Federal agencies embarking on large-scale cloud transformation initiatives are focusing on cloud provider and supply chain scrutiny as core aspects of proactive cybersecurity.
Speaking at the GovernmentCIO Media & Research Cloud Summit, representatives from both security-focused agencies and private industry discussed the foundational steps the federal government is taking to protect public sector IT systems from both malicious actors and state adversaries.
Cloud transitions tend to involve large shifts in how IT systems are managed, and one of the main concerns among cybersecurity experts is ensuring old vulnerabilities are not automatically baked into new structures.
“Part of our challenge today is that because of the fear of lock-in, or the fear of risk associated with moving legacy systems to the cloud, we see a lot of organizations that take legacy systems and transport them into infrastructure-as-a-service. And ultimately, what that means is you're really taking the same vulnerabilities you had on-prem and moving them to somebody else's infrastructure,” said Department of Homeland Security CISO Kenneth Bible.
Managing this shift is currently recognized as one of the greatest security challenges for agencies undergoing these significant transitions to off-premise architectures.
“It is a well-known challenge right now that you don't want to create seams or gaps between how these cloud environments are architected versus the legacy on-prem environments,” said Sean Connelly, senior cybersecurity architect at CISA.
This underscores the importance of analyzing preexisting systems and correcting potential vulnerabilities that will only become more pronounced when moving to a more complex and dispersed cloud environment.
“I think part of the big risk we see is that a lot of times organizations don't understand the capabilities they are moving into. So it's really important to understand what exactly are the capabilities and environment that you're going into. And then based on those capabilities, you have to step back and note what security goals you’re trying to accomplish,” said David Jenkins, distinguished engineer at IBM.
Another core aspect of cloud cybersecurity in government is analyzing technology supply chains for vulnerabilities.
“From our perspective, the way to mitigate risk is for us to do our vetting process right. So we have a pretty robust vetting process for any cloud provider we bring in and host as a DOD-available cloud provider at different levels of information classification. So a lot of that is making sure that we have confidence that the information is separate from the commercial environment, making sure data that is sensitive is physically separated, and making sure that we can identify any possible issues in the supply chain on the cloud provider side. I think of it as a combination of an initial assessment followed by continual reassessment,” said Korie Seville, cybersecurity expert at the Defense Information Security Agency.
The recent SolarWinds hack that used vulnerabilities within the services offered by a private cloud provider to gain dispersed access into connected federal systems demonstrated the importance of assessing the vulnerabilities of all software used to maintain cloud architecture, with federal agencies paying special attention to, and correcting against, possible breach points in their networks. This has also included determining what an intentionally malicious piece of code, often referred to as a logic bomb, deployed within software would look like in cases of interconnected cloud architecture, and how a software bill of materials (SBOM) would document the composition of such software.
“This was really a direct product of SolarWinds, namely how would we assess a product to determine whether it met our criteria for the integrity and composition of the product. That translated into discussion around software bills of material as we started to look at other products outside of SolarWinds and started to look at other cloud services, and what an SBOM would look like for a cloud-based service. Now you have multiple libraries and the development environment for some cloud services actually being in the same cloud, or being from open-source libraries and other services within the cloud. So the SBOM challenge for a cloud service provider becomes even more complex,” Bible said.
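The SBOM questions Bible raises (multiple libraries, transitive open-source dependencies, build environments living in the same cloud) come down to whether each component record is complete enough to assess integrity and composition. The following is an added example, not code from the article or from any agency or vendor named in it: it walks a constructed, CycloneDX-style SBOM for a hypothetical service, resolves the transitive dependency set, and flags records that would block an assessment (no supplier, no artifact hash, a floating version tag, or a dependency edge pointing at a component the SBOM never lists). Every component name, version, supplier and hash in it is a placeholder.

```python
"""Completeness checks on a constructed, CycloneDX-style SBOM for a hypothetical
cloud service. All names, versions, suppliers and hashes are placeholders
invented for this example; they describe no real product."""
from typing import Dict, List, Set, Tuple

# Constructed SBOM: a service, two libraries (one only pulled in transitively)
# and the cloud build image the service is built on.
SAMPLE_SBOM: dict = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"bom-ref": "svc-api", "name": "example-api-service", "version": "2.3.0",
         "supplier": {"name": "Example Vendor (placeholder)"},
         "hashes": [{"alg": "SHA-256", "content": "0" * 64}]},
        {"bom-ref": "lib-http", "name": "http-client-lib", "version": "1.8.1",
         "supplier": {"name": "Example OSS project (placeholder)"},
         "hashes": [{"alg": "SHA-256", "content": "1" * 64}]},
        # Transitive open-source dependency with no supplier and no hash recorded.
        {"bom-ref": "lib-json", "name": "json-parser-lib", "version": "0.9.2"},
        # Build image supplied by the cloud platform, pinned only to a floating tag.
        {"bom-ref": "build-img", "name": "cloud-build-image", "version": "latest",
         "supplier": {"name": "Example cloud platform (placeholder)"}},
    ],
    "dependencies": [
        {"ref": "svc-api", "dependsOn": ["lib-http", "build-img"]},
        {"ref": "lib-http", "dependsOn": ["lib-json"]},
        {"ref": "lib-json", "dependsOn": []},
        {"ref": "build-img", "dependsOn": []},
    ],
}

# Version strings that identify a moving target rather than a fixed artifact.
FLOATING_VERSIONS = {"latest", "main", "master", ""}


def dependency_graph(sbom: dict) -> Dict[str, List[str]]:
    """Map each bom-ref to the refs it depends on directly."""
    return {d["ref"]: list(d.get("dependsOn", [])) for d in sbom.get("dependencies", [])}


def transitive_deps(sbom: dict, root: str) -> Set[str]:
    """Every component reachable from `root`, excluding root itself.
    Iterative DFS with a visited set, so a cyclic graph cannot loop forever."""
    graph = dependency_graph(sbom)
    seen: Set[str] = set()
    stack = list(graph.get(root, []))
    while stack:
        ref = stack.pop()
        if ref in seen or ref == root:
            continue
        seen.add(ref)
        stack.extend(graph.get(ref, []))
    return seen


def find_gaps(sbom: dict) -> List[Tuple[str, str]]:
    """Return (bom-ref, issue) pairs for records too thin to support an
    integrity/composition assessment."""
    gaps: List[Tuple[str, str]] = []
    known = {c["bom-ref"] for c in sbom.get("components", [])}
    for c in sbom.get("components", []):
        ref = c["bom-ref"]
        if not c.get("supplier", {}).get("name"):
            gaps.append((ref, "no supplier recorded"))
        if not c.get("hashes"):
            gaps.append((ref, "no artifact hash recorded"))
        if c.get("version", "").strip().lower() in FLOATING_VERSIONS:
            gaps.append((ref, "floating version, not pinned"))
    for ref, deps in dependency_graph(sbom).items():
        for dep in deps:
            if dep not in known:
                gaps.append((ref, f"depends on unlisted component {dep}"))
    return gaps


if __name__ == "__main__":
    print("transitive deps of svc-api:", sorted(transitive_deps(SAMPLE_SBOM, "svc-api")))
    for ref, issue in find_gaps(SAMPLE_SBOM):
        print(f"{ref}: {issue}")
```

The point of the transitive walk is that `lib-json` never appears as a direct dependency of the service, yet it is part of what gets deployed; a review that stops at first-level components would miss that it carries neither a supplier nor a hash. The same checks apply unchanged to a real CycloneDX document loaded with `json.load`, since only the `components` and `dependencies` keys are read.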