The Importance of a Sound Security Strategy
CDW deals with agencies that want to implement zero-trust security architectures, starting with their data centers and multicloud environments. However, they may lack security strategies that wrap around their data. That must necessarily come first.
Many agencies know that they need to apply certain security controls to their data, but developing a strategy forces them to identify relevant regulations and compliance measures. On a more basic level, the planning process includes them figuring out where their data resides and how to access it.
The cloud complicates data access. An agency might not need to worry about a hacker in Europe or the Middle East accessing its data center, only the people already authenticated to have access. But in the cloud, if there are no data sovereignty requirements, and data can be moved all over.
Another security challenge agencies face with hybrid data centers is a large volume of legacy apps that require updates to be compatible. Agencies may not even be aware of all of the legacy apps being used that need updates.
Hybrid Data Centers Require Sharing the Responsibility for Security
Mere days after the Department of Defense fully funded identity, credential and access management capabilities under its Thunderdome initiative, which will move it toward a zero-trust security architecture, one of its cloud providers, Microsoft, was found to have been hacked, with government email services exposed.
The cyber incident underscored that it’s not enough for agencies to secure themselves; the underlying technologies in a hybrid cloud environment must be secured by the vendors who provide them.
Every cloud service provider has services that have yet to obtain Federal Risk and Authorization Management Program high security approval, and some services have yet to go through the FedRAMP process at all. The responsibility lies with these vendors to address the issue, create incident response plans and ensure data forensics in the cloud.
When agencies can’t obtain the FedRAMP-approved cloud services they need, some attempt to create those capabilities in-house without considering the consequences, creating what’s known as shadow IT. This leads to unauthorized cloud use and puts data at risk, since there’s no oversight over these capabilities.
An agency’s cloud bill skyrockets when it opts to put everything in the cloud, which means it must be judicious about which applications to migrate to a hybrid data center. Email and Microsoft SharePoint services are typically transferred, but agencies often don’t want their DevSecOps environments or certain data mining and analytics applications in the cloud. An adequate hybrid data center security strategy eliminates all of these concerns.
This article is part of FedTech’s CapITal blog series.