Agencies need to prepare for the fact that when they go to the cloud, there’s a shared responsibility for protecting the data, Rubrik's public sector CTO says.
Federal IT shops have numerous irons in the fire: digital modernization, cloud adoption, zero trust and advancing overall cybersecurity. But the biggest challenge? Compliance can’t keep pace with cyberthreat actors.
Bad actors have no restrictions on how they operate, whereas the complexity of federal acquisitions can be a hindrance to implementing and operating capabilities at scale, said Travis Rosiek, public sector chief technology officer at Rubrik.
Agencies cannot detect and prevent every attack. That’s why they need to go above and beyond compliance and instead measure their success in the realm of cybersecurity by the agency’s ability to survive a cyberattack, Rosiek said.
“The cyberattack could be a sophisticated threat actor using a zero day vulnerability, it could be a human error misconfiguration, it could be an insider threat, or it could be a software supply chain attack,” Travis Rosiek, public sector chief technology officer at Rubrik, said during Federal News Network’s Cloud Exchange 2024.
“With the assumed breach mentality, you’re basically trying to redesign the network and environment under worst case conditions. So in the worst case condition, something bad is going to happen, and you need to protect the critical assets — the data systems in your environment — reconstitute them as quickly as possible, such that you minimize downtime in the field and for your customers. And you do so into a trusted known good state with the highest level of confidence.”
That’s why the standard agencies need to start holding themselves to is the ability to protect their data through a breach and recover as quickly as possible. But in a cloud environment, the scale, scope, speed and impact of cyberattacks are much greater, while the complexity of the environment makes it much more complex to defend. And that’s a particular challenge for agencies, as they struggle to compete with the private sector for talent with the skill sets to manage that complexity.
Further complicating matters is what Rosiek referred to as a “gap in understanding” about the shared responsibility model of protecting cloud environments and software as a service applications. The end customer, he said, is responsible for more of the protection of the data they push into cloud environments than they tend to realize. It doesn’t all fall on the cloud service provider.
“There was a misconception that if you go to the cloud, you’re going to have all of the security. All the security aspects are going to be solved. You’re transferring all of that risk from a cyber perspective,” Rosiek said. “There’s going to be a shared responsibility model that you can never just transfer 100% of that cyber risk, and the organization or the customer is going to still be responsible for certain things. And then when you move to the cloud, the necessity to upskill your security team and combine your IT operations, cloud operations and security operations teams is going to become more imperative.”
That’s becoming even more pertinent, as a recent Rubrik Zero Labs report found that the rate of data growth per organization is expected to grow by seven times what it is now over the next five years. That’s a massive amount of data.
Meanwhile, 94% of cloud tenants were targeted by threat actors in 2023, and of those, 62% were successfully compromised. Rosiek said data backups are high-value targets for threat actors. That’s where the majority of these attacks are targeted.
So how can agencies be more proactive about protecting their data as they move to the cloud?
Rosiek said the key is for agencies to reverse engineer their cloud migrations. Start with the desired end state: What is it, exactly? That needs to be defined early — doing something for the sake of doing it doesn’t make sense, Rosiek said.
He suggested starting with a cost-benefit analysis. What are the gaps in capabilities? In security? Does moving to the cloud fix those, and if so, how? How does that transition happen?
The biggest thing agencies can do, Rosiek said, is to have a plan that spans the entire organization. Moving forward in a single silo is a recipe for disaster that has gone wrong many times in the past. The entire enterprise needs to be engaged in the process as early as possible to avoid complications, he advised.
Then, it’s time to look at the environment from an adversarial perspective.
“What are avenues of attack? What are the worst case scenarios? What areas do we feel like we’re weak in, that an adversary could manipulate? How do we build in mitigations or segmentation, so if something bad happens, the impact is dramatically lessened?” Rosiek said. “I’m very much a fan of putting in place fail-safes or processes to mitigate or increase levels of assurance. Building for the desired state, a cyber- and data-resilient environment, we build security into the process from the beginning.”
Discover more articles and videos now on Federal News Network’s Cloud Exchange 2024 event page.
Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.