How to Think About Federal Cloud Security in 2019
Many federal agencies are being tasked with moving toward a cloud-first model. This means applications and nation-critical data will now reside in the cloud. This data migration places high-value data in the trust of private sector companies. What do agencies need to consider when navigating the path to the cloud?
Migrating existing workloads to cloud environments is more difficult than many assume, especially when contrasted with building an IT architecture from the ground up. Using traditional architecture, administrators can make certain controlled assumptions on how it ought to be designed for specific use cases, especially from a security standpoint. Admins dictate the security controls that they have in place.
However, moving to the cloud lessens an agency’s grip on certain policies, and there is a trade-off between visibility and agility. Most security controls in cloud environments are not the same as in on-premises environments. The “shared responsibility model” works differently for each cloud vendor, and in a multicloud architecture, agencies need to understand the security specifics of each and every platform.
For example, what’s the equivalent of flow log data or firewall logs in the cloud? And should the agency invest the security team’s time into looking at them in cloud environments? Exactly how much do cloud customers need to be involved in the day-to-day of security operations?
What Is Driving Feds to the Cloud?
A large driver of the federal push to the cloud is cost savings. However, most cost gains are achieved not by moving virtual machines to the cloud but by re-architecting infrastructure to leverage native cloud services and components. Workload “fit” varies by service, and overlapping services make deciding on a cloud service provider difficult. IT leaders need to understand in depth the limits and assumptions of each service. This means understanding not only how the service works, but also how each “dependent” service works, so that IT leaders and their staff can ensure high availability and that disaster recovery works as expected.
For now, highly critical workloads for federal agencies may require a transition plan in which agencies build a hybrid architecture that involves cloud and on-premises components. As assurance metrics improve over time, they can consider migrating more workloads to cloud services. In the meantime, agencies should retain some small on-premises components as a fail-safe.
If cost is the driving factor, then IT leaders must also factor in the possibility of having to migrate workloads across many cloud infrastructures. This means picking a subset of cloud service designs that are “cloud vendor agnostic.” Yet many of the big cost gains are seen when adopting vendor-specific services that are not available on other platforms. However, this creates a vendor lock-in risk for future rate hikes, which can negate the cost benefits of moving to the cloud.
Best Practices for Cloud Security
When migrating workloads to the cloud, most security engineering teams need to adopt strategies to work with system owners at scale. That means for each system, security should not require deep personalized involvement during the accreditation process.
Rather than accrediting individual systems, security teams should accredit and certify entire cloud service components. This involves building mechanisms to make it easy for system owners to “self-certify” by leveraging best practices within each cloud service and documenting notable exceptions.
Security teams then focus their time on understanding each exception and determining if the risk and mitigation are acceptable to proceed. As new cloud services are launched, security teams should maintain a whitelist of pre-approved services that system owners can pick and choose from. This list would ideally grow over time, based on demand.
As cloud services become easier to access and use across the organization, security teams need to detect and manage “dark and rogue IT” components in a systematic way. This is true for all organizations, yet even more so for federal agencies that are targeted by increasingly sophisticated nation-state-sponsored attacks.
Reducing friction in the accreditation process also helps minimize dark IT. A new strategy that security teams haven’t really employed in the past is tracking cloud spend and billing to uncover dark IT. This is just one of many examples of how security needs to extend its reach and partner more closely with business units across the organization. Moving to the cloud means everyone becomes responsible for security.
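One way to combine the pre-approved service list with billing-based discovery of dark IT, shown as an added example that is not part of the original article. The billing columns, service names, account IDs and exception list are all constructed for illustration and do not match any specific provider's export format.

```python
import csv
import io
from collections import defaultdict

# Constructed sample billing export (hypothetical schema, not a real provider's).
BILLING_CSV = """\
account_id,service,owner_tag,cost_usd
1111,object-storage,sys-payroll,420.10
1111,managed-sql,sys-payroll,310.00
2222,object-storage,sys-hr,88.25
2222,ml-notebooks,sys-hr,1540.00
3333,virtual-machines,,97.40
1111,ml-notebooks,sys-payroll,12.00
"""

# Assumed inventory data maintained by the security team.
APPROVED_SERVICES = {"object-storage", "managed-sql", "virtual-machines"}
REGISTERED_ACCOUNTS = {"1111", "2222"}
# Documented exceptions: (account, service) pairs already reviewed and accepted.
APPROVED_EXCEPTIONS = {("1111", "ml-notebooks")}

def find_dark_it(billing_csv, approved, accounts, exceptions, min_spend=0.0):
    """Return billed (account, service) pairs that fall outside accreditation."""
    spend = defaultdict(float)
    reasons = defaultdict(set)
    for row in csv.DictReader(io.StringIO(billing_csv)):
        key = (row["account_id"], row["service"])
        spend[key] += float(row["cost_usd"])
        if row["account_id"] not in accounts:
            reasons[key].add("unregistered-account")
        if row["service"] not in approved and key not in exceptions:
            reasons[key].add("unapproved-service")
        if not row["owner_tag"].strip():
            reasons[key].add("no-owner-tag")
    findings = [
        {"account": a, "service": s,
         "spend_usd": round(spend[(a, s)], 2), "reasons": sorted(r)}
        for (a, s), r in reasons.items() if spend[(a, s)] >= min_spend
    ]
    # Highest spend first, so review time goes to the largest unknowns.
    return sorted(findings, key=lambda f: f["spend_usd"], reverse=True)

if __name__ == "__main__":
    for f in find_dark_it(BILLING_CSV, APPROVED_SERVICES,
                          REGISTERED_ACCOUNTS, APPROVED_EXCEPTIONS):
        print(f)
```

The documented exception for account 1111 is not flagged, which mirrors the model above: system owners self-certify against the approved list, and security reviews only what falls outside it.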
Migrating to the cloud for federal agencies offers many benefits and is an inevitability. But the path to get there opens up new choices that must be weighed against each other. Going to a cloud-first model isn’t something that needs to be rushed today. For federal agencies specifically, there are many reasons to first step into a hybrid model. However, cloud ought to be an aspiration when designing for the future.