Dec 26 2023

Why Cloud Workload Protection Is Imperative for Agencies

The move to multicloud requires comprehensive, consistent security.

Agencies embracing multicloud strategies need cloud workload protection to address the cybersecurity challenges unique to such IT environments.

CWP solutions can secure workloads comprehensively and consistently across the array of cloud platforms that agencies have to choose from today.

The technology has gained acceptance among both defense and civilian agencies in the past four or five years as they continue to migrate from on-premises systems to cloud environments and seek a secure transition with minimal risks. While the capability began as a means of protecting containers on-premises, it’s become part of cloud-native application protection platforms that span multiple clouds.

“Every toolset that you need is offered with different providers, so the complexity just goes through the roof,” says Joe Sangiuliano, public sector regional vice president of Prisma Cloud by Palo Alto Networks. “And that leads to an untenable security solution with too many tools to manage and too much cost.”

CWP platforms offer a holistic way to safeguard “assured workloads” such as the operating system, apps, data, services and processes within virtual machines and containers, rather than protecting an entire private, hybrid or public cloud environment.

Cloud Workload Protection Meets Agencies’ Most Pressing Needs

As cyberattacks become more sophisticated, securing cloud workloads becomes increasingly critical for avoiding the compromise of government security infrastructure and intelligence and defense systems, says Nat Montha, U.S. federal systems engineering director at Nutanix.

Cloud environments can increase agencies’ attack surface because they have more entry points and interconnected systems and thus present a higher risk of security vulnerabilities.

As concerns about the security of federal data grow, it makes sense that CWP platforms not only ensure data is stored in the cloud confidentially but also detect and attempt to mitigate threats such as malware, ransomware and unauthorized access. This is often done through a combination of real-time monitoring, behavioral analysis and machine learning algorithms trained to identify abnormal activities.

“CWP solutions are essential for federal agencies, as they are increasingly adopting cloud services to stand up new applications and services quickly to meet requirements and mandates,” Montha says. “It is critical to protect data and workloads that inform and power their operations and missions.”

Agencies working toward cloud-native app development are most likely to adopt CWP, and this helps ensure compliance with the Federal Information Security Modernization Act, Federal Risk and Authorization Management Program and Department of Defense impact level certifications.

CWP further aligns with the zero-trust security model agencies are required to adopt, which emphasizes the need to verify and secure all users and devices on their networks regardless of location in the era of remote work, Sangiuliano says.

What’s more, CWP scales up and down with cloud environments.

The CWP Solutions Available to Agencies

Agencies have many CWP solutions available to them, and the technology is rapidly evolving. Traditional security companies and hyperscalers offer CWP platforms, as do other tech players such as Nutanix, with its Cloud Platform.

Because different solutions address different facets of the CWP framework (not necessarily most of them), it’s important for agencies to build defense in depth — an all-encompassing solution that meets as many requirements as possible.

“Choosing a CWP platform for federal agencies involves careful consideration of various factors to ensure that the selected solution aligns with security requirements, compliance standards and the agency’s specific needs,” Montha says. “They should begin with an evaluation of all of the cloud platforms they are using.”

From there, agencies must review solutions that address the components of the CWP framework, such as threat detection and prevention, vulnerability management, encryption and data protection, incident response, continuous monitoring and reporting, and compliance certification.

Early CWP Wins for Agencies to Target

Defense agencies’ strict certification requirements can be an impediment to CWP adoption, as can hard-to-migrate legacy apps that also challenge civilian agencies. As a result, agencies are at wildly different stages.

Generally, once agencies progress past the early “lift and shift” of workloads and infrastructure to the cloud — and have shifted their focus to DevSecOps and continuous integration and delivery — they can begin outlining their security and compliance goals. That’s because the DevSecOps life cycle is where multiple cyber vulnerabilities and attack paths emerge, Sangiuliano says.

Compliance monitoring is a great place for agencies to start because CWP solutions include features to help them monitor and enforce compliance with federal regulations, Montha says.

“We still talk very frequently with customers about the shared responsibility model, meaning what does the cloud provider provide for security, and what is still the responsibility of the agency?” Sangiuliano says. “And what it comes down to is a conversation about application protection.”

Only after an agency determines what apps are staying on-premises (versus moving to the cloud) can it identify the workloads and IT assets that need CWP, he adds.

Next, the agency must decide whether it wants to develop a CWP solution in-house or pay for a commercial platform.

“Having the same platform delivers a common operating model across on-premises, edge, colocation and public cloud environments,” Montha says. “This makes security easier to manage.”

Agencies should consider trusted vendors and security providers whose solutions have features that go beyond CWP, Sangiuliano says.

A CWP implementation timeline will depend on the number of workloads being secured, the size of the team deploying the solution, compliance standards and level of visibility, but will typically run three to six months, he adds.

Sangiuliano recommends starting small by loading different instances of Amazon Web Services, Microsoft or Google workloads into the CWP platform.

“We spend a lot of time working with customers at the outset to really define exactly what their goals and responsibilities are,” Sangiuliano says. “They need to think beyond what the cloud service providers provide and meet their compliance standards.”
