From the local to the federal level, government agencies are entrusted with sensitive information. Corporate enterprises share similar concerns over data loss and how best to protect information, yet for government agencies the stakes are perhaps even higher, many say.
Citizens count on their civil servants to protect not only access to their personal information, but, in matters of national security, classified correspondence between agencies as well. These requirements contribute to making the government vertical a particularly complex market for IT security vendors.
Despite the formidable obstacles, Peter Beardmore, product marketing manager at RSA, says that the need to line up with government mandates is driving further growth for his company. While some of the Bedford, Mass.-based company's products, like tokens, are suitable right off the shelf for government purposes, others require a bit of tailoring to meet specific needs in the government space, says Beardmore. Encryption and smart card management, for example, need a good deal of servicing, he says. The effort appears to be paying off as government information sharing has become an important part of RSA's business.
“The ability for employees to authenticate information from other agencies through secure web access, depending on clearance, has proven fruitful,” he says.
Most recently, two federal government standards have been a key driver. Homeland Security Presidential Directive (HSPD-12) and Federal Information Processing Standards (FIPS) 201 specify personal identity verification (PIV) requirements for federal employees and contractors to vet the identities of credentialed recipients.
PIV smart cards enable users to be identified using several methods, including by photographic images printed on the cards, as well as by biometrics (fingerprints), personal information numbers (PINs), and other electronic credentials (digital certificates) stored on the card chip. These PIV smart cards are designed for physical access (such as entry to buildings) and logical access (access to computer systems and networks).
The cards have been put to use in RSA's partnership with Hirsch Electronics on an initiative for the government sector, particularly in deploying HSPD-12 (Hirsch Electronics manufactures high security access control and security management systems). The interoperability of the RSA Card Manager smart card management solution with Hirsch systems consolidates multiple credentials onto a single device. This allows employees to access both secured areas and electronic resources.
Alliances such as this one are expected to grow in the coming years as RSA rolls out smart badges to more departments within the government, the U.S. Coast Guard and port workers, for example (see sidebar, below). An initial contract of 1.3 million is projected to grow to several million, says Beardmore.
The wireless factor
Wade Williamson, director of product management at AirMagnet, agrees that the government is vigilant about enforcing mandates to keep its data secure. The Sunnyvale, Calif.-based company provides protection of system-wide LANs at all levels of the government, including military and research facilities.
Wireless has made the process of ensuring security more complicated, says Williamson. “Traditionally, the firewall was enough to prevent leakage, but now we can go through walls, and there are new ways to capture information.”
And, wireless LANs are not the only route for those intent on piercing network defenses. AirMagnet offerings also provide spectrum analysis to identify devices beyond WiFi, including Bluetooth units, wireless cameras and cordless phones.
The company launched the latest version of its AirMagnet Enterprise in the fall. According to Williamson, the solution detects and defends against the latest classes of wireless LAN exploits, delivers forensic analysis for spectrum/RF threats and introduces a complete threat intelligence system to classify and prioritize all wireless events for simple management.
FISMA driving investment
Larry Lunetta, vice president of strategy and corporate development at security and compliance management solution provider ArcSight, sees the government leading the pack in the security field.
Part of this centers around the fact that government agencies typically have heterogeneous environments to protect, so there are a wide variety of security needs, he points out.
ArcSight understands that diversity, he adds, so offers everything from turn-key solutions to customizable platforms. ArcSight's SIM offering, Enterprise Security Management (ESM), helps protect against a range of threats — helping ensure compliance and combat security threats, fraud, physical breaches, malicious insiders and more. ArcSight ESM collects and parses data from a vast array of event sources — and delivers a single view into that information, which can be used by stakeholders.
In addition to not so homogenous infrastructures, government agencies must also contend with compliance regulations, which remain big drivers for security solutions — especially the Federal Information Security Management Act of 2002 (FISMA), he says.
Lunetta says the fed will continue to be a growth market, adding that the economic environment is loosening up for local and state governments as well.
“The threat environment is not diminishing,” Lunetta says.
Along with traditional threats seen by the private sector, he explains, headlines keep cropping up that inform the public about state-sponsored threat terrorism.
“The stakes,” Lunetta says, “are getting higher.”
In the cards
To help secure the nation's transportation system, RSA is working with Lockheed Martin to deploy biometric identification credentials to maritime workers nationwide.
The Transportation Security Administration's Transportation Worker Identification Credential program is intended to enhance port security by requiring workers to successfully complete a security threat assessment and to carry a biometric credential.
— Greg Masters