
IDC TECHNOLOGY SPOTLIGHT Sponsored by: Fortinet

Developing Your Security Fabric: A Transformational Approach for State Government May 2019

Written by: Shawn McCarthy, Director, IDC Government Insights, and Ruthbea Yesner, Vice President, IDC Government Insights

Introduction

State CIOs in the United States have consistently rated security as their number 1 priority for the past several years. Security and risk management again ranked first on NASCIO's 2019 Top 10 list of state CIO priorities, and in a recent IDC survey, 45% of U.S. state government respondents selected "strengthening security detection and resilience capabilities" as the initiative that will drive significant IT investment in 2019.

There is good reason for this focus on security in state government. A multitude of forces are coming together to place further stress on keeping systems and data secure, especially for state agencies that operate diverse, and often decentralized, IT systems. The expansion of the Internet of Things (IoT) and the convergence of information technology/operational technology (IT/OT) make many physical systems susceptible to cyberattacks, and the increased mobility of the workforce that accesses government applications from the field has dramatically increased the attack surface. Meanwhile, the threat landscape is advancing with more sophisticated distributed denial-of-service (DDoS) attacks and a high volume of botnet and ransomware breaches often based on malware as a service. The result is that security management is more complex and security failures are more costly.

At a time when government IT security spending is reaching its highest level ever, state governments are still facing huge challenges. Verizon's 2018 Data Breach Investigations Report noted the high frequency of incidents in the public sector; of the 22,788 incidents, 304 had confirmed data disclosures. These breaches are coming mostly from external actors, and 41% involved theft of personal data. The bottom line: Everything is potentially at risk, including networks, hardware, applications, and government data.

Many state agencies are not fully prepared to handle the level of complexity required to manage their security infrastructure. An approach that uses a broad, integrated, and automated security fabric is the method that allows for full end-to-end monitoring and management of security issues, configuration, and potential responses.

In the United States, many state agencies are not fully prepared to handle the level of complexity required to manage their security infrastructure. A holistic, enterprisewide security fabric approach can help address modern government IT security challenges.

AT A GLANCE

KEY STATS

» U.S. states will spend over $2 billion in 2019 on security solutions.

» 45% of U.S. states surveyed report that security detection and resilience capabilities will drive significant IT investment in 2019.

» Only one-fifth of state governments report implementing next-generation security solutions.


Page 2 #US45041519


State Government Security Trends

Security Is a Priority Linked to Achieving Other State Priorities

Security is a clear priority for state governments and one that is tied to successfully achieving other key priorities. Security of systems and data is a priority, but the consequences of system outages or breaches of personal data are more far reaching in state government than in many other industries. State governments are focused on other priorities as well, such as improving consumer services and the overall government experience, increasing the level of trust in state entities by constituents, and continuing fiscal responsibility efforts by being more operationally efficient and resilient. As seen with large-scale attacks at the city level, for example in Dallas and Atlanta, services were impacted that directly affected the safety and daily functions of residents, tourists, and businesses. In turn, such incidents impact the economy, the ability to adhere to the budget, and the sense of trust constituents have in their government. Additionally, state governments hold a lot of sensitive, personal data for services such as Medicaid and employment benefits, and breaches of personal information reduce confidence in state government, adding to the urgency in protecting systems.

Spending Is Growing, But Overall Adoption Is Low

State governments remain focused on cost containment, and budgets are not growing at the level required to keep pace with technology. There is significant investment in security among U.S. states, as shown in Figure 1. IDC projects spending of over $2 billion on security software, hardware, and services in 2019 and a five-year spending growth rate of almost 7%. This investment is likely not enough to fully modernize and secure state systems, and states are actively looking for lower-cost options that offer integration of existing products without the high costs of large-scale systems integration.

FIGURE 1: U.S. State Spending on Security Software, Hardware, and Services

[Chart: spending in $M by year, 2017 to 2022]

Source: IDC's Worldwide Semiannual Security Spending Guide — 2018H1, February 2019

Overall, the adoption of next-generation security is low among state governments, as shown in Figure 2. Only 39% of U.S. state respondents report adopting the latest in IT security, with 7% adoption enterprisewide and almost one-third still in the research phase of the investment cycle. Key for states is to consider next-generation data security practices that include data-centric security solutions such as encryption technologies, data loss prevention (DLP), user and entity behavior analytics (UEBA), supervision and monitoring, and data tokenization and masking.

FIGURE 2: U.S. State Adoption of Next-Generation Security

Source: IDC's Customer Insights and Analysis 2018 Industry IT and Communications Survey

States Must Spend Wisely to Address High Security Needs

Fragmentary networks and applications used by modern government agencies provide a massive level of connectivity. At the state level, this can include connections to thousands of sensors as well as IoT and mobile devices of a high variety and in disparate locations. Street lights, connected fleets, and field workers are just some examples of how this expansion is creating an attack surface that's constantly increasing in size and complexity. Ongoing digital transformation efforts within government operations are creating a highly mobile workforce and a growing network of personal endpoint devices. This trend is prompting a shift in how governments handle their endpoint security.

In fact, an ever-increasing number of endpoints are being connected to legacy systems, which do not have updated security. Endpoints in states (video cameras, sensors, mobile devices used by workers) are being connected to dated platforms, which, at the time of deployment, faced radically different cybersecurity threats.

Beyond the expanded attack surface, the sophistication of threats has increased. DDoS attacks are increasingly multivector and botnets created to target endpoint devices continue to grow, making security more complex to address. In addition, malware is becoming more sophisticated with polymorphic viruses that are increasingly difficult to detect as the code is designed to evolve or change. Malware distribution also is made more powerful as bad actors leverage malware as a service for additional compute power.

Figure 2 values:

» Not considering (13.0%)

» Considered not yet pursuing (19.0%)

» Researching/under consideration (29.0%)

» Pilot/proof of concept (16.0%)

» In production in business units or departments (16.0%)

» In production enterprisewide (7.0%)


This evolution in security threats, in turn, must prompt a new approach to threat detection and mitigation within government systems. The goal today is to manage fragmented security that is currently deployed across the government enterprise in cloud solutions, employee devices, applications, networks, and IoT devices in a unified and effective security solution.

The Benefits of Developing a Security Fabric

In the commercial world, many companies now carry insurance policies that cover cybersecurity incidents. The cost of such incidents can include breach response time, plus mitigation and restoration efforts. For government agencies, this type of coverage is not always an option. Agencies must be willing to spend the money needed to round out their security portfolios, with a special focus on identity management, vulnerability management, threat management, and trust management.

A security fabric approach integrates advanced threat protection (ATP) with breach detection across a wide variety of solutions in a network environment, including relationship discovery, response management, and ongoing analysis. This type of solution taps into multiple security tools, giving agencies an effective enterprise view and transforming existing, piecemeal security integration models and information consumption patterns. It's a flavor of integrated security that offers a cost-effective approach.

Think of a security fabric as a set of integrated products with a common interface, capable of working together without a lot of customization, systems integration, or manual configuration effort. While this approach can require an up-front investment, it ends up keeping overhead low in the long term. It is particularly useful for states that run multiple name-brand products including switching and firewalls — all separate point products — whose data can be viewed in one platform using open standards.

To achieve a security fabric, the integrated security architecture UTM approach is key, and security solutions must monitor even the smallest network and application transactions. Automation is equally important, providing the opportunity to monitor and address issues on the government network, multicloud attached systems, and web applications, among other things. When automation is coupled with threat management solutions capable of addressing multiple security issues (right down to the wireless access points and associated devices), then agencies can gain a powerful set of tools to help them lock down their systems.

The Current Threat Landscape

Roughly 30% of cyberattacks start with malware, so being able to scan for malware at the start helps close a major hole for many agencies. Other attacks may come through access points and switches, and they can employ simple but highly effective DDoS attacks. Artificial intelligence (AI) and machine learning (ML) help identify points of vulnerability and potential attack patterns, bringing awareness to hacking attempts and mitigating the threat. U.S. governments overall often experience security breaches because of internal misuse or error, whether purposeful or accidental, but this can be an overlooked area of security vulnerabilities. State agencies should ensure that the security fabric includes specialized solutions to rapidly identify and respond to internal incidents and even spot unusual user behaviors before they become dangerous. Advances in AI and ML will be essential to ensure continuous refinement of rules and algorithms and to maintain security and regulatory compliance.


A security fabric spans the entire attack surface, leveraging integrated, intent-based segmentation to stop the impact of a threat at multiple points. Intent-based segmentation separates and tags data and resources, allowing the security fabric to protect attack vectors by discovering and containing threats as they attempt to move within the network and endpoints, thus securing critical data within the network. The fabric shares details with the security appliance, which in turn uses intent-based segmentation, all the way down to the data tagging layer, to make sure the endpoint has proper authorization. It also can help with controlling things such as guests on the agency's wireless network, making sure the guest's traffic is segmented and can't reach the rest of the network.

With single-pane-of-glass visibility across the entire infrastructure and automated remediation and response, a security fabric doesn't require a wide range of talent to integrate and operate, which is a benefit to state agencies that may struggle to hire trained security personnel. Additionally, each security analyst can view all relevant information and make decisions and take action more quickly.

Finding the Right Mix

Government agencies should look for open standards that can help with device and security solution integration. This approach also helps with detection and response coordination. Because threats can happen at high speeds, solutions must have aggressive response times and mitigation capabilities.

Without the right toolset, software-defined networks and other systems can be particularly challenging because managers must combine their computer network security architecture and methodology with security monitoring and defensive perimeter that can interact in real time. Such an approach can be daunting.

Considering Fortinet

Fortinet is a worldwide provider of network security appliances and network security solutions. The company focuses purely on security products and subscription services. Its portfolio is designed to provide broad, integrated, and high-performance protection against advanced threats while simplifying an organization's IT security infrastructure. Fortinet has received multiple third-party certifications, including from NSS Labs, Common Criteria EAL4+ Certification, FIPS 140-2 validated, plus multiple certifications from ICSA Labs and Virus Bulletin. In fact, by participating in tests conducted by NSS Labs, as well as NGIPS and/or NGFW deployments, Fortinet can provide an NSS Labs–recommended ATP solution that is compliant from the datacenter to endpoints.

Fortinet's Security Fabric focuses on security transformation using a holistic, architectural approach that ensures security is embedded in all areas: across multicloud environments, the network, email and web applications, and network access points. The fabric creates a single security system that uses open standards and a common operating system to integrate the multitude of products typically in use by state organizations and often fragmented across agencies. A unified management platform also provides enterprisewide visibility into security processes for better automation management and control.

One key differentiation is that Fortinet handles some security processing via embedded hardware. The company offers one appliance capable of operating across multiple form factors, including email, web, and network traffic. Without this approach, agencies end up purchasing multiple appliances, configuring each appliance, and working to integrate the appliances. Fortinet appliances use multicore processor technology combined with hardware-based SSL tools to deliver fast protected web application firewall (WAF) throughput. Three-quarters of traffic on government networks is encrypted today, and turning on SSL inspection can result in performance degradation. To help address this, Fortinet has developed high-performing security appliances.

The company also focuses heavily on software-defined WANs (SD-WANs), which are common in large government agencies. Fortinet's high-performance SD-WAN is combined with built-in security to ensure a secure SD-WAN solution.

Challenges

» Budget is always a challenge for state and local governments that need to increase their security posture. A single security fabric requires more up-front work, and possible investment, even if the total cost is lower over time. Government security officers will require help to make the case for this investment in Fortinet's Security Fabric. Such a case might use examples of the solution's effectiveness and resulting cost savings as well as demonstrate the cost of security failures and the importance of using the right tools for risk mitigation.

» Fortinet may be less well-known than other suppliers. In the world of quick cloud-based applications, there will likely be supplier consolidations, or even failures, making it feel riskier for agencies to work with a company without brand recognition similar to that of competitors.

» As new systems and endpoints are invented, there will be an ongoing demand for necessary changes, updates, and additions. Providers of integrated IT security solutions will have a continuing challenge. Fortinet will need to demonstrate to state IT departments that the company has a history of being able to adapt its solutions to the evolving needs of agencies.

Conclusion

The world of IT is rapidly expanding and changing, and government agencies face multiple challenges in keeping pace with technology. Most need to increase the effectiveness of their security posture, but they are not always sure how to do so. It can also be difficult to evaluate security programs in a way that indicates where more money and effort are required. If there is no security breach, that doesn't necessarily mean your efforts are successful. Break-ins could still loom.

What we do know is that state governments must take digital transformation and security transformation seriously, particularly as endpoints expand and attacks, especially DDoS types, become increasingly frequent, volumetric, and complex.

There is a call for better enterprisewide security issue monitoring and mitigation. A security fabric approach can address this issue.



About the Analysts

Ruthbea Yesner, Vice President, IDC Government Insights

Ruthbea Yesner is the Vice President of Government Insights at IDC. In this practice, Ms. Yesner manages the U.S. Federal Government practice and the Worldwide Smart Cities and Communities practice.

Shawn McCarthy, Director, U.S. Government Systems and Infrastructure Optimization

Shawn P. McCarthy analyzes government market data, providing IT investment and positioning strategies for both government and vendors and market sizing for tech suppliers. His core research includes U.S. federal, state, and local IT budgets; agency-level technology priorities; and government enterprise architecture standards.


MESSAGE FROM THE SPONSOR

About Fortinet

Fortinet (NASDAQ: FTNT) is a worldwide provider of network security appliances and a market leader in network security solutions. Fortinet products and subscription services provide broad, integrated, and high-performance protection against advanced threats while simplifying the IT security infrastructure. Learn more about Fortinet Government solutions at: https://www.fortinet.com/solutions/industries/government.html

IDC Corporate USA

5 Speen Street Framingham, MA 01701, USA

T 508.872.8200

F 508.935.4015

Twitter @IDC

idc-insights-community.com

www.idc.com

This publication was produced by IDC Custom Solutions. The opinion, analysis, and research results presented herein are drawn from more detailed research and analysis independently conducted and published by IDC, unless specific vendor sponsorship is noted. IDC Custom Solutions makes IDC content available in a wide range of formats for distribution by various companies. A license to distribute IDC content does not imply endorsement of or opinion about the licensee.

External Publication of IDC Information and Data — Any IDC information that is to be used in advertising, press releases, or promotional materials requires prior written approval from the appropriate IDC Vice President or Country Manager. A draft of the proposed document should accompany any such request. IDC reserves the right to deny approval of external usage for any reason.

Copyright 2019 IDC. Reproduction without written permission is completely forbidden.