Cloud

The Benefits of a Cloud Security Posture Assessment

As agencies are tasked with accelerating their shifts to the cloud, they must maintain security after the shift.

Evan Doty is a senior field solution architect at CDW focused on hybrid cloud and Microsoft Azure. His areas of expertise include LAN and WAN network design and implementation, Windows system administration, project management, call center management and deployment, and IT vendor management.

President Joe Biden’s May 12 executive order on cybersecurity said government agencies should “accelerate movement to secure cloud services” as part of modernizing their approach to cybersecurity.

As agencies continue to use cloud technology, the order states, “they shall do so in a coordinated, deliberate way that allows the Federal Government to prevent, detect, assess, and remediate cyber incidents.”

How can agencies know though whether they are deploying cloud services in a way that is secure and allows them to detect and respond to cyberattacks on their cloud infrastructure? A cloud security posture assessment is something IT leaders should consider undertaking, if they haven’t done so already.

A cloud security posture assessment can help an agency know whether it meets its own cloud security requirements. For example, is the agency supposed to be following specific cloud security controls outlined in the National Institute of Standards and Technology’s 800-53 guide, or other controls? An assessment can help determine whether the agency is meeting those compliance targets and what it needs to do to improve.

What Is a Cloud Security Posture Assessment?

There are two main steps to a cloud security posture assessment. In the first, data is collected from an agency’s cloud environments, whether that is a single cloud or multicloud environment.

An agency should then work with a trusted third party to review and assess that data and pull it together into a report that presents how the agency’s cloud services and tools are set up and where the organization might have lapses. The report should also provide recommendations that can help the agency prioritize how it might want to address those security gaps.

This assessment is also an opportunity for an agency to see the benefits of cloud security posture management in general. An assessment can provide a point-in-time snapshot, but CSPM platforms can provide cloud security on an ongoing basis.

CSPM platforms connect to an agency’s Infrastructure as a Service and Platform as a Service environments using application programming interfaces. They provide agency IT leaders with visibility into their inventory of cloud assets and continuously scan the configuration of the agency’s cloud environment and generate compliance reports.

Advisers such as CDW can help agencies test out different CSPM providers to see how they might benefit the agency’s approach to cloud security.

The Value of Cloud Security Posture Assessments and Management

There are several reasons agencies can benefit from a cloud security posture assessment.

The first is that most federal agencies are carrying a lot of technical debt associated with maintaining legacy systems. As agencies seek to move legacy systems and applications into cloud environments, it is often expedient for IT leaders to simply move over what they already have in place — the age-old “lift and shift” approach.

However, doing so means agencies are also migrating all of their technical debt. A cloud security posture assessment can help ensure an agency is clearing out that dross. By illuminating and analyzing the cloud configurations and potential security lapses that might have been hiding in legacy systems and applications, an assessment can help ensure that the new cloud environment is as secure as possible.

Another reason to conduct an assessment is that it means that IT leaders won’t overlook potential risks. As the federal government evolves how it delivers digital services to citizens and seeks to improve its customer experience to operate more like a business in some ways, it can be easy to lose focus on the potential risk associated with modernization.

Ultimately, security is always shifting, and the risks associated with cloud technologies keep evolving. An assessment can help make sure agency IT leaders don’t lose sight of that as they upgrade legacy apps.

Compliance is also always changing. For example, the U.S. Senate Committee on Homeland Security and Governmental Affairs recently called for the Federal Information Security Modernization Act to be reformed, a move supported by Federal CISO Chris DeRusha. Assessments and ongoing compliance checks by CSPM platforms can help ensure agencies are maintaining appropriate security compliance.

Cloud security posture assessments should be conducted regularly, along with other cybersecurity audits. However, if an agency chooses to adopt a CSPM tool, it will be able to continuously scan its cloud environments to ensure they are complying with all the necessary security standards.

This article is part of FedTech’s CapITal blog series. Please join the discussion on Twitter by using the #FedIT hashtag.