Public sector agencies in the U.S. operate in a global environment, making the issue of cybersecurity global as well. “We live in a world in which the threat landscape has changed—ransomware, zero-day attacks, nation-state attacks. And they’re distributed across an infrastructure that’s increasingly connected through multiple clouds and multiple service providers,” asserted Sandy Orlando, senior vice president of product for SolarWinds. While software and hardware vendors have been building in greater security mechanisms, agencies with a worldwide presence need to know that baseline criteria have been met and are consistent with international guidelines. “Leveraging a common set of standards, such as the Common Criteria, gives the government a foundation to evaluate vendors and its own security posture,” Orlando said.
The Common Criteria for Information Technology Security Evaluation evolved over more than 20 years from multiple international standards. It provides globally recognized levels of certification, which are crucial as agencies evaluate technologies.
Because most organizations don’t have a single tool vendor, she said, it’s essential for agencies to have criteria that “look at security requirements, from whether it’s functionally and structurally tested to whether it’s formally verified, designed, and tested.” (Note: SolarWinds recently submitted its Orion Suite for Federal Government v4.0 for Common Criteria evaluation at Evaluation Assurance Level (EAL) 2+.)
One particular outcome of this standardized evaluation, she said, is that it reduces the overall risk to the government as vendors begin adhering to Common Criteria.
This has the effect of improving the agency’s security posture by ensuring correct operation from a security standpoint and providing consistency in documentation. For vendors, she said, “Common Criteria really provides a foundation to other cybersecurity certifications because it covers a lot of the basic capabilities of a secure system. For vendors, Common Criteria is often the first step you would take to get to those other standards.”
What’s driving the spread of standards enforcement is a combination of factors. Orlando pointed to pressure from both citizens and lawmakers, citing the growth in data privacy laws such as GDPR and the just-introduced California privacy regulations. In addition, she said, there are internal pressures to become more secure, in light of insider threats putting agencies at risk. As a result, more and more RFPs are calling for Common Criteria certification along with other security prerequisites.
But, Orlando stated, security depends on much more than technology alone. “The challenge in many cases isn’t whether any individual tool is secure or not. It’s that we live in a connected world in which the bad actors are moving much faster than ever before.” She spelled out three questions she believes organizations should consider to better protect their data, networks and people:
- How do you protect your network?
- How do you quickly detect when there’s a breach in your environment?
- How do you remediate and resolve these issues as fast as possible, then apply those learnings to improve your security posture?
Starting with protection, she said some security tactics are very basic: having good system hygiene and making sure patches are up to date. Paying attention to access mechanisms is equally important, she said: “If you’re storing data with, say, AWS, do you have an S3 bucket open to the public? This is all part of basic blocking and tackling.”
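As an added illustration of that access-mechanism check (example code written for this page, not SolarWinds’ or AWS’s own), the following Python evaluates the three places where an S3 bucket becomes public: its bucket policy, its ACL, and its Public Access Block settings. The input dictionaries follow the shapes the S3 API returns, but the bucket name, policy and ACL below are constructed samples; the two Public Access Block flags are interpreted as AWS documents them (RestrictPublicBuckets neutralises a public policy, IgnorePublicAcls neutralises public ACL grants).

```python
# ACL grantee URIs meaning "everyone" and "any AWS account holder" respectively.
PUBLIC_GROUPS = ("http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers")

def _principal_is_public(principal):
    # A wildcard principal is written "*" or {"AWS": "*"} / {"AWS": ["*", ...]}.
    if principal == "*":
        return True
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return "*" in ([aws] if isinstance(aws, str) else aws)

def public_policy_sids(policy):
    """Sids of Allow statements open to a wildcard principal with no Condition."""
    raw = policy.get("Statement", [])  # a single statement may be a bare dict
    return [s.get("Sid", "<no Sid>") for s in ([raw] if isinstance(raw, dict) else raw)
            if s.get("Effect") == "Allow" and not s.get("Condition")
            and _principal_is_public(s.get("Principal"))]

def public_acl_grants(acl):
    """(group, permission) pairs granted to the public grantee groups."""
    return [(g["Grantee"]["URI"].rsplit("/", 1)[-1], g["Permission"])
            for g in acl.get("Grants", [])
            if g["Grantee"].get("URI") in PUBLIC_GROUPS]

def assess_bucket(name, public_access_block, policy, acl):
    """Return findings as strings; an empty list means nothing is exposed."""
    findings = []
    # Only report what the Public Access Block settings do not already neutralise.
    if not public_access_block.get("RestrictPublicBuckets", False):
        findings += [f"{name}: policy statement '{s}' allows Principal '*'"
                     for s in public_policy_sids(policy)]
    if not public_access_block.get("IgnorePublicAcls", False):
        findings += [f"{name}: ACL grants {perm} to {group}"
                     for group, perm in public_acl_grants(acl)]
    return findings

# Constructed sample: one world-readable statement, one wildcard statement scoped
# by a Condition (not public), an AllUsers READ grant, and Public Access Block off.
SAMPLE_PAB = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
              "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0example"}}}]}
SAMPLE_ACL = {"Grants": [{"Grantee": {"URI": PUBLIC_GROUPS[0]}, "Permission": "READ"}]}

print("\n".join(assess_bucket("example-bucket", SAMPLE_PAB, SAMPLE_POLICY, SAMPLE_ACL)))
```

Fed with live GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock output, the same functions turn the “is it open to the public?” question into a repeatable hygiene check.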
For her second point, Orlando explained, “We live in a world that has changed with the growth of cloud, and even on-premises environments are using more ephemeral containerized workflows. When things are changing, we need to make sure those changed conditions don’t open up security holes.” Detecting and isolating breaches, when they do occur, must happen rapidly to “prevent lateral spread, and require enough diagnostic information to understand what to do about the breach.”
Lastly, she said, corrections often circle back to the beginning of the process. “If you had your patches up to date, if you knew where your systems were, and you knew your interdependencies, then you would have been in a much more secure position to begin with,” she said. “Government agencies should be thinking about not just the tools they use but their processes, standards, the basic hygiene and compliance that gives you the ability to more quickly detect and react when there’s a problem.”