A cybersecurity architecture for a Mobile-first Digital Government

A modern government organization produces a large number of IT solutions. Their prompt adoption and execution inevitably demand remote access to the organization’s IT services. In practice, remote access turns into mobile access — after all, modern smartphones support any remote access technologies.

This way, information and secrets belonging to the state begin to flow in a polygon — the IT perimeter of the organization, home IT infrastructure, work laptop, and personal smartphone of an employee.

Clinton can be understood — no manager can imagine themselves without convenient remote access to mail and calendar. Having a large number of specialized employees, business trips to regions and districts lead to the need to have access to information systems from anywhere in the country or even globally.

Every coin has two sides… and some have more than two

You need to decide on a strategy before shaping the rules of the game. The process of establishing the procedure for employees to handle mobile information, as well as developing a cybersecurity architecture, requires some thought.

As in the well-known tale, due to the specifics of the public administration sector, there are only three strategies: “open”, “formal” and “complete”. Let’s put the protection of state secrets out of the way since the processing of state secrets requires secure premises, which means that it is conceptually poorly compatible with the mobility of IT services.

An “open” strategy implies a direct and unambiguous legal prohibition for employees of the organization to transfer any confidential information outside its perimeter. It is rather difficult to implement the ban at the technical level, but this is not the main point. The main thing is that the ban must be legally correct and communicated to all employees of the organization (with their signature, and ideally — as part of the regular control of cybersecurity operations). 

With a high degree of probability, employees will technically still be able to access confidential information through remote channels. But if the organization ignores the instructions of the head management, it has much more significant problems than cybersecurity.

The “formal” strategy is focused exclusively on the requirements of regulators in the field of technical and cryptographic protection of confidential information. Practically in any government organization, there is already some groundwork in place regarding compliance with regulatory requirements for the protection of confidential information. All that remains is to scale existing practices to new transmission channels, places for processing and storing information. 

Separately, I note that “confidential information” (in common parlance — CI) is a closed list of information: personal data, the secrecy of the investigation, and a number of other secrets protected by law. Completely different information can be confidential from a manager’s point of view, and from a technical point of view, it is better to protect it without involving the whole bulk of regulatory requirements.

The “complete” strategy will be the choice of government organizations, for which, for one reason or another, cybersecurity is vital. For example, they can provide vital services to citizens, process significant amounts of financial data or the intellectual property of commercial enterprises, be connected to dozens of “third parties” (each of which may have its own security concerns). 

Such organizations need to meet the requirements of regulators (historically aimed at ensuring the confidentiality of the information). In addition, they can benefit from an audit of the mix of IT services and access devices. This ensures the development of a holistic and complex cybersecurity architecture to protect the company’s key assets.

Let’s now take a closer look at each of the three approaches.

We have nothing to hide or “open” architecture

“Open” architecture (OA) aims to ensure the availability and reliability of the organization’s information because mobility can be not only a data leak channel but also a point of entry into an organization’s IT services. Let’s say a laptop is lost by the press secretary of the department. Imagine it being used to send an “official” statement of the department with information discrediting the head to the business publications. A nightmare, isn’t it?

In the past 3-5 years, a change of paradigm took place. The efforts were historically focused on quality management of the classic Deming cycle (Plan-Do-Check-Act, PDCA) in ensuring the cybersecurity of leading international corporations. Nowadays, the cyber threat-oriented cycle for protecting critical infrastructures from the USA National Institute of Standards and Technology has gained particular popularity. The NIST CSF (Identify – Protect – Detect – Respond – Recover) cycle reflects the full spectrum — of five types of activities that are required to identify, prevent and respond to cyber threats.

OA consists of five blocks — audit, protection, monitoring, response, and recovery, accordingly. By the way, the practice of ensuring fire safety in the state is de facto similar – there is inspection (audit), protection (compliance with requirements), monitoring (based on awareness and signals from citizens), and response and recovery — fire brigades and assistance to fire victims.

The OA audit block is aimed at determining the current situation in all segments of the enterprise information system:

  1. Users — what they are required to do and what they know (standards, policies, training, and knowledge testing)
  2. Accounts — what are the password policies (password complexity, frequency of password changes, is there a lock after an incorrect entry)
  3. Channels of access to services — whether encryption of data transmission between service cores and access devices are provided
  4. Access devices — are there unified security standards for access devices (PCs, laptops) — antiviruses, encryption of mobile access devices, the obligatory installation of corrections (patch management)
  5. Service core — whether security audits were performed when the services were brought to the Internet, and whether event logs were enabled to enable future investigations.

Let me emphasize that in fact, mobile IT services can commonly be located outside the perimeter of the organization (at some point, the media reported that a significant percentage of the contact addresses of public procurement tenders are located with external e-mail providers).

Within the framework of OA, it is reasonable to equate external services with internal ones, implementing OA in the part where it is possible and rational (for example, somewhere you can protect the data of key employees, and somewhere you can insist on using a corporate service).

The OA protection block is aimed at increasing cybersecurity in all five segments of the enterprise information system that will be “mobilized”:

  1. “Users” segment — development and implementation of ToS for mobile users. Among the classic recommendations are not to use public Wi-Fi networks (without encryption), close the keyboard when entering a password, promptly report the loss of an access device with connected IT services of the organization, as well as the compromise of passwords or access tokens.
  2. “Accounts” segment — user accounts of mobile IT access services must be protected by strong password policies (for example, Group Policy, ActiveSync) and multi-factor authentication. Two-factor authentication must be compatible with international protocols like OAuth2. In the absence of financial possibilities for the implementation of two-factor authentication, it is imperative to implement a compensating measure — an account lockout policy after a certain number of attempts. This policy has the side effect of causing service outages with a bogus attack. But given the ability to sort out passwords for accessing an organization 24 hours 365 days a year, there may be no other alternative. To reduce the risks associated with the loss of devices, I note the usefulness of the policy of requiring a password to be entered after a certain waiting period.
  3. “Access channels” segment — access channels must use encryption (S/MIME, VPN client, VPN tunnel MDM solutions). By the way, in order to avoid conflict with the regulatory requirements, encryption in the internal regulatory documents of the organization can be called coding.
  4. “Access devices” segment — devices for accessing IT services must be protected no worse than stationary PCs, at least a password for accessing the device must be set, built-in encryption of drives on iOS/OS X/Windows/Android platforms must be used, strong password policies (local accounts, PIN Security) must be in place
  5. “Service core” segment — the core of services should be built using technologies with long-term support by the manufacturer (no End of Support!). It is advisable to use the latest technologies (they usually have more built-in security technologies, for example, Windows 10 includes Credential Guard technology, which effectively counteracts the “scourge” of Windows infrastructures – the classic Pass-the-Hash attack).

Before launching services on the Internet, you need to audit their security — at least with free scanners like Microsoft MBSA, and OpenVAS, and check critical services for compliance with the security requirements of manufacturers (all major vendors have the so-called Security Guides) and/or best practices (for example, classic CIS). To ensure the possibility of subsequent monitoring and investigation, it is necessary to configure the logging systems in the service cores. Planning and implementing data backup procedures will be a cross-cutting measure for all segments.

The OA monitoring block is aimed at understanding the current situation with the cybersecurity of mobile IT services. The problems can be identified through signals from users based on the results of a loss, according to the results of the strange behavior of IT services (for example, a sudden account lockout due to a one-time incorrect password entry), through identifying brute force attempts (for example, using periodic scripts).

The OA response block is structured based on simple scenarios from the lifecycle of access devices:

  1. Loss of the device. You need to change passwords to services, block device access to services, and make a full remote wipe (if the device is corporate);
  2. Anomaly in IT — strange behavior of an IT service/brute-force hacking attempt. It is necessary to change passwords, identify the source of brute-force attacks, temporarily change the antivirus on access devices (identify viruses that are invisible to the current antivirus), and conduct further investigation. It is possible to tighten password policy or disable old unused service accounts (a common reason for unsuccessful domain login attempts).

OA recovery block is aimed to instruct the user. Give him/her new credentials, and provide a new corporate device, if possible. If necessary, restore data from backups. It is advisable to analyze the causes of the incident, to learn the lessons in order to develop and implement corrective measures.

OA implies the maximum possible use of built-in cybersecurity measures of popular platforms and mobile services (for example, the ability to remotely wipe Microsoft Exchange ActiveSync data). If the built-in measures are insufficient, separate protection measures can be purchased. If you do not have the financial ability to purchase commercial security tools (for example, solutions from multi-factor authentication providers), you can use Open Source (for example, Gluu). However, to use Open Source tools, you will have to pay for additional time for your employee’s training.

Depending on the degree of readiness and the size of the organization, the OA implementation project can be implemented in a few weeks or months, often without additional budgetary expenses.

“You are a regulator body – I’m a fool”, or “formal” architecture

“Formal” architecture (FA) is focused on meeting the regulatory requirements — technical and cryptographic protection of confidential information. Alas, for government organizations, the implementation of the FA requirements is possible only with the use of the so-called certified protection tools.

This translates into a limitation of the choice of protection tools, problems with their updates, and, in general, great managerial difficulties. It’s hard to maintain an efficient cybersecurity system in an actual real-life environment and change the state of threats.

Therefore, compliance with the requirements of regulators remains largely a thing in itself, which de facto helps to implement a shift in responsibility from an organization to a regulator, but is not enough to reduce actual risks.

Accordingly, the FA can consist of OA (all five blocks) + a block for fulfilling the requirements of regulators according to methodological documents that can be quite detailed. There are enough security system design companies on the market, that offer a number of certified security products for laptops, smartphones, and tablets. In general, there should not be fundamental difficulties in meeting the requirements of regulators. There can, however, be exotic options — for example, using uncertified Linux.

Depending on the degree of technical maturity and the size of the organization, FA can be implemented within a period of one year, and it is impossible to do without the allocation of additional substantial budgetary funds — certified means of protection are not cheap.

For the most “unruly” or “complete” architecture

A “complete” architecture (CA) implies a reduction in the real cybersecurity risks. This is only possible when employees voluntarily choose to use secure solutions (security becomes convenient), so building blocks include a wide range of secure services that can replace “shadow IT” with controlled corporate practices. At the same time, the risks that are reduced by OA measures will not go anywhere — therefore, the CA functions as OA + additional blocks: “protection”, “response” and “recovery” (blocks “audit” and “monitoring” are generally the same for both architectures)…

The protection block of the PA first of all forms new secure services — “corporate Dropbox” (EFSS – enterprise file synchronization service), corporate mail, and after formation publishes them on the Internet in a convenient way and trains users to work with them. For example, email services can be published using application proxy or terminal services from various vendors. Ideally, all information that users need in a mobile mode should circulate exclusively within corporate convenient and secure services.

The users’ segment — an extremely important formalization of goals, objectives, and restrictions of mobile security is possible through the creation and implementation of a mobile security policy that determines the approach to mobility (BYOD / COPE), balancing the interests of the organization and users.

To educate users, it is possible to create and enforce rules for the use of mobile technologies (either as a separate document or as a section of the rules of conduct for the acceptable use of corporate IT assets), but the rules can be part of a mobile security policy. It is still optimal to separate policies and rules since they serve different purposes and should be written in different languages. Policy — formal, rules — understandable to users without IT education and without understanding the strategic goals of the organization.

For large organizations (10,000+ users), it is rational to create a mechanism for checking users’ knowledge of the rules of conduct when gaining access to mobile services, as well as a place to store evidence of user consent (in case of audits, external parties, or the need to fire an employee due to a policy/rule violation).

Access devises segment — in order to streamline the fleet of mobile devices and services, it is reasonable to create a standard for corporate mobility: what services and models of mobile devices are acceptable in the organization, what technical measures are applied to protect mobile devices. 

The world’s best practices (European, American, and Australian) recommend a typical set of technical protection measures:

  1. Management is similar to the workplace (the presence of antivirus, installation, removal, and control of applications or settings) or the presence of a protected isolated container with corporate information and services (usually as part of an MDM solution)
  2. Before connecting to the network, you must go through a health check (whether the antivirus is updated, whether updates are installed, whether encryption is on, whether there is a jailbreak, and whether the PIN is set). To do this, you can implement NAC, 802.1x, and MDM technologies
  3. Publishing applications using an application proxy will reduce the possible flow of information to the user, and reduce the risk of unloading and theft of information by the user (the user will receive only a picture).

CA monitoring block — monitoring at the CA level should already become proactive. Proactive planning of a plan for collecting events, and setting up rules for monitoring anomalous activity will allow faster detection and faster response, which means less damage from cybersecurity incidents. Technologies of the Log management / SIEM classes have become good helpers in this matter.

CA response block — a third scenario will be added to the previously described scenarios, covering responding to information leakage with intent or through the carelessness of the user. It is better to start investigating such incidents by removing the maximum possible number of event logs and analyzing user actions. Depending on the presence of the user’s intent, there can be a need to apply administrative measures to him/her.

Measures to clean up the user’s access to the network are described in the OA. For a guilty user, it is also possible to carry out an extraordinary certification — access check, thereby reducing the level of his access to corporate information to the minimum value required for work.

Depending on the degree of technical maturity and the size of the organization, the CA can be implemented in a period of one year or more, and it will require the allocation of additional substantial budgetary funds (certified protective equipment is not cheap). However, CA also has a side effect — seeing such significant attention of the organization’s leadership to cybersecurity, inspectors can turn a blind eye to certain shortcomings, which, if skillfully managed a security program, can make CA more cost-effective than FA.

Author – Alex Bodryk, Certified Information Systems Auditor

Managing Consultant, Cyberlands.io

In the absence of the financial ability to purchase commercial security tools (for example, log management / SIEM systems), you can use Open Source (for example, Elastic, OSSIM). However, the choice of CA implies the rationality of budget investments in the cybersecurity of mobile IT services. The law of “conservation of energy” is implacable — there is only one line between the corners of safety, convenience, and economy, and you need to choose two out of three.

However, organizations and leaders that are committed to long-term work, successful competition in the electoral and political field, and ensuring the stability and reliability of federal and regional government services have no such choice. The experience of Clinton, Brennan (the CIA director whose data was leaked in 2015), as well as information leaks of a number of top Russian officials (2014), eloquently demonstrate the consequences of insufficient systemic attention to cybersecurity issues.

A separate interesting move could be the use of a certified and additionally protected cloud service as a secure infrastructure for the core mobile IT services. This can free up the organization’s time and resources for tasks more interesting than providing cybersecurity for a typical infrastructure. But, alas, the pretty pictures of the security architectures of cloud service providers do not always relate directly to their data centers. “It’s not necessary once and for all” — therefore, such a provider cannot do without a preliminary audit of cybersecurity.

Of course, the supplier is better able to provide infrastructure services, but in the end, if the risks are realized, it will be difficult or impossible to shift political and legal responsibility to him.

A key principle of mobile cybersecurity effectiveness

Regardless of the chosen strategy, effective implementation is possible only with the mutual work of the organization’s management, IT and cybersecurity managers, and employees of the organization.

Carefully planned stakeholder engagement in the development of solutions, and applying the change management best practices will ensure the success and consolidation of change.

This will make a government organization more resilient to cyber risks and allow it to fully exploit the potential of mobility in work and lifestyle.

Author – Alex Bodryk, Certified Information Systems Auditor (Certificate #13109090 \ from the 2013 year)

Managing Consultant, Cyberlands.io