Just about every federal agency uses cloud computing to some degree. Some no longer have their own data centers.
Four non-profits recently banded together to come up wide ideas for better cloud computing security. Just about every federal agency uses cloud computing to some degree. Some no longer have their own data centers. Joining the Federal Drive with Tom Temin with what the cloud safe task force came up with, from the MITRE Corporation, the director of strategic engagement and partnerships, Dave Powner. And the senior principal cybersecurity engineer, Mari Spina.
Interview Transcript:
Tom Temin And just tell us briefly about the organizational setup that led to this. Who’s on the task force along with MITRE?
Dave Powner Yeah. So, Tom, just a little background on this. So, there were some recent breaches that kind of caught the attention of policymakers, in particular members of Congress. There were some letters floating around going out to certain federal agencies based on these recent attacks. And we actually got together with three other groups. One was the Cloud Security Alliance, which represents a lot of industry cloud service providers, the IT Acquisition Advisory Council, and ATARC. So, John Yoe, John Weiler and Tom Souter and MITRE are we all kind of got together and we thought we had the government in place as well as industry, and we said, okay, let’s look at what’s happening out there. What are the big challenges and what do we need to do to fix this?
Tom Temin We certainly had everyone you need there under the tent. And I guess my second question is, is there anything we don’t know yet about cloud security? It must be about the most studied thing. You know, there is these days.
Mari Spina So David and I were talking about it just this morning. It’s not really rocket science. The issue generally is with management. It’s quite a difficult thing to manage. The other thing is that we’re kind of in an asymmetric battlefield. The adversary goes against our systems every day, all day finding our vulnerabilities. And we show up with compliance checklists, you know, and a point in time monitoring. We need to start thinking about leveling that battlefield.
Tom Temin We need to show up with baseball bats, you might say.
Mari Spina Yeah.
Tom Temin Well, the recommendations and the lists that you come up with, these are for people that are using cloud computing services commercially. Or is it for the commercial cloud providers themselves?
Dave Powner Clearly both, Tom, when you look at it. So, if you look at the challenges that are out there, if you look at the government side of things, you know, there are challenges to improve our certification, how we use third party assessors in that certification. So that’s on the government side, you know, can we make it quicker and cheaper and have the reauthorization process better? Sure. So, government owns that, right. But then on the industry side, can industry be more transparent with what their cloud environments entail? And, you know, can they help the government with how we monitor, with real time monitoring the metrics that Mari just mentioned? I mean, right now we measure cyber with a lot of lagging metrics, and can we do things in the cloud that we really could get real time monitoring of our cloud environments. And that’s where, you know, we would want help from industry on that. So again, I think it’s both the industry and government. They own it. They both have opportunities to improve. And that’s kind of where our recs lead, Mari.
Mari Spina The other thing is that our task force is really focused on a whole of nation approach, which is why we needed to bring in government. We needed to bring in industry. And the players that we have on it are really key to that.
Tom Temin And I wanted to ask you a question with respect to the multi-layered aspect. That is to say, an agency creates a workload and maybe it ran in their data center. So, it has to be secure and has to have not buffer overflow and everything else that goes into cyber security. But then it’s loaded into a cloud. So, if something is in a cloud and it’s secure, do you still have to worry about cloud security? Or by the same token, if you accidentally upload something that is vulnerable, can it be protected by virtue of being in that commercial cloud? That makes sense.
Mari Spina Yeah, so understand that we practice the shared responsibility model. And then you and I were talking about it. I actually published a framework a couple of years ago on it. When you move to the cloud and you put your workloads in the cloud, you’re talking about things you trust, things you use and things you deploy. And so, the things we trust and the things we use are managed and developed, provided by the cloud provider. And so those really do have to be secure, but you have to use them in a secure way as well. So, we need to get that balance correct.
Tom Temin And I guess what was the reaction of the big cloud service providers to this effort. Because, you know, you don’t just go up to Amazon and Microsoft and say, hey guys, you know what?
Mari Spina You know, it was.
Dave Powner They were very receptive, Tom. In fact, this is where the Cloud Security Alliance really came in, because they represent a lot of those CSPs. And I do think, you know, if you look at industry side of the House, there is some frustration with the certification processes. You know, can we make those quicker and cheaper? You know, when we have a certified environment and there’s an upgrade, can we go through a reauthorization or a certification much quicker than we currently do? Sure, we can improve those things. And then also too, if you look at like reciprocity across certain programs, CMMC, FedRAMP, you know, there’s a lot of opportunities to have reciprocity across the many programs, certification programs in the government. So that’s where I think industry, you know, when we got into this discussion about, you know, how transparent they should be, you know, that gets a little more sensitive in the whole bit. But there’s a lot of things they want to do to push the government to be more nimble and quicker. And at the end of the day, we want to be nimble and quick and secure. Better. That’s really what this task force is about.
Tom Temin We’re speaking with Dave Powner. He’s director of strategic engagement and partnerships and with Mari Spina, senior principal cyber security engineer, both at the MITRE Corporation and both part of the Cloud Safe Task Force. And maybe let’s review top line of what are some of the major recommendations you came up with. What should people do differently now that are let’s start with people that are using commercial cloud services. Mari.
Mari Spina There’s a couple of things that we’ve been kind of focused on continuous monitoring. We’d really like to move into continuous testing. Right. So, we’re doing more like the adversary. We’re actually going against our own systems and finding our own vulnerabilities before they do. That would really help. We think that moving assessment and accreditation operations to the left into the development pipeline can actually save some money. The notion of reciprocity at scale, this concept where the cloud providers get a lot of security certifications, and then they have to go apply for FedRAMP or DoD authorization. And it’s really onerous and to some degree actually really limits small business. So, we don’t want to do that, particularly when the small business innovation is about security. The other thing we’d like to see is zero trust. The government is pushing hard on zero trust. We like to see the cloud providers adopt that. We also think, and a whole of government approach, incentive for the cloud providers to actually operate securely, to be more open with their information and to share and to help us all to get better. And so that’s sort of the whole of government. And we also believe that AI/ML really has a place in cybersecurity, in the monitoring and threat detection and vulnerability analysis, that kind of thing.
Dave Powner And all these opportunities that Mary is highlighting. So, you know, what do we do with those? So, there are opportunities for on the congressional side of the House is we update there could be a standalone bill on, you know, securing the cloud. It could be a major component of the FISMA rewrite. We keep working on FISMA, but it doesn’t get passed. We’re still up with the 2014 version, right? So, there’s an opportunity in Congress and there’s also an opportunity if you look over at the White House with OMB, their last cloud smart policy was 2019. So, we’re now five years into it. And Mari came up with the term. You know, it would be great if the next cloud update was called Cloud Safe with the real emphasis on security.
Mari Spina So remember, Tom, we had Obama had Cloud First. And that was about using managed services to gain economies of scale. That was really good. And then President Trump came up with Cloud Smart, which said, hey, let’s do the acquisition, right. Let’s include security with it. But really, Cloud Safe is more a whole of government, whole of industry, whole of nation. We really want to get down to brass tacks and focus on security.
Tom Temin And yes, and we’ve talked about some of the recommendations for users. What would you have the big cloud service providers and maybe the not so big ones do differently.
Mari Spina So one thing and I know I, I think I caught David’s ear on this one day. It makes me laugh. I said, look, David, when I wake up in the morning, I check the weather, I check Dow futures and I want to check my cloud security dashboard. I want to know if I got to take action today and move my workload to another cloud. I want to know if we’re going to get hacked. So, this kind of real time reporting, almost a business intelligence, you know, that’s one of the things that, you know, we’d like to see in this whole thing.
Tom Temin And Dave, how all these recommendations get promulgated. You’ve got organizations together with MITRE here that you mentioned that have a lot of reach.
Dave Powner So a couple of things, Tom. And one, we really appreciate you highlighting this, because I think getting the word out through Federal News Network and other sources is a great start. But we are in addition, we are having discussions with OMB on this topic. We’re having discussions with congressional committees of jurisdiction. And the other thing we’re going to do is it’s not going to be a one and done time. We actually have additional meetings planned where we’re going to dive into these topics in greater detail. If you look at our paper and our recommendations, there’s a nice roadmap for recommendations, but we want to get into more specifics so that when legislation is being put in place and when there is an update to the cloud smart policy, we want to have even more meat on the bones. So again, we’re going to have those conversations with the key policymakers. And then we’re going to follow up with more detailed sessions. And there will be announcements on the ATARC and MITRE websites of these upcoming events. First one will be in April, and we welcome anyone who has anything to add to this discussion to come and join us.
Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
Tom Temin is host of the Federal Drive and has been providing insight on federal technology and management issues for more than 30 years.
Follow @tteminWFED