Cloud security and lessons from private sector

In this edition of CyberChat, host Sean Kelley, former chief information security officer of the Environmental Protection Agency, digs into cloud offerings,...


In this edition of CyberChat, host Sean Kelley, former chief information security officer of the Environmental Protection Agency, digs into cloud offerings, security and compliance and how Silicon Valley startups can help the government with cybersecurity and innovation.

Kelley was joined by Steve Grewal, former deputy chief information officer at the General Services Administration, and former CIO of the Education Department. Grewal is now the Chief Technology Officer of Cohesity and is a member of the Exabeam Advisory Board.

Grewal said there is a learning curve around the compliance frameworks when a company first enters the government ecosystem.

“Solution providers with emerging technologies that can really help the federal government struggle with how to onboard and get started from a compliance element,” Grewal said. “I would say that’s probably the biggest challenge as a solution service provider, whether you’re a product company or you want to do business in the federal space.”

Once a company makes the decision to do business with the government, Grewal said there are a variety of compliance elements and certification areas that have to be addressed. Grewal called them “investments where the ROI is a multiyear.”

A cyber hardening is a key focus.

“In the government, you have a variety of secured configurations, baseline standards or CIS benchmarks. These can be elaborate exercises to go through for a product, [so] the company has to benchmark it and harden it, and that really costs money,” Grewal said. “There is a good level of effort to this process and it’s not only a onetime process, it’s a continuous process.”

Grewal said a lot of security elements of cloud were underdeveloped when the Cloud First policy was first introduced in 2010.

“Now fast forward, here we are nearly 10 years later and we’re seeing more adoption,” Grewal said.

The adoption of cloud offerings has more to do with the fact that “we’re now in a perimeter-less world,” Grewal said. “Cybersecurity is more focused on data and software-defined perimeter where as in the past, the focus was on protecting the physical boundaries. Now, it is protecting the logical boundaries.”

Another focus in the government is identity management and credentials.

“If you look at a lot of cyber-attacks, always the common theme is credentials. When you’re looking at your enterprise security architecture, you’re thinking about proliferation, you’re thinking about fragmentation, you’re thinking about all these sources of data transactions growing. [But], you really need solutions that can scale from a threat landscape perspective, cover all your onsite assets and your off-site assets,” Grewal said. “So, it’s scalable solutions and technologies.”

Takeaways:

  • The federal acquisition service is much stronger as one voice/one buyer when it comes to negotiations and contract procurements to leverage the buying power.
  • The government has to move towards doing IT in a unified way. This will greatly increase the continuum of maturity. Some organizations are still struggling with legacy IT while others are on the bleeding edge. Given an agency’s strategic roadmap — where they want to go, what they want to do — organizing and coordinating the timing of those efforts is another challenge.
  • We are starting to see some of the consequences of not having centralized control of the cloud spend. Agencies didn’t necessarily have the visibility, monitoring and policy controls. With the implementation of Cloud Access Security Brokers (CASB) and other technologies, agencies have centralized policy control across that entire ecosystem of cloud services.
  • From a best practices, cyber health and hygiene perspective, agencies will start to focus on behavioral aspects to successfully secure an agency.
  • Silicone tech companies should partner with an established federal contracting company to avoid costly mistakes. There is a learning curve around the compliance frameworks, understanding the language and contract vehicles when a company first enters the government ecosystem.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories