This article appeared recently in Information Management. It was written by Gerry Gebel, the vice president of business development at Axiomatics.
Six Data Security Trends and Challenges for Federal Agencies in 2020.
Data security is rapidly evolving in the federal sector as new threats and challenges emerge daily. Every year, new devices and technologies emerge that produce massive amounts of data to help governments reduce costs, create new public services, protect community health and safety and more. Guarding large volumes of data is a top priority, especially national security and private citizens’ information.
Due to the quantity of data that is collected by governments today, and the need to collaborate and share information agency-wide and between agencies/departments, the challenge now is to secure access for the right users, at the right time and under the right circumstances.
As we head into 2020, the data security landscape is only growing more complex. Federal agencies require modern tools and techniques to both protect sensitive digital assets and appropriately share the right data with different departments, across agencies and with citizens.
For federal agencies that want to be at the forefront of the security industry, let’s take a close look at six trends that will stand out in 2020.
Transitioning to Cloud Hosted Data Systems
In 2019, federal agencies are moving their data and other IT resources to the cloud because of the flexibility and affordability of cloud platforms compared to on-premise database solutions. The budget that goes toward cloud technologies is steadily increasing.
According to a recent report by Bloomberg Government titled “An Insider’s View of Government Cloud,” federal agencies spent a combined $2.4 billion on cloud-based infrastructure and technologies in 2015. By 2018, that number was up to $4.3 billion and is expected to top $5 billion by the end of this year. However, platform-specific security capabilities aren’t always sufficient to address all requirements, particularly for departments that adopt a multi-cloud architecture.
Technologies such as dynamic authorization, delivered with attribute-based access control, offer a policy-based approach to protecting digital assets by providing a consistent, repeatable access model across cloud platforms.
Securing APIs and Microservices
Utilizing microservices, service meshes and APIs to access sensitive or confidential data has become the norm in government applications. According to research from Gartner, government CIOs will focus technology investments on data analytics and cybersecurity in 2019.
In situations that require fine-grained access, federal agencies can invest in security technologies such as OAuth and dynamic authorization to establish a comprehensive approach to access control. Together, OAuth and dynamic authorization allow the proper management of access control scopes and cleaner APIs that are not overwhelmed with security logic.
Global Data Privacy Laws
GDPR set off a cavalcade of data privacy laws when it went into effect in May 2018. Various government agencies across different states and countries are now implementing regulations with GDPR’s data privacy guidelines in mind.
During the 2019 Corporate Counsel Symposium hosted by the Federation of Defense and Corporate Counsel, a panel stated “The GDPR is serving as a template for other potential data privacy laws around the world.” As a result, organizations are forced to implement new security controls that protect citizens’ privacy through a context-sensitive and risk-based access control model.
Public Key Infrastructure Transitions to OpenID Connect
Public key infrastructure (PKI) based authentication was the linchpin for comprehensive authentication in government applications for years. PKI excels in cryptographically linking user authentication and system access in an unbroken chain of custody.
However, PKI is also associated with high maintenance costs, and it is hard to use, unnecessarily complicated and not agile enough for most use cases. Instead, we can expect to see more adoption of OpenID Connect (OIDC), which is easier to implement, simpler to use and supports modern applications.
The Concept of Zero Trust Network Access
Zero trust network access (ZTNA) delivers stronger validation before allowing users and devices access to the network, replacing technologies that enable broad entry to the system once someone is remotely connected. ZTNA and dynamic authorization models are similar in two ways. First, every access attempt is validated against current access policies. Second, access policies are specific, enabling access only to the resources needed for a particular function.
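The following sketch is an added illustration of the OAuth plus dynamic authorization model described under Securing APIs and Microservices and of the per-request, function-specific validation described in this section. It is not code from the article or from any vendor product; the attribute names, scope string and sample records are constructed assumptions.

```python
# Added example: attribute names, scopes and records below are constructed.
# Each policy permits one action on one resource type for one purpose;
# any request that no policy matches is denied.
POLICIES = [
    {   # staff of the owning agency with sufficient clearance
        "action": "read", "resource_type": "case_file", "scope": "cases.read",
        "condition": lambda s, r, e: s["agency"] == r["owning_agency"]
        and s["clearance"] >= r["classification"],
    },
    {   # partner agency: also requires a managed device at request time
        "action": "read", "resource_type": "case_file", "scope": "cases.read",
        "condition": lambda s, r, e: s["agency"] in r["shared_with"]
        and s["clearance"] >= r["classification"] and e["device_managed"],
    },
]

CASE = {"type": "case_file", "owning_agency": "agency-a",
        "shared_with": ["agency-b"], "classification": 2,
        "body": "constructed sample record"}
ANALYST_A = {"agency": "agency-a", "clearance": 3}
ANALYST_B = {"agency": "agency-b", "clearance": 2}


def decide(token_scopes, subject, action, resource, environment, policies=POLICIES):
    """Policy decision point: evaluate one request, return 'Permit' or 'Deny'."""
    for policy in policies:
        if (policy["action"], policy["resource_type"]) != (action, resource["type"]):
            continue
        if policy["scope"] not in token_scopes:  # coarse OAuth scope gate
            continue
        try:
            if policy["condition"](subject, resource, environment):
                return "Permit"
        except KeyError:
            continue  # attribute missing: rule does not apply (fail closed)
    return "Deny"


def get_case_file(token_scopes, subject, resource, environment):
    """API handler: holds no access rules itself, it only asks the PDP."""
    if decide(token_scopes, subject, "read", resource, environment) != "Permit":
        return 403, None
    return 200, resource["body"]
```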
Eliminating the IT Skills Gap
Government employees must understand how to use a variety of modern technologies to ensure data security, but there is a growing IT skills gap across federal agencies. For example, each identity and access management (IAM) tool requires its own distinct expertise. Users need training to learn how to use these tools and ensure unauthorized users can’t access data. Companies such as IDPro are addressing this challenge by turning federal employees into digital identity professionals.
As federal agencies continue to upgrade and modernize technologies, managing and verifying who can and can’t access data is key to data security today. By choosing technologies such as dynamic authorization and adopting a zero-trust philosophy, federal agencies can better disseminate and share actionable insights across disparate agencies.