Experts praise Pentagon's march to security standards
- — 20 September, 2013 12:51
The Pentagon's decision to move its thousands of networks under a single security architecture is the right strategy to bolster defenses against hackers and malicious insiders, experts say.
The massive consolidation of the Defense Department's 15,000 networks into a "joint information environment" is expected to cut costs, as well as improve security against Edward Snowden-like leaks, National Defense magazine reported.
The former contractor took thousands of documents from the National Security Agency and distributed them to the media, which is driving a national debate on NSA surveillance of Americans.
Thwarting hackers is also behind the Pentagon's move to have all four branches of the military, defense agencies and overseas commands use the same network and security systems. The expected benefits include killing redundancies and making it easier to detect hacker-induced anomalies.
The transition away from the Pentagon's current mishmash of technology unique to the various government entities is expected to take years. However, experts contacted by CSOonline said the outcome will likely justify the time and expense.
"The better security comes from the lack of complexity," Ron Gula, chief executive and technical officer of Tenable Network Security, said.
Consolidating networks and standardizing systems mean less technology to monitor while making it easier to see when something has been compromised, Gula said.
The Pentagon has already started the transition. The U.S. European Command based in Stuttgart, Germany, was recently brought under a single security architecture. "We are building increments," Air Force Lt. Gen. Ronnie D. Hawkins Jr., head of the Defense Information Systems Agency, told National Defense.
The consolidation effort is likely to include having one data center in a region where there were multiple centers, said Jody Brazil, president and chief technology officer for network security management company FireMon. Having just one means "you now invest more heavily in securing that one data center."
"That's at least what I've heard them talk about and I think it makes sense," Brazil said.
Removing silos of technology spread throughout the Defense Department will make it much easier to monitor events across computer systems, Brazil said. In addition, performance data gathered from the systems will be easier to analyze for unusual occurrences.Ã'Â
Sharing information across all entities will also be easier, because everyone will be able to understand the data, since it will come from the same systems. Brazil said.
For catching Snowden-like leakers, the Pentagon plans to standardize on identity access management technology used for fixed computers and mobile devices, Hawkins told National Defense. In addition, workers and contractors would be subject to "no notice inspections" to ensure they are complying with security standards.
No security architecture is bulletproof, particularly against the highly sophisticated, state-sponsored hackers the Defense Department is battling from countries like China. Experts acknowledged that breaching a standardized network could enable intruders to travel much deeper than they would if they had invaded a system unique to one agency.
However, having the same systems throughout means security pros will know the potential entry points. With different systems, those weaknesses are much more difficult to tract and monitor.
"I'd rather defend against a few knowns than defend against all the unknowns," Gula said.
The most difficult barrier the Pentagon is likely to face is the army of employees comfortable with the old computer systems, but who now have to march to something new.
"People as a species don't like change," Gula said. "They don't like to learn new things."
The Pentagon also will struggle to find enough experts to make the technical changes, administer the new systems and train employees to use them.
"That remains one of the bigger challenges," Brazil said.
Pentagon officials told National Defense that the transition will not require additional funding from Congress, but would come out of the Defense Department's cybersecurity budget.
Read more about network security in CSOonline's Network Security section.