat less on cyber-criminals than in the global sample (see Figure 5). The probing of federal networks by China, Russia, and others is constant, and while few cyber-terrorist activities are apparent, the preparation for such activities in the future is huge.

Figure 4 – Very/extremely vulnerable to data security threats
Source: 2019 Thales Data Threat Report Survey, IDC, November, 2018

  Global                        34%
  U.S. Federal Government       42%
  Non-U.S. Federal Government   37%

Figure 5 – Greatest data security threats (U.S. Federal Government vs. Global; per-actor values are not recoverable from the extracted figure)
Source: 2019 Thales Data Threat Report Survey, IDC, November, 2018
Threat actors charted: Cyber-criminals; Cyber-terrorists; IT system/network/cloud/database and other administrators; Partners with internal access; Service provider accounts; Hacktivists (non-nation states with political goals); Executive management; Competitors (industrial espionage); Ordinary (non-privileged) employee accounts; Other (non-privileged) IT accounts; Contractor accounts; Nation-states.


But government agencies cannot ignore internal threats either, with privileged IT administrators, partners with internal access, and service provider accounts rounding out the list of the top five threats. Even as they shift focus to external threats, guarding against insiders remains vitally important.

At the federal level, IT security is often coupled with physical security concerns (border monitoring, defense perimeters, building access, infrastructure monitoring, police communication, etc.). This is related to the growing number of edge devices mentioned previously. Things like door sensors, border alarm triggers, and more need to be protected as part of the broader government network.

Respondents believe they have adequate security (which may be a false sense of complacency)

Federal Government organizations generally believe they have adequate security. 79% of U.S. Federal Government respondents rate the security they provide for new technology deployments as "very" or "extremely" secure, which is generally in line with other U.S. verticals, but significantly higher than non-U.S. Federal Government respondents and the rest of the global sample (see Figure 6).

However, respondents may have a false sense of complacency. When asked about factors impacting IT security spending decisions, data breaches were toward the bottom of the list: 24% said they are working to avoid financial penalties resulting from a data breach, and 30% said they are motivated by a breach having occurred in the past. The #1 factor was agencies looking to implement best practices, cited by 44% of respondents.

Figure 6 – Security level of new technology deployments
Source: 2019 Thales Data Threat Report Survey, IDC, November, 2018

                               Global   U.S. Federal Government   Non-U.S. Federal Government
  Very/extremely secure          66%              79%                       55%
  Moderately secure              22%              15%                       31%
  Not secure/a little secure     12%               6%                       14%


Increasing complexity in Federal data environments is a top barrier to data security

Data environments are increasingly complex. This is true throughout all industries’ IDC studies, and is certainly true for U.S. Federal Government respondents as well. Agencies such as DOD, Department of Energy, NASA, and the Justice Department have particular challenges. These agencies endure thousands of hacking attempts every day. They also have vast perimeters to protect in environments where both man-made and environmental threats are ongoing. For them, high availability and business continuity is a large part of their security posture.

Workloads that used to be handled by a single on-premises environment are now being augmented with multiple IaaS and PaaS environments, as well as tens and even hundreds of SaaS applications. And even as they shift new workloads to the cloud, agencies must still maintain mission-critical applications that run in on-premises environments. An enormous driver of complexity is the increase in the number of cloud environments Federal Government agencies are now supporting (see Figure 7).

Figure 7 – Number of cloud environments in U.S. Federal Government agencies
Source: 2019 Thales Data Threat Report Survey, IDC, November, 2018

  IaaS and PaaS environments (the two series are 19%/64%/17% and 24%/57%/19%; which is IaaS and which is PaaS is not recoverable from the extracted figure):
    One              19%   24%
    Two or three     64%   57%
    Four or more     17%   19%

  SaaS applications:
    10 or fewer      20%
    11 to 50         36%
    More than 50     44%


Managing multiple cloud instances introduces new challenges for Federal Government IT departments. It’s hard enough to provide encryption, tokenization, visibility, and access to sensitive data within a single cloud instance, let alone dozens of them. Just like in the global sample, U.S. Federal Government respondents rated complexity as their number one perceived barrier to implementing data security, well above all other considerations (see Figure 8). It’s not the lack of staff, budget needs, or organizational buy-in that are the primary elements holding U.S. Federal Government agencies back.

Cloud is not the only means by which digital transformation is achieved. But it is an increasingly popular path. It is having a disruptive impact within the datacenter, with systems integrators, and on networking solutions. In some cases, agencies will build out cloud-like network infrastructure as they work to meet application and workload demands. This in turn will help boost their agility and it should also be an opportunity to improve their security posture.

IDC has noted a small but growing number of federal agencies hosting systems that also are used by state or local agencies, raising cross-jurisdictional security challenges. The most noteworthy example of this is within the Justice Department, and the way data is collected and shared with the FBI and state- and city-level police departments and courts. We also have seen joint systems related to Medicare and Medicaid management.

Just like in the global survey, this is a powerful message. Government agencies are looking to get data security right and have the budget and the organizational backing to do so.


Figure 8 – Perceived barriers to implementing data security (U.S. Federal Government vs. Global; per-barrier values are not recoverable from the extracted figure)
Source: 2019 Thales Data Threat Report Survey, IDC, November, 2018
Barriers charted: Complexity; Lack of staff to manage; Lack of budget; Lack of perceived need; Lack of organizational buy-in/low priority; Concerns about impacts on performance and business process.


Federal Government agencies are broadly adopting clouds for their sensitive data

Not only are government agencies deploying numerous cloud environments, but clouds have emerged as a leading repository for sensitive data. Roughly 78% of U.S. Federal Government respondents say they use at least one of the three flavors of cloud (SaaS, PaaS, and IaaS) to store sensitive or regulated data. These cloud usage rates for sensitive data are well above the rates in the global sample (see Figure 9).

But government agencies need to be aware that using cloud providers does not entirely alleviate the burden of data security. They need to pursue a shared security model between themselves and their cloud providers in which the underlying infrastructure is secured by the PaaS, IaaS, or SaaS provider, but the agencies take on responsibility for ensuring data protection methods like encryption, tokenization, and masking within their own environments to ensure protection when data moves between SaaS applications or migrates to other applications.
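The following Go program is an added illustration of the agency's side of that shared model for a single record; it is not code from the report, from Thales or from IDC. A Social Security number is tokenized before it reaches a SaaS application, with the HMAC key and the token-to-value mapping held in an agency-side vault, and a free-text field is envelope-encrypted: a fresh per-record data encryption key (DEK) protects the field, and only the DEK, wrapped under an agency-held key encryption key (KEK), travels with the ciphertext. The provider therefore stores material it cannot open. The vault key, the KEK and the record contents are constructed for the example; in practice the KEK would live in an HSM or key manager (both appear in Figure 12), and masking, the third control the text names, is just display-side truncation and is not shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Vault is the agency-side tokenization store: the HMAC key that derives tokens
// and the token -> original mapping. Assumption: neither ever leaves the agency.
type Vault struct {
	key     []byte
	entries map[string]string
}

// Tokenize derives a keyed, non-reversible token and records the mapping so the
// agency can recover the original. Tokens are deterministic, so the SaaS can
// match equal values, which also means it learns when two values are equal.
func (v *Vault) Tokenize(value string) string {
	mac := hmac.New(sha256.New, v.key)
	mac.Write([]byte(value))
	tok := fmt.Sprintf("tok_%x", mac.Sum(nil)[:8])
	v.entries[tok] = value
	return tok
}

// Detokenize looks the original back up; only the agency holds the mapping.
func (v *Vault) Detokenize(tok string) (string, bool) {
	val, ok := v.entries[tok]
	return val, ok
}

// Envelope is what the cloud stores: the field encrypted under a per-record DEK,
// plus that DEK wrapped under the agency's KEK. Neither part yields the
// plaintext without the KEK.
type Envelope struct {
	WrapNonce, WrappedDEK, DataNonce, Ciphertext []byte
}

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM under a fresh random nonce.
func seal(key, plaintext []byte) (nonce, ct []byte, err error) {
	g, err := aead(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, g.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, g.Seal(nil, nonce, plaintext, nil), nil
}

func open(key, nonce, ct []byte) ([]byte, error) {
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, nonce, ct, nil)
}

// Encrypt is envelope encryption done inside the agency: a fresh 256-bit DEK
// protects the field; the KEK (an HSM or key-manager key in practice, a plain
// byte slice here) only ever wraps DEKs and is never sent to the provider.
func Encrypt(kek, plaintext []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	wn, wdek, err := seal(kek, dek)
	if err != nil {
		return nil, err
	}
	dn, ct, err := seal(dek, plaintext)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrapNonce: wn, WrappedDEK: wdek, DataNonce: dn, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK and opens the data. A wrong KEK or a modified envelope
// fails GCM authentication instead of yielding garbage.
func Decrypt(kek []byte, e *Envelope) ([]byte, error) {
	dek, err := open(kek, e.WrapNonce, e.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap DEK (wrong KEK or tampered envelope): %w", err)
	}
	return open(dek, e.DataNonce, e.Ciphertext)
}

func main() {
	kek := make([]byte, 32) // agency-held KEK: random here, from an HSM/KMS in practice
	rand.Read(kek)
	vault := &Vault{key: []byte("agency-tokenization-key"), entries: map[string]string{}} // constructed key
	env, _ := Encrypt(kek, []byte("benefits case 42"))                                  // constructed record field
	fmt.Printf("to SaaS: ssn=%s, note=%d ciphertext bytes\n", vault.Tokenize("123-45-6789"), len(env.Ciphertext))
	_, err := Decrypt(make([]byte, 32), env) // what a provider holding only the envelope gets
	fmt.Println("provider-side decrypt:", err)
}
```

Two design points worth noting. The per-record DEK means the KEK is only ever used to wrap 32-byte keys, which keeps the number of GCM invocations under the KEK small; with random 96-bit nonces that count should stay well below 2^32 before the KEK is rotated. The deterministic HMAC token is convenient for lookups and joins inside the SaaS, but if equality between records must also be hidden from the provider, the vault should issue random tokens instead and rely solely on its mapping.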

Agencies are taking a multi-layered approach to security

In the past, when most data was located on-premises, governments placed a great amount of security focus on network and device security. Their focus was on protecting the perimeter, backed up by device-level defenses within the firewall. There used to be a "two-for-one" spending effect in that the money spent on network security also protected the organization's data. Today there remains a significant emphasis on network security in the Federal Government because networks are used for spying, and to plan (if not fully execute) cyber-terrorism. However, this is now changing, with an increasing amount of budget and focus shifting back toward balance with data and application security.


Figure 9 – Environments used to store sensitive/regulated data (U.S. Federal Government vs. Total; per-environment values are not recoverable from the extracted figure)
Source: 2019 Thales Data Threat Report Survey, IDC, November, 2018
Environments charted: Infrastructure as a Service (IaaS) environments; Software as a Service (SaaS) applications; Platform as a Service (PaaS) environments; Big data environments (Hadoop, NoSQL, etc.); Mobile payments; Internet of Things platforms; Containers/Docker images; Social media; Blockchain.


In this year's study we found that Federal Government respondents are putting only slightly less emphasis on data security (issues such as data-loss prevention, digital rights management, encryption, and PKI) than on network security (including endpoints, firewalls, UTM), and an equal amount on application security (software development security, DevSecOps, vulnerability scanning) (see Figure 10). At 32% of their focus, U.S. Federal Government agencies are putting only slightly less emphasis on data security than the healthcare (36%) and retail (35%) industries.

Federal Government’s aspirational desires may outstrip budget realities

As they continue making inroads in their digital transformation stance, agencies interviewed for this study have big plans for adding to their information technology infrastructures. Adoption levels for foundational technologies such as cloud, social media, mobile, and Internet of Things generally fell between half and three-quarters of respondents (see Figure 11 on the next page), and most Federal Government agencies who do not have those technologies say they are planning to implement them over the next 12 months.

Figure 10 – Proportion of security focus
Source: 2019 Thales Data Threat Report Survey, IDC, November, 2018

                         Federal   Healthcare   Retail   Financial Services
  Network security         36%        33%        35%           36%
  Data security            32%        36%        35%           32%
  Application security     32%        31%        30%           32%


Government security professionals in our survey also have ambitious plans for adopting data security technologies. Roughly half the organizations surveyed currently support a wide variety of data security technologies. Of those that don’t, the vast majority say they plan to implement these technologies in the next 12 months (see Figure 12). Particularly notable are data-loss prevention, whose rate of implementation is 12% higher than in the global sample, digital rights management (7% higher), third-party key management (7% higher), and multi-factor authentication (7% higher).

IDC cautions readers to keep in mind that these are aspirational plans, and that they likely speak to adoption but not penetration. Many of these technologies don’t have 50% total accessible market (TAM) penetration today and won’t be over 75% a year from now. It’s likely that these penetration percentages speak to individual pockets of the organization, such as isolated DevOps teams, and not to full-scale deployments.

Figure 11 – Technology adoption levels – Federal Government
Source: 2019 Thales Data Threat Report Survey, IDC, November 2018

                                                  Currently using   Plan to use in the next 12 months
Social media                                            79%                    17%
Software as a Service (SaaS) applications               78%                    18%
Internet of Things platforms                            75%                    20%
Mobile payments                                         74%                    17%
Infrastructure as a Service (IaaS) environments         71%                    23%
Platform as a Service (PaaS) environments               65%                    30%
Big data environments (Hadoop, NoSQL, etc.)             60%                    32%
Containers/Docker images                                54%                    31%
Blockchain                                              47%                    40%

Figure 12 – Data security technology adoption levels – Federal Government
Source: 2019 Thales Data Threat Report Survey, IDC, November 2018
Series: Currently implementing; Plan to implement in the next 12 months (scale 0% to 100%)
Technologies shown: Data loss prevention (DLP); Multi-factor authentication; Identity and Access Management (directories, access controls, SSO, etc.); Privileged user access management; File encryption; Cloud Access Security Broker (CASB)/Cloud Encryption Gateway; Digital Rights Management; Enable encryption capabilities in cloud services (IaaS, PaaS, SaaS); Database encryption; Deploy 3rd-party key management; Hardware Security Modules (HSMs); Application layer encryption; Data masking; Data access monitoring; Full Disk Encryption; Tokenization

Nevertheless, these are notable adoption plans, the extent of which becomes even more evident when considering that security budgets, while healthy, are not unlimited. Security professionals are going to need to be thoughtful with their security spend and to look for solutions that allow them to do more with less.

Regulatory and compliance changes introduce new challenges

Data privacy and sovereignty are critical considerations for U.S. Federal Government agencies. They must deal with myriad laws and initiatives, including FIPS, NIST, FISMA, and FedRAMP, although they may have other hoops to jump through for select IT systems.

• Federal Information Processing Standards (FIPS) apply to non-military government agencies and to systems operated by government contractors. These standards have been in effect for many years, and some pre-FIPS standards dating back to the 1980s were blended into FIPS when it became formalized. The standards are multi-part and are updated and added to on occasion, which means IT systems need to be flexible enough to adhere to new standards when they’re issued.

• Earlier this year, NIST updated its Framework for Improving Critical Infrastructure Cybersecurity. Now in version 1.1, it extends beyond just government to include suggested security structures and approaches for industries that are fundamental to national and economic security, including energy, banking, communications, and defense-focused industries. It’s heavily focused on authentication and identity, self-assessing cybersecurity risks, managing cybersecurity within the supply chain, and vulnerability disclosure.

• The 2002 Federal Information Security Management Act (FISMA) established a comprehensive framework to protect government information, operations, and assets against natural or man-made threats. It’s heavily focused on things like categorizing information to be protected, defining how the information will be protected, and setting up minimum baseline controls. Much of FISMA is still in effect and needs to be part of an agency’s security posture.

• FedRAMP is a process that IT vendors can go through to have their cloud-based IT offerings reviewed and certified via GSA and third-party assessment services. The cloud providers’ offerings are reviewed for compliance with FISMA, FIPS, and other IT security rules, as deemed appropriate for each system.

These compliance requirements are clearly driving a significant portion of organizations’ data security efforts. Encryption was the primary strategy used to address data privacy and sovereignty by Federal Government respondents, although its usage rate was at lower levels than in other industries (36%, Figure 13). Compared to other industries in the study, U.S. Federal Government agencies are more likely to rely on their cloud provider (20%) or tokenization (17%). Alarmingly, they are also more likely to say they are not impacted by privacy/sovereignty regulations than other industries (14%).

Federal Government encryption rates are low

Despite the recognition of the importance of protecting sensitive data, encryption rates in our study are surprisingly low. Much like in the global sample, 30% or fewer of government agencies say they use encryption for most use cases studied, including disk encryption within datacenters, from cloud providers, in big data environments, in databases, within mobile devices, and in IoT environments. Encryption for PC data at rest topped the list at 33% of Federal Government respondents using it. Given the high usage of sensitive data, these low rates of encryption pose a risk to agencies.

Figure 13 – Data privacy/sovereignty stance
Source: 2019 Thales Data Threat Report Survey, IDC, November 2018
Series: Federal; Healthcare; Retail; Financial Services
Responses shown: We are encrypting any personal data we collect or process that is subject to data privacy/sovereignty regulations; We are utilizing local hosting or cloud providers to remain compliant with data privacy/sovereignty regulations; We are tokenizing any personal data we collect or process that is subject to data privacy/sovereignty regulations; We are migrating customer data to new locations to remain compliant with data privacy/sovereignty regulations; Our organization will not be impacted by any local, national or regional data privacy/sovereignty regulations; Other

Comparing U.S. Federal Government data to both non-U.S. Federal Government and the global sample yields some interesting gaps (see Figure 14). U.S. Federal Government respondents are significantly less likely to use encryption in a variety of areas, including specific files and fields in databases, file system and volume encryption for sensitive servers within the datacenter, and from public cloud providers. On the other hand, U.S. Federal Government agencies are likely to use encryption in other manners to safeguard some of this data. They are more likely to use encryption to safeguard IoT applications, to use full-disk encryption for sensitive servers in the datacenter, and to select public cloud providers that offer native encryption.

Figure 14 – Encryption use rates – Federal Government
Source: 2019 Thales Data Threat Report Survey, IDC, November 2018
Series: U.S. Federal Government; Non-U.S. Federal Government; Global total (scale 0% to 35%)
Use cases shown: Public cloud (IaaS, PaaS and SaaS) environments; File system/volume encryption within our data centers; Full Disk Encryption (FDE) within our data centers; PCs (data at rest); IoT applications; Cloud native provider encryption

02 Cloud data security concerns

Overall cloud security concerns

With cloud emerging as a critical environment for data, we asked about respondents’ concerns when it comes to cloud data security, both overall and for each type of cloud. Overall, Federal Government respondents’ concerns cover a range of issues, with business stability of the provider, ability to meet compliance requirements, and breaches at the service provider at the top of the list (see Figure 15). Not surprisingly, government respondents are more concerned about meeting compliance requirements than other industries in the study.

Software as a Service

Looking specifically at software as a service (SaaS), Federal Government respondents had a similarly broad set of concerns, with their top concerns being encryption of data within the service provider’s infrastructure, encryption with the ability to store and manage keys locally, and exposure of security monitoring (Figure 16).

Figure 15 – Primary overall cloud data security concerns
Source: 2019 Thales Data Threat Report Survey, IDC, November 2018
Series: Federal; Healthcare; Retail; Financial Services (scale 0% to 60%)
Concerns shown: Security of my organization's data if the cloud provider fails or is acquired; Security breaches/attacks at the service provider; Lack of a data privacy policy or privacy service level agreement; Managing, monitoring and deploying multiple cloud native security tools; Meeting compliance requirements

Figure 16 – Primary SaaS data security concerns
Source: 2019 Thales Data Threat Report Survey, IDC, November 2018
Series: Federal; Healthcare; Retail; Financial Services (scale 0% to 60%)
Concerns shown: Encryption of my organization's data within service provider's infrastructure w/ keys managed by the provider; Encryption of my organization's data with the ability to store and manage my encryption keys locally; Exposure of detailed security monitoring for my organization's implementation

Infrastructure as a service

In terms of infrastructure as a service, Federal Government respondents’ top concerns included understanding their providers’ physical/IT architectural security implementations, SLAs surrounding a security breach, and configuration data controls (Figure 17).

Platform as a service

Federal Government agencies’ leading data security concern around platform as a service is, not surprisingly, meeting specific compliance commitments, which was cited by 41% of U.S. Federal Government respondents compared to 29% of the global sample (Figure 18). Other leading PaaS concerns include support for HSMs, local management of encryption keys, and FIPS-level certification.

Figure 17 – Primary IaaS data security concerns
Source: 2019 Thales Data Threat Report Survey, IDC, November 2018
Series: Federal; Healthcare; Retail; Financial Services (scale 0% to 60%)
Concerns shown: Detailed physical and IT architectural and security implementation information; Service level agreements and liability terms for a data breach; Support for Hardware Security Modules (HSMs)

Figure 18 – Primary PaaS data security concerns
Source: 2019 Thales Data Threat Report Survey, IDC, November 2018
Series: Federal; Healthcare; Retail; Financial Services (scale 0% to 45%)
Concerns shown: for standards that apply to my organization; Support for Hardware Security Modules (HSMs); Encryption of my organization's data with the ability to store and manage my encryption keys locally; Encryption/Key Management Hardware

03 Security concerns and methods of alleviation by data technology environment

The edge is a fundamental component of any digital transformation initiative. By pushing intelligence closer to the end user, be it a constituent, contractor, or supplier, government agencies can engage with their audiences in a more compelling manner and provide a better overall experience. But edge technologies also increase complexity and demands on security. Mobile and IoT are specific examples of edge technologies, but big data, containers, and blockchain are also enabling technologies that help expand and customize edge computing.

Mobile payments

Respondents have a wide range of data security concerns regarding mobile payment technologies. Fraudsters lead the list of concerns, followed by exposure of PII and weak authentication protocols (see Figure 19). Mobile payment has not been as common in the Federal Government as in other industries, but the option is becoming slightly more popular.

Figure 19 – Leading mobile payment data security concerns
Source: 2019 Thales Data Threat Report Survey, IDC, November 2018
Series: Federal; Healthcare; Retail; Financial Services (scale 0% to 60%)
Concerns shown: Fraudsters using mobile payment apps for account takeover (ATO); information (other than payment card info); Weak authentication protocols used by mobile payment apps; Fraudsters using mobile payment apps for new account fraud

Internet of Things

The main data security concerns around IoT include attacks on IoT devices, protecting sensitive data through encryption and tokenization, and validating the integrity of data collected by IoT devices (see Figure 20).

Big data

Leading data security concerns for Federal Government respondents regarding big data include sensitive data discovery/classification, the ability to mask data by role, and system-level encryption (see Figure 21).

Figure 20 – Primary IoT data security concerns
Source: 2019 Thales Data Threat Report Survey, IDC, November 2018
Series: Federal; Healthcare; Retail; Financial Services (scale 0% to 40%)
Concerns shown: Attacks on IoT devices that may impact critical operations; Protecting sensitive data generated by an IoT device; Validating the integrity of data collected by IoT devices; Loss or theft of IoT devices; Lack of skilled personnel to implement IoT securely

Figure 21 – Leading big data security concerns
Source: 2019 Thales Data Threat Report Survey, IDC, November 2018
Series: Federal; Healthcare; Retail; Financial Services (scale 0% to 60%)
Concerns shown: Capability to mask data by role within the big data environment; System level encryption and access controls on underlying systems; big data environments

Containers/Docker

When it comes to containers/Docker, Federal Government respondents were most concerned about the security of data stored in containers, followed by the spread of malware among containers and patching/updating containers (see Figure 22).

Blockchain

Blockchain data security concerns were also very broadly spread. The leading concerns among Federal Government respondents are compromise of user account credentials, exposure of private data from public ledgers, and insider risk (Figure 23). IDC notes that blockchain is still a relatively new technology and respondents are probably not as familiar with it and its security issues as they are with other technologies in this study.

Figure 22 – Primary containers/Docker data security concerns
Source: 2019 Thales Data Threat Report Survey, IDC, November 2018
Series: Federal; Healthcare; Retail; Financial Services (scale 0% to 60%)
Concerns shown: Security of data stored in containers; Spread of malware among containers; Patching/updating containers; Unauthorized access to containers

Figure 23 – Primary blockchain data security concerns
Source: 2019 Thales Data Threat Report Survey, IDC, November 2018
Series: Federal; Healthcare; Retail; Financial Services (scale 0% to 40%)
Concerns shown: Compromise of user account credentials; Exposure of private data from improper public ledger controls; Insider risk; Compromise of an exchange provider

IDC guidance/key takeaways

Data security is not easy, particularly for Federal Government agencies, many of whom are working diligently to realize the benefits of digital transformation. And as they continue along their DX journey, they need to reexamine their data security stances. In particular, IDC recommends that Federal Government security professionals consider the following:

• Focus on all threat vectors, from foreign governments to internal actors. Today’s threats come from all corners, and Federal Governments particularly need to worry about a variety of bad actors. While foreign governments and cyber-terrorists are taking much of their attention, the threat from within is just as real. As bad actors continue to evolve their methods, security professionals need to remain vigilant and ensure that their solutions are not only relevant for current needs but also adaptable to deal with unforeseen threats down the line.

• Keep in mind that the security evaluation that comes with FedRAMP should be considered a good starting point but may not encompass all that is needed by a federal agency. The agency’s CSO should be part of the conversation and should be involved in setting and supporting agency-level security standards.

• Invest in modern, hybrid and multi-cloud-based data solutions for modern architectures. While governments continue to place emphasis on network security, focusing only on perimeter-based defenses is not enough. Governments must recognize the increased complexity of today’s security environment and implement solutions that span legacy concerns as well as modern, cloud-based digital transformation technologies. “As a service” and “as a platform” solutions that cross environments can help eliminate much of this complexity and cost, making the job much more manageable.

• Be willing to work with Amazon, Google, and other large back-end hosts. These providers already have been approved as meeting some types of government security and compliance standards. This makes them good, ready partners for government projects. Some channel partners may want a Microsoft .Net environment.

• Prioritize compliance issues. With the overarching impact of federal and global data regulations, 2018 could be considered “the year of data protection.” But the impact of data-use compliance and sovereignty is likely still on the rise, and regulations may become more rigid, not less. Federal agencies need to ensure they are not only diligently following current regulatory compliance mandates, but that they also have sufficient flexibility built into their technologies to handle new requirements when they occur.

• Data security, starting with encryption, is an important part of the mix. As federal agencies move away from purely on-premises data stances and increasingly use the cloud for sensitive data, they must adopt new data security strategies. Even selecting a top-tier cloud provider doesn’t remove the burden of doing your part to provide data security, and this starts with encryption.

Principal analyst profiles

Frank Dickson

Frank Dickson is a Research Vice President within IDC’s Security Products research practice. In this role, Frank provides thought leadership and guidance for clients on a wide range of security products including endpoint security, identity and access management, authentication, threat analytics, and emerging products designed to protect transforming architectures and business models.

Shawn P. McCarthy

Shawn P. McCarthy is Research Director for IDC Government Insights, responsible for collecting and assessing government market data, providing IT investment and positioning strategies for both government and vendors, and market sizing for tech suppliers. His core coverage area includes U.S. federal and state and local IT budgets, agency-level technology priorities and government enterprise architecture standards. He also covers government use of blockchain solutions. He manages the IDC Government Insights: United States Government Infrastructure and Systems Optimization Strategies research advisory service, which includes technology recommendations and key industry forecasting for government IT systems. He also issues IDC’s semi-annual U.S. Government IT Spending Guides (federal, state and local, and education).

About International Data Corporation (IDC)

IDC is the premier global provider of market intelligence, advisory services, and events for the information technology, telecommunications, and consumer technology markets. With more than 1,100 analysts worldwide, IDC offers global, regional, and local expertise on technology and industry opportunities and trends in over 110 countries.

IDC’s analysis and insight helps IT professionals, business executives, and the investment community to make fact-based technology decisions and to achieve their key business objectives. Founded in 1964, IDC is a wholly-owned subsidiary of International Data Group (IDG), the world’s leading media, data and marketing services company that activates and engages the most influential technology buyers.

About Thales Cloud Protection & Licensing

Today’s enterprises depend on the cloud, data and software in order to make decisive decisions. That’s why the most respected brands and largest organizations in the world rely on Thales to help them protect and secure access to their most sensitive information and software wherever it is created, shared or stored, from the cloud and data centers to devices and across networks. Our solutions enable organizations to move to the cloud securely, achieve compliance with confidence, and create more value from their software in devices and services used by millions of consumers every day.