- API Penetration Testing

A cybersecurity high-level architecture for a Mobile-first Digital Government - Part 2

That is a second part of our guide on high-level cybersecurity architecture for a mobile-first Digital government (first part).

"You are a regulator body - I'm a fool", or "formal" architecture

"Formal" architecture (FA) is focused on meeting the regulatory requirements — technical and cryptographic protection of confidential information. Alas, for government organizations, the implementation of the FA requirements is possible only with the use of the so-called certified protection tools.

This translates into a limitation of the choice of protection tools, problems with their updates and, in general, into great managerial difficulties. It's hard to maintain an efficient cybersecurity system in an actual real-life environment and changing state of threats.

Therefore, compliance with the requirements of regulators remains largely a thing in itself, which de facto helps to implement a shift in responsibility from an organization to a regulator, but is not enough to reduce actual risks.

Accordingly, the FA can consist of OA (all five blocks) + a block for fulfilling the requirements of regulators according to methodological documents that can be quite detailed. There are enough security system design companies on the market, who offer a number of certified security products for laptops, smartphones and tablets. In general, there should not be fundamental difficulties in meeting the requirements of regulators. There can, however, be exotic options — for example, using uncertified Linux.

Depending on the degree of technical maturity and the size of the organization, FA can be implemented within a period of one year, and it is impossible to do without the allocation of additional substantial budgetary funds — certified means of protection are not cheap.

For the most "unruly" or "complete" architecture

A "complete" architecture (CA) implies a reduction in the real cybersecurity risks. This is only possible when employees voluntarily choose to use secure solutions (security becomes convenient), so building blocks include a wide range of secure services that can replace "shadow IT" with controlled corporate practices. At the same time, the risks that are reduced by OA measures will not go anywhere — therefore, the CA functions as OA + additional blocks: "protection", "response" and "recovery" (blocks "audit" and "monitoring" are generally the same for both architectures)...

The protection block of the PA first of all forms new secure services — "corporate Dropbox" (EFSS - enterprise file synchronization service), corporate mail, and after formation publishes them on the Internet in a convenient way and trains users to work with them. For example, email service can be published using application proxy or terminal services from various vendors. Ideally, all information that users need in a mobile mode should circulate exclusively within corporate convenient and secure services.

The users segment — an extremely important formalization of goals, objectives and restrictions of mobile security is possible through the creation and implementation of a mobile security policy that determines the approach to mobility (BYOD / COPE), balancing the interests of the organization and users.

To educate users, it is possible to create and enforce rules for the use of mobile technologies (either as a separate document or as a section of the rules of conduct for the acceptable use of corporate IT assets), but the rules can be part of a mobile security policy. It is still optimal to separate policies and rules, since they serve different purposes and should be written in different languages. Policy — formal, rules — understandable to users without IT education and without understanding the strategic goals of the organization.

For large organizations (10,000+ users), it is rational to create a mechanism for checking users' knowledge of the rules of conduct when gaining access to mobile services, as well as a place to store evidence of user consent (in case of audits, external parties, or the need to fire an employee due to a policy/rule violation).

Access devices segment — in order to streamline the fleet of mobile devices and services, it is reasonable to create a standard for corporate mobility: what services and models of mobile devices are acceptable in the organization, what technical measures are applied to protect mobile devices.

The world's best practices (European, American and Australian) recommend a typical set of technical protection measures:

  1. Management is similar to the workplace (the presence of antivirus, installation, removal and control of applications or settings) or the presence of a protected isolated container with corporate information and services (usually as part of an MDM solution);

  2. Before connecting to the network, you must go through a health check (whether the antivirus is updated, whether updates are installed, whether encryption is on, whether there is a jailbreak, whether the PIN is set). To do this, you can implement NAC, 802.1x, MDM technologies;

  3. Publishing applications using an application proxy will reduce the possible flow of information to the user, reduce the risk of unloading and theft of information by the user (the user will receive only a picture).

CA monitoring block — monitoring at the CA level should already become proactive. Proactive planning of a plan for collecting events, setting up rules for monitoring anomalous activity will allow faster detection and faster response, which means less damage from cybersecurity incidents. Technologies of the Log management / SIEM classes have become good helpers in this matter.

CA response block — a third scenario will be added to the previously described scenarios, covering responding to information leakage with intent or through carelessness of the user. It is better to start investigating such incidents by removing the maximum possible number of event logs and analyzing user actions. Depending on the presence of the user's intent, there can be a need to apply administrative measures to him/her.

Measures to clean up the user's access to the network are described in the OA. For a guilty user, it is also possible to carry out an extraordinary certification — access check, thereby reducing the level of his access to corporate information to the minimum value required for work.

Depending on the degree of technical maturity and the size of the organization, the CA can be implemented in a period of one year or more, and it will require the allocation of additional substantial budgetary funds (certified protective equipment is not cheap). However, CA also has a side effect — seeing such significant attention of the organization's leadership to cybersecurity, inspectors can turn a blind eye to certain shortcomings, which, if skillfully managed a security program, can make CA more cost-effective than FA.

In the absence of the financial ability to purchase commercial security tools (for example, log management / SIEM systems), you can use Open Source (for example, Elastic, OSSIM). However, the choice of CA implies the rationality of budget investments in the cybersecurity of mobile IT services. The law of "conservation of energy" is implacable — there is only one line between the corners of safety, convenience and economy, and you need to choose two out of three.

However, organizations and leaders that are committed to long-term work, successful competition in the electoral and political field, and ensuring the stability and reliability of federal and regional government services have no such choice. The experience of Clinton, Brennan (the CIA director whose data was leaked in 2015), as well as information leaks of a number of top Russian officials (2014), eloquently demonstrate the consequences of insufficient systemic attention to cybersecurity issues.

A separate interesting move could be the use of a certified and additionally protected cloud service as a secure infrastructure for the core mobile IT services. This can free up the organization's time and resources for tasks more interesting than providing cybersecurity for a typical infrastructure. But, alas, the pretty pictures of the security architectures of cloud service providers do not always relate directly to their data centers. "It's not necessary once and for all" — therefore, such a provider cannot do without a preliminary audit of cybersecurity.

Of course, the supplier is better able to provide infrastructure services, but in the end, if the risks are realized, it will be difficult or impossible to shift political and legal responsibility to him.

Key principle of mobile cybersecurity effectiveness

Regardless of the chosen strategy, effective implementation is possible only with the mutual work of the organization's management, IT and cybersecurity managers and employees of the organization.

Carefully planned stakeholder engagement in the development of solutions, applying the change management best practices will ensure the success and consolidation of change.

This will make the organization more resilient to cyber risks and allow it to fully exploit the potential of mobility as a work and life style. Team