Government cloud security demands new vision
By Sebastian Taphanel
When choosing a particular cloud solution, agencies can leverage a cloud service provider's compliance with critical federal requirements like the Federal Risk and Authorization Management Program and take advantage of built-in controls for both physical and technical security that comply with National Institute of Standards and Technology Security Publication (SP) 800-53 and the Department of Defense Security Requirements Guide IL4.
To get the most out of such solutions, however, agencies must take a thoughtful and judicious approach to managing security in the cloud because they are ultimately responsible for the security and compliance of their platforms and applications.
A new model for security
Public clouds present a shared security model -- CSPs implement security of the cloud, while customers are responsible for security in the cloud. That means agencies must understand that their security now has two levels. First, they have to secure their own “stuff” -- everything related to the data they work with -- whether that's data in their own repositories or transactions conducted through application programming interfaces and connectors. It also includes the platforms, applications and access/authorization of any aspect of their IT landscape. Second, agencies must monitor the compute, storage, database and networking services of their cloud provider. The cloud environment contains an agency's most valuable assets, and it is very clearly the agency's responsibility to manage and secure it.
Security insight means constant awareness not just of data and applications but also of how they are functioning within the cloud environment. In other words, it's about the data, but it's also about how the data is being treated in the cloud. Hackers don't care where data resides; they just want an easy way to get in and access it. When sensitive, confidential or even classified data and assets are at stake, as they will be for government agencies, cloud managers must provide assurances that they can identify issues before they become disasters. Even with rigorous security management from the CSP, agencies must automate their view into, and plans for fixing, risks that arise in their cloud infrastructure.
A study sponsored by the SANS Institute, Orchestrating Cloud Security, surveyed almost 500 enterprise IT department employees about their cloud infrastructures. It discovered that while 40 percent of organizations said they store or process sensitive data in the cloud, fully one-third of the survey participants said they do not have enough visibility into their public cloud providers’ operations. Cloud providers can demonstrate excellent track records, but agencies cannot presume that a CSP can monitor their intellectual property as well as they can.
A lack of clarity prevents some agencies from being able to fully use their cloud for fear of vulnerabilities. The inability to continuously monitor the state of their data and operations is a major cause of concern among IT leaders because they are on the hook for reducing vulnerabilities of their resources. If they can't spot potential problems or know how a CSP is affecting them, they are failing in their role as protector of their organization’s assets.
Malicious cyber behavior and inadvertent non-malicious mistakes are difficult to anticipate or change, so agencies have to treat security and compliance as a continuously critical priority. Threat intelligence, through monitoring and automated solutions, is the most effective weapon for thwarting the work of hackers, and cloud users have to embrace this mindset and assign corresponding activity to this task.
Embedding security into operations
Federal cloud users that want to increase delivery speed, quality assurance and overall operations have benefitted from a DevOps approach. Although it can help them quickly achieve service mandates, in too many organizations adherence to DevOps has the undesired effect of shortchanging security. For a team dedicated to quick development, detailed security work often gets bypassed in favor of shortcuts and quick fixes that can unfortunately lead to major vulnerabilities. Security, both as an approach and as a tactical activity, must be embedded into the DevOps process. It is important to be specific about security requirements so the DevOps group will be more inclined to adopt them.
Cloud users must take care to assess all new data and application connectors within the context of controls and compliance requirements that were addressed at initial development. As the development is iterative, so too must be security practices that keep the environment safe and compliant. For agencies using a cloud service, this means updating their defense strategy with the limitations and requirements needed to operate in the cloud. It also means that if they adapt both their development and security operations, they can take advantage of continuous monitoring and automated remediation.
Although the cloud can be an essential tool for federal agencies in terms of operations and efficiency, there are still many compliance and security requirements they must meet. Organizations using the cloud should be thoughtful in adopting security solutions that surround their cloud engagement.
Sebastian Taphanel is a principal solutions architect with Evident.io.