Federal Network Security Survey Report

Transcription

1 Federal Network Security Survey Report April 20, Market Connec1ons, Inc.

2 EXECUTIVE SUMMARY 2 About the Study As networks become increasingly complex and more data moves across the network vulnerability to security breaches can increase. Despite the volume of unencrypted inter- and intra- agency data traversing most enterprises, many federal agencies are not implemencng procedures to protect the network because it is expensive and degrades performance. The right tools can help agencies overcome these network security obstacles, and provide end- to- end proteccon of data within the data center and in transit without adding complexity to the network. Government market research firm Market ConnecCons, Inc. conducted this study to learn to what extent agencies feel their data is protected in transit, the challenges they face in addressing data proteccon proaccvely and any gaps between priorices and accons.

3 EXECUTIVE SUMMARY 3 Key Research Findings PrevenCon is the highest priority within an agency s cybersecurity strategy. Only 26% of agencies feel their data on the network is fully protected. o The ability to protect data on the network diminishes the further the data travels. o Budget constraints, limited resources, complexity and impact on the network performance are top challenges for agencies when protecxng the data on the network. EncrypCng the data on the network is important to 95% of respondents. Seventy- six percent of agencies encrypt their data. A majority (62%) focus on SSL. o In most cases, agencies are are focused on SSL encrypxon to secure web- based applicaxons. Yet there are many other applicaxons that need to be encrypted in transit. What encrypxon is used in those cases?

4 EXECUTIVE SUMMARY 4 Key Research Findings (concnued) Those who are not encrypcng their data are not doing so because of budget constraints and the impact on network performance. Eighty- seven percent believe it is important to base their network proteccon strategy on the Suite B encrypcon algorithm.

5 SECURITY, CHALLENGES AND PRIORITIES 5 Cybersecurity PrioriCes Agencies cybersecurity priorixes for 2015 include a widespread focus on prevenxon (72%), although idenxficaxon (47%) and remediaxon (48%) are also high priorixes. High priority in 2015 Moderate priority in 2015 Not a priority in % 25% 50% 72% 47% 48% 75% 100% 48% 46% 24% 4% 5% 6% PrevenXon IdenXficaXon RemediaXon N=200 What are your agency s cybersecurity priori1es for 2015 with regard to preven1on, iden1fica1on, and remedia1on?

6 SECURITY, CHALLENGES AND PRIORITIES 6 Cybersecurity Budget In most instances, agencies cybersecurity budgets are esxmated to remain unchanged from the previous fiscal year. In line with its relaxvely higher priority, 24% of respondents anxcipate budgets for prevenxon to rise in FY % Increase in FY 2015 About the same in FY 2015 as previous fiscal year Decrease in FY % 16% 14% 25% 50% 75% 71% 76% 80% 100% 6% 8% 6% PrevenXon IdenXficaXon RemediaXon N=200 To the best of your knowledge, in each of the following areas did your agency s cyber security budget increase, decrease, or stay about the same as the previous fiscal year?

7 SECURITY, CHALLENGES AND PRIORITIES 7 Cyber and Network Security Only one- quarter of agencies feel their data on the network is fully protected. Similarly, just 23% rate their agency as fully cyber- secure. 1- Not at all protected Fully protected Network- level security 4% 22% 48% 26% Agency- level cyber security 5% 24% 48% 23% N=200 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% In your opinion, how would you best rate your agency s overall cyber security protec1on, and your agency s level of network security?

8 PROTECTION PROTOCOLS 8 Agency StandardizaCon Historically, agencies have used firewalls, encrypxon appliances and routers with encrypxon modules. Some of these tools can impact performance and do not sufficiently protect data on the network. Agency StandardizaCon Firewalls 85% EncrypXon appliance 67% Router with encrypxon module 58% Other 1% N=151 0% 25% 50% 75% 100% Note: MulXple responses allowed For the traffic on your network today, what has your agency standardized on to perform encryp1on/decryp1on? (select all that apply)

9 SECURITY, CHALLENGES AND PRIORITIES 9 Top Challenges ProtecCng Data Budget constraints, limited resources, complexity and impact on network performance are top challenges for agencies when protecxng the data on the network. Budget constraints 75% Lack of internal resources to implement/maintain 56% Complex to implement/maintain 48% Impact on network performance 46% IncompaXble hardware and sojware 36% Lack of bandwidth/capacity Other 8% 32% Lack of internal resources to implement/maintain FedCiv Defense 52% 68% 0% 10% 20% 30% 40% 50% 60% 70% 80% N=200 Note: MulXple responses allowed What are the top challenges you face with regard to protec1ng your data on the network? (select top 3) = staxsxcally significant difference

10 SECURITY, CHALLENGES AND PRIORITIES 10 Network ConnecCon Speed Typical connecxon speeds between data centers or remote offices vary widely. Sixty- seven percent run at 10Gbps or faster. At these speeds, the encrypxon method can become more of a hindrance than a help. 100Gbps 16% 40Gbps 20% 10Gbps 31% 1Gbps 16% 100Mbps 12% Other 4% N=200 0% 5% 10% 15% 20% 25% 30% 35% What is your agency s typical network connec1on speed between data centers or remote offices?

11 SECURITY, CHALLENGES AND PRIORITIES 11 Ability to Protect Data in Transit/ Over the Network The ability to protect data on the network diminishes the further the data travels. 0% 25% 58% 49% 33% 50% 75% 36% 45% 61% 100% N=198 6% 6% 7% Within data center Internally (between or within buildings on the same campus) Agency to agency How would you rate your agency s ability to protect the following aspects of data in transit/ over the network?

12 PROTECTION PROTOCOLS 12 Data EncrypCon Importance EncrypXon of data on the network is considered important by 95% of respondents. Very important Somewhat important 31% 64% 95% IMPORTANT Neither important nor unimportant 4% Somewhat/ very unimportant 0% N=200 0% 10% 20% 30% 40% 50% 60% 70% How important is encryp1on of data on the network, rela1ve to the overall security of your agency s data?

13 PROTECTION PROTOCOLS 13 ProtecCng Data Although agencies may think they are protecxng their data at sufficient levels, a majority are focused on SSL encrypxon to secure web- based applicaxons. This does not address other inflight traffic types that require a minimum of 128 bit soluxons for Secret and 256 bit encrypxon soluxons for Top Secret inflight data sets. Protocols to Protect Data Level of EncrypCon User credenxals (for applicaxon security only) 80% Secure Socket Layer (SSL) 62% EncrypXon 76% 64 bit 9% Access Control List (ACL) (permissions anached to an object) 49% 128 bit 256 bit 20% 32% Unsure 5% Unsure 9% N=198 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% N=151 0% 20% 40% 60% 80% Note: MulXple responses allowed What protocols do you require to protect your network s data when in transit? (select all that apply)

14 PROTECTION PROTOCOLS 14 Reasons for Not EncrypCng Data Those who are not encrypxng their data are not because of budget constraints and the impact on the network performance. Budget constraints 45% Impact on network performance 39% IncompaXble hardware and sojware Lack of internal resources to implement/maintain Complex to implement/maintain 29% 29% 32% Lack of bandwidth/capacity 18% Other 3% N=38 0% 10% 20% 30% 40% 50% Note: MulXple responses allowed For what reason(s) are you not encryp1ng the data on your network? (select all that apply)

15 PROTECTION PROTOCOLS 15 Importance of Suite B Eighty- seven percent of respondents believe it is important to base their network protecxon strategy on the Suite B encrypxon algorithm. Strategy Based on Suite B Importance Very important Somewhat important Neither important nor unimportant Somewhat/ very unimportant N= 151 2% 11% 31% 56% 0% 20% 40% 60% Suite B is a set of cryptographic algorithms promulgated by the NaXonal Security Agency as part of its Cryptographic ModernizaXon Program. It is to serve as an interoperable cryptographic base for both unclassified informaxon and most classified informaxon. Note: MulXple responses allowed How important is it that your network data security strategy is based on Suite B (a government cer1fied solu1on) versus some other standard approach?

16 RECOMMENDATIONS 16 RecommendaCons Despite the priority agencies place on security and prevencon, the study results show there is no place within the enterprise where data is fully protected to prevent cyber- aaacks. It is criccal to ensure your encrypcon strategy expands as your enterprise grows to accommodate addiconal users and networking services. Checklist for seleccng a data proteccon solucon for your network! Simple to implement and maintain! Does not impact your network or increase network costs due to complexity and management overhead! Protects the different types of data on your network and is Suite B compliant if you have Secret and Top Secret data! Can handle your data connecxon speed today as well as into the future

17 BACKGROUND AND APPROACH 17 About the Survey Market ConnecCons designed and conducted a blind online survey among 200 federal government IT decision makers and influencers in February Two hundred completed interviews yields a +/- 6.9% margin of error. Sixty different agencies parxcipated in the survey. Throughout the report, notable significant differences are reported. StaXsXcal analyses were conducted for agency type (federal civilian vs. defense). Due to rounding, graphs may not add up to 100%. Sample Agencies Represented (In AlphabeXcal Order) Air Force Army Congress Department of Agriculture (USDA) Department of Commerce (DOC) Department of Defense (DOD) Department of Energy (DOE) Department of Homeland Security (DHS) Department of Housing and Urban Development (HUD) Department of JusXce (DOJ) Department of State (DOS) Department of the Interior (DOI) Department of TransportaXon (DOT) Department of Treasury (TREAS) Department of Veteran Affairs (VA) Federal AviaXon AdministraXon (FAA) Judicial/Courts NaXonal InsXtutes of Health (NIH) Navy US Postal Service (USPS)

18 RESPONDENT CLASSIFICATIONS 18 Job Role A wide variety of agency roles are represented, the most common of which are Chief InformaXon Officer, Network Manager, Data Center Manager/Director and Security Administrator. Chief InformaXon Officer Network Manager 13% 12% Data Center Manager/Director Security Administrator Network Administrator Network Architect Chief Security Officer Security Architect 9% 8% 6% 4% 3% 2% ExecuCve Director Project Manager Program Manager IT Director Other 42% N=200 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% What is your role at your agency?

19 RESPONDENT CLASSIFICATIONS 19 Decision Making Involvement Nearly half of respondents menxon they evaluate or recommend network data protecxon soluxons (46%), or are part of a team that does so (45%). Thirty- two percent also describe their role as managing or implemenxng network data protecxon soluxons. And 18% make the final decision regarding network data soluxons. Evaluate or recommend network data protecxon soluxons On a team that makes decisions regarding network data protecxon soluxons 46% 45% Manage or implement network data protecxon soluxons 32% Make the final decision regarding network data protecxon soluxons 18% Other involvement in network data protecxon 8% N=200 Note: MulXple responses allowed 0% 10% 20% 30% 40% 50% How are you involved in decisions or recommenda1ons regarding your agency s network data protec1on? (select all that apply)

20 RESEARCH TO INFORM YOUR BUSINESS DECISIONS 20 Contact InformaCon Dave Glantz, Director of Research Services , ext. 104 Monica Mayk, MarkeCng Director , ext. 107 Susan Rose, Thought Leadership Content Lead