Dec 23 2010

The Keystone of Security

Spotlight on Defense in Depth

Protecting state and local government IT assets has never been more challenging. Mobility dissolves the perimeter while threats become ever more sophisticated and pernicious. That's why a defense-in-depth security strategy, one that implements multiple layers of protection throughout the enterprise, is essential.

Long lauded for its multilayered approach to security, the Commonwealth of Pennsylvania implements strong controls at nearly every point in the enterprise. "Even if an attacker is able to get through one of our defenses, other defense-layered mechanisms catch them to protect our resources," says Chief Information Security Officer Erik Avakian. "We put multiple security layers in place so it becomes a lot harder for a hacker to gain access."

It starts with physical security controls such as surveillance cameras and locked doors; permeates the network with firewalls, intrusion prevention systems, web content filtering and other technologies; and extends to client computing devices with antivirus, host-based intrusion prevention systems and mobile-device encryption. The IT staff chooses best-of-breed products for the task at hand.

But just as important as the technologies are the proactive security processes and awareness programs in place within Pennsylvania's Office for Information Technology, notes Acting CIO and Chief Technology Officer Tony Encinias. More than 80,000 state workers receive mandatory security awareness training on an annual basis, for example.

Minimizing Risk

Drawing on his U.S. Department of Defense background, Encinias modified the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) to suit the state's need for application risk mitigation. The Commonwealth Application Certification and Accreditation (CA2) process catches vulnerabilities early in the development process so they can be remedied before the application hits production environments.

"We've saved hundreds of thousands of records and millions of dollars in potential breach cost avoidance by catching and remediating potential application security flaws before these applications go live," Avakian says. CA2 also reduces the costs of application development because coders don't have to go back to their work later to recode their applications or build in added protection.

A security information and event management system provides an all-encompassing view of the state's security stance, collecting log data from a wide variety of network devices, including roughly 300 domain controllers spread throughout the state, from Erie to Philadelphia. "We have live dashboard views that have been instrumental in monitoring activity," Encinias says.

Going forward, Pennsylvania is evaluating technologies such as data loss prevention and is incorporating application firewalls to help protect commonwealth data. "The security landscape changes on a daily basis with new threats and zero-day exploits, and we have to continue to stay one step ahead of them," Avakian concludes.


"True security requires a diligent multifaceted approach addressing users, processes and technology."

-- David Monahan, chief information security officer, Jefferson County, Colo.

"We've had to implement new ways of building defense in depth, including simplified handheld computers, strong authentication and outsourced first-line incident response."

-- Keith Young, security official, Montgomery County, Md.

"Security is not something you can just build, it's much more about the ongoing business processes to maintain it."

-- Glenn Haar, IT resources manager, Idaho State Tax Commission

Endpoint Security

McAfee Total Protection for Endpoint Enterprise Edition is one of the leading endpoint security solutions. McAfee has bundled together its own best thinking on what is needed on the enterprise desktop, including antimalware, web and e-mail security, desktop firewall, and host intrusion prevention, into a single package managed by the manufacturer's ePolicy Orchestrator enterprise console.

McAfee's suite also includes network access control capabilities that are tightly linked to its desktop protection features. The result is an unusually deep vision into the exact security posture of the endpoint with strong controls designed to keep noncompliant endpoints off the network, notes Joel Snyder, a senior partner with consulting firm Opus One. This competitive edge will appeal to enterprises with high security requirements, such as governmental organizations or financial institutions.

By the Numbers


Average percentage of IT spending devoted to security in

Source: Gartner


Number of states that allow the use of personal smartphones for government business

Source: NASCIO's "Security at the Edge: Protecting Mobile Computing Devices -- Part II"


Number of consensus metrics for measuring IT security

Source: The Center for Internet Security


Percentage of IT professionals who are confident that their organizations have enterprisewide visibility for user access and can determine if that access is compliant with policies

Source: Ponemon Institute's 2010 Access Governance Trends report


Percentage of state CISOs who say lack of sufficient funding is a major barrier in addressing information security

Source: 2010 Deloitte-NASCIO Cybersecurity Study


Estimated cost per compromised customer record in 2009

Source: Ponemon Institute's annual study

721.9 million

Number of records breached between Jan. 1, 2005, and Dec. 31, 2009

Source: Digital Forensics Association report