The road to cyber hell was paved with good intentions

A series of well-intended cloud initiatives have left agencies with unforeseen security challenges, but overcoming them is not hard if you know where to look.


It is 2010 and Federal CIO Vivek Kundra has just unveiled a brand new federal IT policy he is calling "Cloud First." Its goal: to deploy all new government IT solutions in cloud ecosystems whenever possible, increasing agility and innovation and reducing the time and costs of acquiring, deploying and maintaining traditional infrastructure, all in pursuit of accelerating government-wide IT modernization. Along with the Federal Data Center Consolidation Initiative (FDCCI) announced the same year, both mandates would drastically change the face of government IT by the end of the decade.

Fast forward to 2018, and things have gotten better for the IT operations guys -- cloud, DevOps and agile development are making the creation of new applications and digital services easier and cheaper than ever. Also, datacenter consolidations combined with cloud migrations mean agencies now spend less time managing hardware than they did in the pre-cloud days.

However, those very successes for the IT operations teams have resulted in a different story for the security operations teams. Their job is now more complicated. Mandated with the noblest of intentions, Cloud First and the FDCCI have resulted in federal data and applications that now live off-premises and exist in a constant state of ephemerality, with containers and microservice instances spinning up and down in mere seconds. While IT was never easy and always complex, today's IT ecosystems pose a far greater challenge to understand and protect than ever before. Day by day it grows harder to ensure these services and data remain secure.

But isn't cloud secure?

Many may pause here and say that cloud is actually more secure than traditional infrastructure thanks to the rigorous FedRAMP approval process and numerous other security standards cloud providers are required to meet in order to host federal data. That is absolutely true with two caveats.

Before we go further, ask yourself three questions:

  • First, is all your data on the cloud?
  • Second, is the data you do have on the cloud all with a single vendor?
  • Third, do you have an on-premises infrastructure that integrates with data and applications hosted on your public cloud?

If you are like most agencies I talk with, my guess is the answers to these respective questions are no, no and yes. As a result, I'm also guessing you would have trouble confidently saying you have a clear line of sight across that infrastructure and have a consistent security policy across it as well.

This brings me to the first caveat: for the foreseeable future, even the most cloud-progressive agencies will continue to have a multi-cloud or hybrid infrastructure with data and applications living both on-premises and in the cloud. That is a huge challenge for the CISO because it leaves open potential for compliance gaps, or worse, security gaps, as data moves around.

The second caveat is that people continue to play a crucial role in managing those cloud and on-prem infrastructures and even the best, most well-trained and well-intentioned employees will always be fallible. We've already seen this play out with the reports of AWS S3 buckets left accidentally unsecured.

So how do we address these two caveats so that cloud computing becomes as secure as it should and needs to be?

Unifying automated discovery and security compliance

Federal CISOs have long known that data discovery is the first crucial step to strengthening cyber postures. However, the very nature of multi-cloud and multi-tenancy makes understanding and knowing where your data is challenging, particularly as the aforementioned containers and microservices are so fleeting. Traditional methods of tracking, monitoring and then securing this complex cloud world are either too inaccurate, too slow, or both.

Instead, agencies need to start deploying automated solutions that can both run deep data discovery and apply security compliance measures simultaneously, according to pre-defined requirements. More importantly, those solutions must be able to do so across all types of cloud and virtualized infrastructure, regardless of whether data lives in a private datacenter, in a multi-tenant environment, in Azure, in AWS, or in some combination of those.
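To make that requirement concrete, here is an added example (not code from the article or from any vendor) of one pre-defined policy evaluated identically over a hybrid inventory whose discovery records arrive in three provider-specific shapes. The assets, field names and rule ids are constructed for the illustration and do not reflect real AWS or Azure API output.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Asset:
    provider: str            # "aws", "azure" or "onprem"
    kind: str                # "object_store", "file_share", ...
    name: str
    public: bool             # reachable without authentication
    encrypted: bool          # encrypted at rest
    tags: dict = field(default_factory=dict)

# Constructed discovery output in three shapes. Field names are illustrative, not real
# AWS/Azure API fields; a real pipeline maps each provider's inventory into Asset the same way.
RAW_INVENTORY = [
    {"src": "aws", "BucketName": "agency-forms", "PublicAcl": True,
     "SSE": False, "Tags": {"owner": "forms-team", "sensitivity": "high"}},
    {"src": "azure", "name": "backups01", "allowBlobPublicAccess": False,
     "encryption": True, "tags": {"owner": "infra"}},
    {"src": "onprem", "host": "nas-03", "share_public": False,
     "encrypted_volume": False, "tags": {"sensitivity": "high"}},
]

def normalize(rec: dict) -> Asset:
    # Map each provider's record shape onto the single Asset schema.
    if rec["src"] == "aws":
        return Asset("aws", "object_store", rec["BucketName"], rec["PublicAcl"], rec["SSE"], rec["Tags"])
    if rec["src"] == "azure":
        return Asset("azure", "object_store", rec["name"], rec["allowBlobPublicAccess"], rec["encryption"], rec["tags"])
    return Asset("onprem", "file_share", rec["host"], rec["share_public"], rec["encrypted_volume"], rec["tags"])

# One policy applied regardless of where the data lives.
# Each rule: (id, description, predicate that is True when the asset is compliant).
RULES = [
    ("PUB-1", "storage must not be publicly accessible", lambda a: not a.public),
    ("ENC-1", "high-sensitivity data must be encrypted at rest",
     lambda a: a.tags.get("sensitivity") != "high" or a.encrypted),
    ("OWN-1", "every asset must carry an owner tag", lambda a: "owner" in a.tags),
]

def evaluate(records: list[dict]) -> list[tuple[str, str, str]]:
    # Return (provider, asset name, rule id) for every rule an asset fails.
    findings = []
    for asset in map(normalize, records):
        for rule_id, _desc, ok in RULES:
            if not ok(asset):
                findings.append((asset.provider, asset.name, rule_id))
    return sorted(findings)

if __name__ == "__main__":
    for provider, name, rule_id in evaluate(RAW_INVENTORY):
        print(f"{provider:7} {name:14} FAIL {rule_id}")
```

Discovery feeds the same normalized records on every run, so an asset that appears for only a few minutes is still evaluated against the same rules as a long-lived one.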

Where these issues are addressed, we are already seeing cabinet-level federal agencies begin to realize the full promise of cloud without falling victim to unexpected security hazards. They now have better, more consistent security; automated compliance auditing that reduces human error; and more overall confidence in their ability to continue expanding into the cloud with clear visibility into the future.