Sep 15 2023

Agencies Need Data Center Security Strategies Before Building

Cyberdefense is now a shared responsibility of government and industry.

Agencies looking to establish hybrid data centers need comprehensive security strategies that set realistic time frames and are mapped to their respective budgets.

These strategies should identify desired security tools and practices such as cloud environments and ways to continuously monitor them.

A hybrid data center relies on cloud, software-defined networking and virtualization technologies to distribute applications across physical and multicloud environments. While most federal IT leaders understand that multicloud environments are the future of government IT, the lack of agency security strategies continues to be a barrier to adoption.

Strategies are often an afterthought because security is expensive and requires that agencies understand the sensitive data they collect and how to protect it. Transitioning to hybrid data centers also means that agencies are no longer fully responsible for their management, but a shared responsibility model requires vendors to ensure the security of their interconnected elements.

The Importance of a Sound Security Strategy

CDW deals with agencies that want to implement zero-trust security architectures, starting with their data centers and multicloud environments. However, they may lack security strategies that wrap around their data. That must necessarily come first.

Many agencies know that they need to apply certain security controls to their data, but developing a strategy forces them to identify relevant regulations and compliance measures. On a more basic level, the planning process includes figuring out where their data resides and how to access it.

The cloud complicates data access. An agency might not need to worry about a hacker in Europe or the Middle East accessing its data center, only the people already authenticated to have access. But in the cloud, if there are no data sovereignty requirements, data can be moved all over.

Another security challenge agencies face with hybrid data centers is a large volume of legacy apps that require updates to be compatible. Agencies may not even be aware of all of the legacy apps being used that need updates.

Hybrid Data Centers Require Sharing the Responsibility for Security

Mere days after the Department of Defense fully funded identity, credential and access management capabilities under its Thunderdome initiative, which will move it toward a zero-trust security architecture, one of its cloud providers, Microsoft, was found to have been hacked, with government email services exposed.

The cyber incident underscored that it’s not enough for agencies to secure themselves; the underlying technologies in a hybrid cloud environment must be secured by the vendors who provide them.

Every cloud service provider has services that have yet to obtain Federal Risk and Authorization Management Program high security approval, and some services have yet to go through the FedRAMP process at all. The responsibility lies with these vendors to address the issue, create incident response plans and ensure data forensics in the cloud.

When agencies can’t obtain the FedRAMP-approved cloud services they need, some attempt to create those capabilities in-house without considering the consequences, creating what’s known as shadow IT. This leads to unauthorized cloud use and puts data at risk, since there’s no oversight over these capabilities.

An agency’s cloud bill skyrockets when it opts to put everything in the cloud, which means it must be judicious about which applications to migrate to a hybrid data center. Email and Microsoft SharePoint services are typically transferred, but agencies often don’t want their DevSecOps environments or certain data mining and analytics applications in the cloud. An adequate hybrid data center security strategy eliminates all of these concerns.

This article is part of FedTech’s CapITal blog series.
