Customized Cloud Environments Require New Security Approaches

Sometimes making the most of the cloud means rethinking cloud security. Many federal agencies are still in the process of transitioning to the cloud, but as they customize their cloud environments to suit agency missions and priorities, they encounter new security challenges.

“We have to make sure we’re keeping up on the security policy and enforcement side for managing risk as we’re moving through and taking on these new challenges,” said Brian Merrick, director of cloud programs at the Department of State.

The Defense Department, for example, is exploring infrastructure-as-code (IaaC), which helps streamline security protocols.

“[IaaC] greatly reduces the time to set up and configure cloud environments, allowing us to focus on capability [rather than] infrastructure,” said DOD Acting Deputy CIO Danielle Metz at the FCW Cloud Security Workshop last week. “Making the accreditation process go faster. IaaC will streamline the cloud configuration process while conducting security assessments faster. The challenge now is to determine the right number of platforms for the department. We need to balance having enough without having too many.”

The Department of State, on the other hand, favors software-as-a-service (SaaS). Merrick said cloud access security brokers can help coordinate security across the cloud environment.

“It’s more and more difficult to manage the security overlays of custom applications,” he said during the event. “It helps you enforce consistent security controls over disparate cloud environments, and greater visibility in data movement. We’re using this now with one of our cloud collaboration tools. We have an alert set up so that if we see a large amount of data moving out of the environment, it triggers a review. You can also set it up to sever connections if certain events look suspicious and meet your business rule. You can also pull data back in certain environments, not all, and work toward preventive rather than detective controls, which is really what we’re moving toward.”

Merrick said he sees a trend toward hybrid cloud environments where “a workflow tool will access on-prem data.”

“Obviously you have to think about the security risks that entails,” he said. “You want to secure your data as close to the data pool as possible.”

Ron Ross, a fellow at NIST, said NIST integrated privacy and cloud security controls to better address the new risks associated with cloud computing.

“We’re making the catalog more efficient, expanding the reach with privacy,” he said at the FCW Workshop. “We also added a very important new family [of controls] on supply chain risk management (SCRM), that’s going to be a really important topic going into 2021. It’s all about managing risk. We’re always adding new controls to deal with some of the new threats we’re seeing.”

Ross believes the most successful cloud security strategies start in the C-suite and focus on the “why.”

“At the end of the day it’s all about assurance and trust,” he said. “We’re putting everything that matters into computers today — from pacemakers to the electric grid. So it has to be as reliable as it possibly can be.”

Everyone will eventually suffer hack in some capacity, he added, which is why new security controls like zero trust are so important for cloud environments.

“We have to be able to continue our mission critical biz ops even if it’s in a debilitated state,” he said. “Limiting the damage gives us more of an in-depth approach. Limiting damage through zero trust architecture, it makes it very difficult for adversaries to move laterally. They can get in, they just can’t move.”