Federal agencies are pushing data, applications and systems into the cloud as fast as they can. Cloud promises better performance, better availability and security that’s almost always better than what legacy solutions could deliver.
At least, isn’t that what everyone is telling you?
The reality is that cloud is a broad term that applies to a range of products and services. Each cloud solution is really only as secure as the choices you make to implement them.
Even more important: today, cloud is never a single solution. We live in a hybrid, multi-cloud world, where users move in and out of different cloud services all day long. For chief information security officers and their teams, the network perimeter now includes applications and services running on mulit-tenant clouds hosted by commercial providers, in government-only shared-cloud and agency-run data centers.
Hybrid environments add complexity as well as flexibility. They create more choices for information architects – and more seams that attackers will try to exploit. Here, experience matters. You don’t hire a novice climber to lead your expedition to a Himalayan peak, and the same applies as you try to mount a successful cloud security strategy.
Just as critical is ensuring your architecture can withstand the tremors and quakes that will inevitably come your way. Your architecture has to work regardless of circumstances – it must scale to meet changing demands over time. That new enterprise data collection tool sounds great at the start, but six months in, it’s cost-prohibitive to store all the data it generates, and the payoff is unclear. That’s another place where experience can help inform better decisions.
Today’s proliferation of cyber tools can be as much of a hindrance as a help. Better security does not necessarily mean more tools. It means making efficient and effective use of the best tools available. At GDIT, we’ve built a cloud-focused security stack from market-leading components to meet the Secure Cloud Computing Architecture (SCCA) requirements set by the Defense Information Security Agency. That, too, is experience at work.
When we helped one customer reduce the number of cybersecurity tools they were using, analysts were able to shift more time to critical problems and focused on more proactive threat hunting. They were spending less time maintaining disparate toolsets. The bigger payoff: improved cyber posture and fewer cyber incidents.
With new systems, experience saves time and effort in the race to earn the all-important authority to operate (ATO). Whether it’s assessing security controls or mapping out your security plan, we can get that work done faster because it’s something we do all the time. We’ve gained experience navigating hybrid and on-premise multi-cloud solutions wrapped in a common security stack and leveraging containers. Since we aren’t reinventing the wheel, the steps move more quickly.
Finally, there’s the question of scale. Enterprise solutions eliminate duplicative spending and enhance overall effectiveness. Rather than have separate solutions in each enclave or sub-agency, leaders should seek to scale solutions to support all those customers, providing the same level of security and cyber awareness across all those domains.
Adopting cloud services on that kind of scale takes vision and determination, but we are past the point where this is novel. Today’s solutions are proven and understood. What agency leaders need to do is focus on the fundamentals:
- Resilience. The more resilient you can make your architecture on Day 1, the fewer issues you’ll see in operations later on.
- Tools. Select foundational tools that give you broad situational awareness for your platform. Moving to the cloud does not outsource responsibility for understanding what’s happening on your systems.
- Automate. Artificial intelligence and machine learning are better suited to tracking system traffic and data logs than humans. That will free up your security analysts to dig into the big problems.
Today’s cloud offers a plethora of choices, many of them confusing. We frequently see initial forays into cloud that aren’t resilient and don’t scale well – and must be reengineered to be resilient and efficient.
Implementing a secure cloud solution is a process, more like building a car from a kit than driving one off the lot. All it takes is one mistake and your whole system can become vulnerable. An experienced partner is essential to the process.