Palo Alto Networks Prisma architect says agencies need to be “a lot more intentional” about scaling their cloud cybersecurity alongside their cloud operatio...
The federal government’s ongoing shift to the cloud has helped agencies improve their cybersecurity posture. But at the same time, the use of cloud computing also brings with it new risks and security models.
Eden Tesfay, Prisma cloud solutions architect at Palo Alto Networks, said the security model has changed dramatically from the traditional perimeter security approach.
“When we go to the cloud, we operate in a boundaryless, fluid environment,” Tesfay said during Federal News Network’s Cloud Exchange 2024. “Our data is going to be leaving our on-premise network. It’s going to be in the cloud service provider, and we are looking at not only lifting and shifting applications, but we’re also looking to modernize those applications. We’re looking to really take advantage of the cloud so that we can reap benefits.”
In the cloud, the agency and the cloud service provider (CSP) each secure different layers of the IT environment. The division is spelled out in the provider's "shared responsibility model": the CSP secures the underlying infrastructure, while the customer remains responsible for how it configures and uses the services, including its data, identities and access controls.
“The security operation model for the cloud requires us to be a lot more intentional,” Tesfay said. “It requires us to define and understand how we scale our security operations alongside our cloud and our cloud operations. And it allows us to rethink and redesign the processes that we have for on premise to fit the dynamic nature of the cloud.”
One of the main concerns for agencies and other organizations moving to the cloud is data security. Data is frequently cited as one of the least mature of the zero trust pillars for federal agencies as they adopt zero trust architectures.
“The typical security risks that we see that expose them to the data security risks are misconfigurations,” Tesfay said. “When we think about cloud services and how they’re spun up, it’s not very easy to standardize. Because every application requires unique needs. And if we go a layer deeper, and we talk about new ways of architecting applications and microservices, every container has requirements, every functionality has requirements that are dynamic, that change.”
Under the Cybersecurity and Infrastructure Security Agency's Zero Trust Maturity Model, visibility and analytics, and governance, are cross-cutting capabilities that organizations should build across every pillar. But Tesfay said both can be difficult to achieve, especially when cybersecurity is treated as an afterthought during cloud migrations.
“There’s really no end-to-end visibility across cloud operations, and being as it’s multicloud, that complicates it [further],” Tesfay said. “So the main things that I see as a hiccup for customers that I’ve worked with is they incur too much technical debt. So to make any progress at all in their migration journey, they have to try to go into a greenfield environment. They have to walk it back to define a strong foundation.”
Tesfay said it can also be cumbersome to apply zero trust's principle of least-privilege access when an organization has a multitude of users and cloud services with permission to access other services in the cloud, but has no visibility into access patterns across its multicloud deployments and no method for governing overly permissive identities.
Threat actors frequently exploit overly permissive identities to escalate privileges within an environment.
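The least-privilege gap Tesfay describes, and the misconfiguration risk she raised earlier, can be checked mechanically against the policy documents a cloud account actually holds. The following is an added example, not code from the article or from Palo Alto Networks. It assumes AWS-style IAM JSON policy documents (Effect, Action, Resource, Condition); the two sample policies, the bucket and role names and the account number in them are constructed for illustration.

```python
"""Lint IAM-style policy documents for overly permissive grants.

Added example; not code from the article or from Palo Alto Networks.
Assumes the AWS IAM JSON policy grammar. The sample policies at the
bottom are constructed for illustration.
"""
import fnmatch
import json

# Actions that change who holds which permissions. An Allow for one of
# these on Resource "*" with no Condition is the classic escalation path:
# the identity can grant itself, or a role it controls, broader access.
ESCALATION_ACTIONS = (
    "iam:AttachRolePolicy",
    "iam:AttachUserPolicy",
    "iam:CreateAccessKey",
    "iam:CreatePolicyVersion",
    "iam:PassRole",
    "iam:PutRolePolicy",
    "iam:PutUserPolicy",
    "iam:UpdateAssumeRolePolicy",
    "sts:AssumeRole",
)


def _as_list(value):
    """IAM accepts a bare string wherever a list is allowed; normalize."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _finding(statement, severity, reason):
    return {"statement": statement, "severity": severity, "reason": reason}


def analyze_policy(policy):
    """Return one finding dict per overly broad Allow statement, in order."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        any_resource = "*" in resources
        conditioned = bool(stmt.get("Condition"))

        if "*" in actions and any_resource:
            findings.append(_finding(idx, "critical",
                "Action '*' on Resource '*' grants full control of the account"))
            continue
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(_finding(idx, "high",
                    f"wildcard action {action} covers an entire service"))
            # IAM action names are case-insensitive and use '*' and '?' as
            # wildcards, which fnmatch reproduces over lower-cased names.
            escalators = [e for e in ESCALATION_ACTIONS
                          if fnmatch.fnmatchcase(e.lower(), action.lower())]
            if escalators and any_resource and not conditioned:
                findings.append(_finding(idx, "high",
                    f"{action} on Resource '*' without a Condition enables "
                    f"privilege escalation via {', '.join(escalators)}"))
    return findings


def analyze_policy_json(text):
    """Same check over a policy document as stored in the cloud (JSON text)."""
    return analyze_policy(json.loads(text))


# Constructed sample: what an over-provisioned role often looks like.
OVERLY_PERMISSIVE_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "iam:PassRole"],
     "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}
  ]
}"""

# Constructed sample: the same job scoped to one bucket and one role, with
# PassRole conditioned on the service that may receive the role.
LEAST_PRIVILEGE_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::agency-reports/*"},
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/ReportBatchRole",
     "Condition": {"StringEquals": {"iam:PassedToService": "batch.amazonaws.com"}}}
  ]
}"""

if __name__ == "__main__":
    for name, doc in (("overly-permissive", OVERLY_PERMISSIVE_JSON),
                      ("least-privilege", LEAST_PRIVILEGE_JSON)):
        print(name, json.dumps(analyze_policy_json(doc), indent=2))
```

Run against the two samples, the first policy yields a critical finding for statement 0 and a high finding for the unconditioned `iam:PassRole` on `Resource "*"` in statement 1; the Deny statement is skipped, and the scoped policy yields nothing. The check is a heuristic, not an authorization engine: some actions do not support resource-level permissions and legitimately require `Resource "*"`, so the output is a worklist for an identity owner to review, and in practice the input would be every policy pulled from the account through the provider's API rather than documents embedded in the script.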
“These are the risks that organizations and agencies have to be aware of when thinking about cloud migration and getting started,” Tesfay said. “Even if you are in the middle of a cloud migration journey, even if you have cloud presence, there’s always a need for defining a unified security approach to your responsibilities in the cloud.”
“AI is going to help our agencies and our organizations understand best ways to optimize their workload — refactor applications much faster,” she said. “And in that same way that AI is going to help us, I think that it’s going to introduce new security risks.”
Agencies such as CISA have warned about the potential for AI to exacerbate cyberattacks and other digital threats.
Threat actors, Tesfay said, will be able to “reverse engineer and understand how to exploit different applications. They’re going to be able to be fast in finding different threat vectors within our environment.”
What’s more, agencies will also have to build AI applications with security in mind. CISA, the National Security Agency and other government partners in April issued guidance on deploying AI systems securely.
Tesfay said software development practices like DevSecOps will be crucial in ensuring that AI applications use both trustworthy data and code.
“We have lots of data, and we have the mathematical model. So it’s algorithms that are going to train and learn from that data. And we have the application, where that intelligence is surfaced for us to interact with,” she said. “So if you’re looking at it from those building blocks, then securing the code and also the continuous integration and continuous delivery — or CI/CD — process is equally as important as securing the data. And ensuring that we’re able to have end-to-end visibility into our AI application is imperative. That is DevSecOps. DevSecOps is ensuring that security is job zero and that it is a shared responsibility amongst all stakeholders.”
Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
Follow @jdoubledayWFED