Insight by Veeam Government Solutions

Cloud Exchange 2022: Don’t leave agency data up in the air — establish backup and compliance for cloud-native workloads

FedRAMP provides a baseline of security for federal cloud services. But it’s not enough because adversaries increasingly target cloud environments, says Veeam...

This content is provided by Veeam Government Solutions.

The pandemic sparked a massive increase in the federal government’s push to cloud to facilitate remote work and meet the security requirements that prompted. Then, in May 2021, President Joe Biden signed an executive order mandating agencies “accelerate movement to secure cloud services,” pouring more fuel on the fire. But this rapid pace has caused certain details to get lost in the shuffle, and that’s left many agencies and their data vulnerable.

Agencies have an advantage: Their cloud services are all pre-vetted through FedRAMP and other federal compliance regulations, meaning agencies can expect a higher baseline of security than the average cloud services consumer. But that doesn’t mean they can get complacent. The World Economic Forum’s global risk support says 95% of all security breaches are due to human error. The most secure infrastructure in the world doesn’t mean a thing if it’s not configured properly.

Forward-thinking cloud security strategy

That’s why agencies need to invest in backup and recovery for their cloud-native applications, especially those that use Kubernetes.

“Red Hat does the state of Kubernetes security report every year. This year, what they found when they surveyed folks about what was going on with Kubernetes, with cloud native containerized environments in 2021, was that 93% had had a security incident in their Kubernetes environment last year, and 22% of surveyed organizations had failed an audit for their Kubernetes cloud native environment in the previous year,” said Jeff Reichard, vice president for public sector and compliance strategy at Veeam Government Solutions.

And that’s not all. Veeam frequently conducts its own research, and its recent ransomware survey found that 52% of 1,000 organizations that had been hit with ransomware in the past year said it affected their data center resources. This wouldn’t be unexpected. But 51% said it affected their cloud workloads, which many organizations might not expect.

“Just because I’m now running in a super secure hyperscale data center, run by a multibillion dollar corporation that is a household name all around the world, that doesn’t mean that ransomware adversaries can’t still affect my workloads. They absolutely can,” Reichard said.

That’s why it’s so important to have a mature development, security and operations stack. Modern DevSecOps environments are typically built on Kubernetes and contain a wide variety of commercial and open source tools. Although hybrid environments are the rule for federal agencies, Kubernetes and DevSecOps only amplify that. It’s not unusual for an agency to have containers running in several different environments at once, with application data located across structured and unstructured cloud and on-prem resources. That’s why they need a Kubernetes-native solution to protect their data at the application level, Reichard said.

Organizations new to Kubernetes often try backing up their DevSecOps stacks using storage snapshots, virtual machine backups or a combination of methods driven by scripts. These methods typically break down due to cost, complexity and data loss driven by the inherent hybrid complexity of modern Kubernetes environments, he said. Many organizations have resolved that situation by switching to a Kubernetes-native backup product like Veeam Kasten K10.

Accelerating the ATO process

Making data protection part of the Kubernetes-native DevSecOps cycle can also help agencies accelerate the long, exacting process to achieve an authority to operate for their applications from an agency.

As one example, the National Institute of Standards and Technology’s Special Publication 800-171 specifies controls for handling confidential unclassified information. Among other things, NIST SP 800-171 requires media protection for both the data and application software used to process CUI. Application software must be protected in such a way that individual versions of software being used by agencies can be rolled back if necessary.

Satisfying these controls can be time-consuming. One large federal systems integrator previously found that it often took them anywhere from 45 to 60 days to prepare a development environment to write code in a way that would satisfy a potential audit. But by implementing certain services to shift security left, including a Kubernetes-native data protection component like Kasten K10, that timeframe can be shortened to as little as four to five days, Reichard said.

The Veeam product specifically builds data protection as code into the commits and pulls from code repositories. So every time a piece of code gets committed, it gets scanned to ensure compliance with required data protection policies. That way developers know any code they pull from that repository is already compliant. That can help organizations achieve continuous ATOs.

“If you think about the advantages for the agency that’s contracting for that, instead of two months of work before they get any useful work product back, they have only a week to wait before their contractors become productive. It’s a sea change,” Reichard said. “And with an agile, modular development process where you are constantly developing pieces of the application, if one of them is bad, it fails as a tiny little module. You don’t have a great big monolithic construct that failed entirely. And so the potential for accelerated capabilities and for cost savings for taxpayers from going into this model are just huge.”

Check out more from the Federal News Network Cloud Exchange 2022.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories

    (Getty Images/Wavebreak Media/Wavebreakmedia Ltd)

    Tips for agencies to improve cloud security posture

    Read more