Tackling Cloud Security: US Federal Edition
Back in 2007, the first US federal CIO, Vivek Kundra, was appointed. Shortly after, in December of 2010, he launched one of the world’s first “cloud-first” initiatives, making many US federal agencies, such as the General Services Administration (GSA), some of the earliest innovators in this arena. At the heart of this push were better experiences for government customers and leapfrogging tech advancement to achieve faster innovation and greater efficiency.
Governments around the world have since followed suit with cloud-first/cloud-smart programs. This momentum, combined with unique government infrastructure and contracting requirements, led to the first industry-specific cloud offerings, which remain active today. US federal agencies are still heavy cloud users, with examples such as the Department of Defense’s US Air Force Cloud One program and the GSA’s Healthcare.gov website. Although much of each of these use cases is public-facing, aspects of each involve highly sensitive information.
Do industry clouds take care of all government security needs? No, not by a long shot. While cloud security operates on a shared responsibility model across all industries, federal agencies navigate an even more intricate landscape of compliance mandates, fragmented authority structures, and procurement complexities that favor operational expenditures over capital investments, creating additional hurdles for implementing hybrid cloud solutions that meet stringent government security requirements. Government clouds listed in government marketplaces such as FedRAMP focus on data center certifications and contracting requirements, but this is a far cry from security across the entire stack.
Forrester has observed that maintaining cloud security is difficult for US federal groups because of:
- Reductions in force and contract cancellations straining the federal workforce. This risk is highlighted by the cuts at the Cybersecurity and Infrastructure Security Agency (CISA), which terminated active security initiatives and led to the dismissal of a significant number of probationary employees. Cuts of this nature exacerbate existing shortages of skilled cybersecurity personnel and the difficulty of competing with private-sector salaries.
- Impact levels/security tiering. Many government groups classify data and applications by impact/clearance levels. This creates additional layers of complexity in crafting security plans and sourcing strategies. Governments with their eyes set on large-scale data migrations will need to pay particular attention to data tiering and to the security of data in motion.
- Need for adaptivity due to changing policy. As government personnel shift with changes in administration, so do policies. Government technology and security leaders find that shifting policies make it difficult to commit to a platform or plan. Sometimes leaders select additional abstraction layers that add cost, limit capabilities, and/or constrain agility in order to prepare for these changes. At times they may choose to insource to avoid rework, despite slower initial delivery and reduced capabilities.
- Certification costs for third-party security tools. Achieving FedRAMP and National Institute of Standards and Technology certifications is a costly and complex process for vendors, period. Now imagine that you are a small cloud security vendor; this makes it even harder. Forrester estimates that obtaining a moderate authorization-to-operate level can take at least a year and require significant financial investment. This high cost and complexity often lead to the exclusion of otherwise suitable solutions from federal agency shortlists, impacting the adoption of effective security measures. FedRAMP 20x may reduce some of this burden.
- Cloud infrastructure complexity. The increasing adoption of multicloud platforms makes it challenging to understand adversaries’ activities and translate them into coherent risk and threat models. Misconfiguration risks are high due to the large number of human and machine identities; the numerous compute, storage, and network instances; and the difficulty of determining effective access to data and configuration policies. Some cloud services are available via GovCloud; many aren’t. Many government agencies must approve each specific service for use, and your security vendors may also struggle to keep up with what is live on the platform.
- SaaS application adoption. SaaS apps are now central to organizational and US federal government operations, but they pose risks such as data exposure and rogue IT integrations. Cloud-based solutions challenge federal agencies that restrict cloud use. Agencies must follow stringent Department of Defense (DoD) security controls beyond FedRAMP to protect national security systems. And this list is ever-increasing.
Cloud Security Federal Essentials: Governance, Zero Trust, SaaS
Solving for these challenges will take diligence. Start with the basics by looking at the categories of cloud security and the specifics of the uneven handshake. This will give you the fundamentals of the cloud security players and an initial sense of what is mandatory versus areas where you may opt to apply additional due diligence. At this specific moment in time, with significant change and uncertainty, standardization and automation are key, as they reduce cloud administration work and rework and improve the accuracy of cloud security policy posture and remediation. In addition to developing a business case or metrics up front, Forrester recommends the following:
- Become familiar with the federal regulations. The US DoD published its Security Requirements Guide documentation for cloud security, and CISA released its Cloud Security Technical Reference Architecture; each reviews the requirements for US federal agencies. Zero Trust principles, a shared responsibility model between cloud service providers and federal agencies, robust cloud security posture management, and protecting data during cloud migration and within cloud environments are each key callouts in these materials.
- Define and refine your cloud governance processes. Without an inventory and understanding of its cloud resources, an agency will find protecting those resources and the data in them next to impossible. Forrester recommends defining, then annually refining, a cloud governance framework that controls not only the security but also the cost, uptime, and resilience of cloud workloads. Establishing and maintaining a cloud Zero Trust posture (i.e., limiting and, where possible, eliminating cloud admins’ administrative privileges) is a must. As a direct measurement of the above, agencies should be looking to improve their US Federal Information Technology Acquisition Reform Act score. Next up and closely tied to this effort? Data governance.
- Limit SaaS app and data proliferation and SaaS shadow IT. Failing to protect data in interconnected but insufficiently controlled and monitored software-as-a-service (SaaS) applications (e.g., employees uploading sensitive documents to their personal cloud storage, such as Box, Dropbox, or Google Drive) results in costly data breaches, reputational damage, and remediation costs. Using SaaS app governance in addition to SaaS security posture management solutions helps with mapping out data paths, as well as with detecting and remediating excessive SaaS admin privileges.
- Implement broad cloud security controls using CNAPP platforms. Cloud-native application protection platform (CNAPP) solutions provide comprehensive cloud threat detection and response across: 1) cloud infrastructure administration; 2) guest operating system configuration and storage; 3) container runtime and orchestration; 4) continuous integration/continuous delivery and infrastructure-as-code layers; and 5) application security in the forms of software development testing (static and dynamic application security testing) and software composition analysis.
- Manage admin and business user identities and their access comprehensively. Controlling the business and admin human and machine identities with access to cloud configuration and data is multifaceted and complex. At a minimum, agencies should have automated control of users’ joiner, mover, transfer, and leaver processes, aided by cloud infrastructure entitlement management, workforce identity management and governance solutions, and privileged identity management tools. Sound identity and access management (IAM) processes for admin users, covering joiner/mover/transfer/leaver events and periodic entitlement reviews, are instrumental in the above areas. Auditing IAM will be key.
- Use quantum security and cryptoagility preparation to get budgets. Forrester recommends that organizations, via e-discovery and prioritization of data assets and cryptoagility, prepare for quantum computing’s inevitable evolution and its future ability to break asymmetric (RSA, ECC, Diffie-Hellman) cryptography. Cloud security improvements (e.g., installing cloud-based next-generation firewalls that can discover the encryption in use) help agencies find quantum-vulnerable encryption. The introduction of cryptoagility (i.e., choosing and developing software in a way that makes cryptographic algorithms pluggable) should synergize with cloud security modernization.
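The pluggable-algorithm pattern the last point describes, as an added example that is not from the original post: signatures carry an algorithm tag, implementations live in a registry, and a policy decides which algorithm signs new data while a deprecated one stays verify-only during migration. Because only the Python standard library is assumed, two HMAC variants stand in for the asymmetric algorithms the post names; swapping in RSA or a post-quantum scheme changes only the registry entries, not the callers.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, Set

# Constructed stand-ins: each "algorithm" is a MAC so the block runs offline with the
# standard library only. A real registry would hold asymmetric sign/verify pairs
# (RSA today, a post-quantum signature later); the envelope and policy logic are unchanged.
ALGORITHMS: Dict[str, Callable[[bytes, bytes], bytes]] = {
    "hmac-sha256": lambda key, data: hmac.new(key, data, hashlib.sha256).digest(),
    "hmac-sha3-256": lambda key, data: hmac.new(key, data, hashlib.sha3_256).digest(),
}

@dataclass
class CryptoPolicy:
    preferred: str                                   # algorithm used for every new signature
    verify_only: Set[str] = field(default_factory=set)  # deprecated but still accepted on verify

def sign(policy: CryptoPolicy, key_id: str, key: bytes, data: bytes) -> str:
    """Return an algorithm-tagged envelope 'alg.keyid.base64tag' so verifiers can dispatch."""
    tag = ALGORITHMS[policy.preferred](key, data)
    return f"{policy.preferred}.{key_id}.{base64.urlsafe_b64encode(tag).decode()}"

def verify(policy: CryptoPolicy, keys: Dict[str, bytes], data: bytes, envelope: str) -> bool:
    """Fail closed on unknown, retired, or unkeyed envelopes; otherwise check in constant time."""
    alg, key_id, b64 = envelope.split(".", 2)
    if alg not in ALGORITHMS or alg not in policy.verify_only | {policy.preferred}:
        return False
    key = keys.get(key_id)
    if key is None:
        return False
    expected = ALGORITHMS[alg](key, data)
    return hmac.compare_digest(expected, base64.urlsafe_b64decode(b64))

def migration_demo() -> Dict[str, object]:
    """Walk one algorithm migration: old preferred -> verify-only -> retired."""
    keys = {"k1": b"constructed-demo-key"}  # constructed sample key, not a real secret
    legacy = sign(CryptoPolicy(preferred="hmac-sha256"), "k1", keys["k1"], b"record")
    migrating = CryptoPolicy(preferred="hmac-sha3-256", verify_only={"hmac-sha256"})
    fresh = sign(migrating, "k1", keys["k1"], b"record")
    retired = CryptoPolicy(preferred="hmac-sha3-256")  # legacy algorithm no longer accepted
    return {
        "legacy_still_verifies": verify(migrating, keys, b"record", legacy),
        "fresh_verifies": verify(migrating, keys, b"record", fresh),
        "legacy_rejected_after_retirement": not verify(retired, keys, b"record", legacy),
        "tampered_rejected": not verify(migrating, keys, b"record-x", fresh),
        "fresh_alg": fresh.split(".")[0],
    }
```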
If you’re a client interested in this blog, please reach out to schedule an inquiry or guidance session. Thank you!