As agencies embrace multicloud architectures, they are also starting to think about how they should architect their security posture differently.
“When you move from a traditional data center to a multicloud environment, many things change in terms of security,” Jason Ni, principal cyber architect for the Leidos Civil Group, said during the Federal News Network Cloud Exchange 2022. “Traditionally you could deploy a firewall, [intrusion prevention system] and that type of security tool to a brand new environment that embraces today’s modern cloud-based technologies, which also bring in a new set of cloud tools that we had never seen before.”
The White House Office of Management and Budget has directed agencies to adopt a zero trust architecture for their networks by the end of fiscal 2024. The strategy rests on the idea that system owners should verify “anything and everything attempting to establish access,” according to the federal zero trust strategy.
Identity takes center stage
The shift means “identity is really becoming the new perimeter” for network infrastructure, said Richard Wheeler, enterprise network solutions architect at Leidos.
“That identity becomes really that control point, if you will, for access to both the resources, applications and the datasets that are in there,” Wheeler said. “For us to safeguard access to the data, it’s critical that identity becomes the hallmark for everything that we’re doing, both for the user, but also for the device.”
The approach will ultimately rely on “policy decision points,” or PDPs, established by agency customers but ideally embedded within a cloud service provider’s infrastructure, explained Wheeler. PDPs will rely on metadata associated with user identity to make risk-based decisions about whether or not to allow a specific user to access certain types of data.
“I can’t afford to have that centralized and then backhaul all that traffic or make all those decisions centrally, and then try to push that back into the cloud environment for enforcement,” Wheeler said. “It’s really important that we have a distributed zero trust environment that works across all of the different clouds. And as I bring multiple clouds together, I need to replicate that across multiple cloud instances, so that I have an effective enforcement at the edge, at the server, at the resource in real time, so that as incidents are occurring, I can shut that off and stop that access immediately without having latency involved.”
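As an added illustration of the PDP model Wheeler describes (example code, not from Leidos or the article), the sketch below evaluates an access request from user and device identity attributes against the requested dataset's classification, and shows an incident-driven revocation taking effect at the local decision point on the next evaluation. The attribute names, classification levels and risk thresholds are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed data classification levels, lowest to highest (assumption for this example).
CLASSIFICATION_RANK = {"public": 0, "internal": 1, "sensitive": 2}
# Maximum tolerated risk score per classification: sensitive data requires a clean posture.
MAX_RISK = {"public": 4, "internal": 2, "sensitive": 0}


@dataclass
class AccessRequest:
    user: str
    clearance: str        # identity attribute asserted by the identity provider
    mfa: bool             # whether the session authenticated with MFA
    device_managed: bool  # device identity: enrolled and compliant
    resource_class: str   # classification of the dataset being requested


@dataclass
class PolicyDecisionPoint:
    """One PDP instance per cloud so decisions are made at the resource,
    not backhauled centrally. Incident state is replicated into it as a
    revocation set, which is checked before any other attribute."""
    revoked_users: set = field(default_factory=set)

    def revoke(self, user: str) -> None:
        # Incident response hook: flagging an identity denies its next request.
        self.revoked_users.add(user)

    def risk_score(self, req: AccessRequest) -> int:
        score = 0
        if not req.mfa:
            score += 2
        if not req.device_managed:
            score += 2
        if CLASSIFICATION_RANK[req.clearance] < CLASSIFICATION_RANK[req.resource_class]:
            score += 10  # clearance below data classification is disqualifying on its own
        return score

    def decide(self, req: AccessRequest) -> tuple[str, str]:
        if req.user in self.revoked_users:
            return "deny", "identity revoked by incident response"
        score = self.risk_score(req)
        if score > MAX_RISK[req.resource_class]:
            return "deny", f"risk score {score} exceeds limit for {req.resource_class} data"
        return "allow", f"risk score {score}"
```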
Maintaining an always-on monitoring approach
Last August, OMB also directed agencies to adopt improved logging, log retention and log management capabilities to ensure agencies have “centralized access and visibility for the highest level security operations center of each agency.”
That task becomes more complicated in a multicloud environment, but as Ni explains, “visibility is still the king.”
“You need to bring in a lot of the modern technology into cloud for using data analytics and machine learning,” Ni said. “In addition to the same tools that we used to have, you can automate a lot of these detections and also bring intelligence from different data feeds — and then act in a much faster fashion and provide better incident response capabilities.”