The cloud is an increasingly attractive prospect for federal agencies, but many still have unanswered questions about how public cloud security stacks up. With the president’s recent cybersecurity executive order emphasizing the shift to the cloud, agencies will have to move quickly to comply. Below are five questions that federal technology buyers should ask public cloud providers to see if they have what it takes to store and manage federal data securely.
Many customers are not aware that some major cloud providers do not allow penetration testing. While this makes sense because it could damage the cloud that other customers rely on, it also creates challenges for IT managers. Similarly, agencies may not know how to audit applications and aren’t sure what they are allowed to audit in a public cloud. The only course available with these vendors is to run the denial-of-service attack and see if the application will survive the load. To avoid this scenario, choose a solution that allows auditing and testing.
These questions should be answered when applications, especially custom applications, are being designed, not after they’re in production. Nowadays, when an agency is thinking about applications, it needs to make sure the apps are cloud-ready. This means not only asking if the app can run on Amazon or Microsoft but making sure it can be inspected deeply through APIs versus through just a gateway. A gateway is not going to do any good when everything is encrypted in between.
Agencies should also consider which applications truly need to move to the cloud, and in what time frame. Migrating to the cloud is more complex than “lift and shift;” customers must ensure that their apps will have the support they need and that they will be able to retrieve all the apps’ data.
Security should scale with the cloud infrastructure itself and provide transparent protection without slowing down business operations. Cloud environments need super-fast physical firewalls that provide highly scalable data center and network security protection at the edge of the private cloud. They also need virtual firewalls that provide north-south protection for public clouds and east-west protection for data and transactions moving between devices in the cloud. High-performance firewalls and network security appliances must scale vertically to meet performance and volume demands as well as horizontally to seamlessly track and secure data from the internet of things and endpoints -- across the distributed network and data center and into the cloud.
A cloud provider’s underlying security infrastructure should offer automatic awareness of dynamic changes in the cloud environment to ensure holistic data safety. It’s no longer sufficient to detect bad traffic or block malware using discrete security devices. Security in private and public clouds should be integrated into a security information and event management solution with other analytic tools (such as big data security analytics) to gather and correlate data. This will enable automatic orchestration of changes to security policy and posture in response to detected incidents and events. The individual elements must work together as an integrated and synchronized security system with true visibility and control.
Because pooling resources through technologies such as virtualization and software-defined networking creates significant IT efficiencies, cloud environments have become increasingly aggregated -- to the point where entire data centers can be consolidated. If a cybercriminal or advanced threat breaches the cloud perimeter via a single vulnerable application, there’s usually little to protect critical assets within the flat and open internal network. To mitigate the serious potential for damage and loss, organizations should separate business units and applications. Networks should be intelligently segmented into functional security zones to control east-west traffic.
End-to-end segmentation offers deep visibility into east-west traffic moving across the distributed network, limits the spread of malware and enables the identification and quarantining of infected devices. A strong end-to-end segmentation strategy includes internal segmentation firewalling across data centers, campuses and local offices, as well as secure micro-segmentation for SDN and cloud environments.
With a mandate from the White House to migrate to the cloud, federal agencies are feeling the pressure to make the shift quickly yet securely. Agencies must vet their options thoroughly to ensure the choices they make keep government and citizen data safe. Asking the five questions above will help rule out unsatisfactory solutions and provide a firm foundation for the government to enjoy greater security, efficiencies and cost savings.
This blog post originally appeared in GCN.