The software and infrastructure leader at Maximus shares why agencies need to revise cloud security tactics.
Agencies should revise their cybersecurity approach when dealing with cloud applications and infrastructure. Why? Because cloud, as a shared model, has different “contours” than government data centers, Maximus’ Frank Reyes said.
“We’re starting to see where the existing tools, processes and even skill sets are a little bit lacking in that new operating model of being in the cloud,” said Reyes, managing director for software and infrastructure capabilities at Maximus.
As an example, he pointed to passwords and credentials. In the traditional way of working, a database administrator maintains the database of login and authentication information. That’s not how it necessarily works in the cloud, though, Reyes said during the Federal News Network Cloud Exchange 2024.
In the cloud, DevSecOps and cloud engineers are provisioning databases and controlling credentialing. That means “taking those credentials, those passwords, that login information and centralizing them has to be a new muscle memory for an organization,” he said, and added, “It’s the same thing in the other piece parts of computing, networking and storage.”
Besides new cybersecurity skills, agencies need to develop chops in at least one other important cloud technology, Reyes said. Realizing maximum flexibility and economy in the cloud, he said, requires knowing and understanding containers and containerization. Plus, containers can help manage security risks as well.
Containers — reusable software modules each with a highly specific function — have superseded virtual machines in efficient cloud operations, Reyes said. The skill needed involves using containerizing tools to render elements needed for a workload, then optimizing container sizes so as to use only the cloud resource necessary for the workload.
“We want to keep each container small as possible to make it just do exactly what that container needs to do in your application,” he said. “Because these containers are brought up dynamically — and they are eliminated dynamically — they’re only brought online when they’re needed. So you want to keep them as small as possible.”
Containerizing itself changes how IT staffs go about cybersecurity and software development itself, Reyes said. Containers must communicate with one another to form workloads, but they also must remain secure.
Reyes named the steps of writing code, establishing a development pipeline, creating a reusable image and storing it in a repository, and then orchestrating the entire process. It all means acquiring skills in new tools and operating methods, he said.
Because containers have dynamic IP addresses, hackers have difficulty attacking them, Reyes noted. Yet sending malicious code even to a dynamic IP address poses a threat when the address gets reassigned to another container.
“That’s actually one of the challenges, when you have container workloads and you’re using, I would argue, legacy security tooling that just looks at vulnerabilities as an IP address,” he said. Agencies should therefore look at emerging, container-oriented security tools that give visibility into the containers themselves.
Cloud-native application development pipelines tailored for cloud infrastructures mean that, ultimately, security operations centers (SOCs) must modernize, Reyes said. Government SOCs need to move away from the traditional model of monitoring logged activity and toward what he called a CyberOps mode, he said.
“They’re going to have to start changing their operating model to account for this new ecosystem. You have to have these integrated teams that really are with developers, and the teams that are responsible for maintaining and operating the capability once in production, working together.”
Discover more articles and videos now on Federal News Network’s Cloud Exchange 2024 event page.
Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
Tom Temin is host of the Federal Drive and has been providing insight on federal technology and management issues for more than 30 years.
Follow @tteminWFED