Cloud security has come a long way since the Obama administration launched the Federal Risk and Authorization Management Program (FedRAMP) in 2011.
The cloud security program is leaner. Its processes are smoother. And, for the most part, it’s working quite well.
But Dave Zukowski, a principal technical consultant for public sector at Akamai, said the one thing that still is missing is a greater understanding of why it’s so important.
“Consider FedRAMP, similar to the Agriculture Department when you go to a meatpacking plant, it verifies that the processes have been followed, and that what’s coming out of that plant is basically consumable for humans. So it’s the similar approach to the cloud service offerings,” he said during Federal News Network’s DoD Cloud Exchange. “Someone’s done an assessment, the third-party assessment organizations, they’ve looked at all these things that are coming together, and they said, ‘Okay, this stuff is capable to run government and military workloads,’ but it doesn’t stop there. Just like when the ingredients hit the supermarket, they don’t stop there either. If you don’t cook a piece of chicken appropriately, you’re going to get salmonella. And that’s essentially how all this works, FedRAMP gives you a basis to start with. Too many people have kind of grabbed onto that as the end game. And it’s not, it’s really the beginning of the journey.”
Too much of the time, agencies view FedRAMP and its security control baselines at the Low, Moderate and High impact levels as a ceiling of sorts instead of the floor.
“As an experiment, one of my teammates and I one day turned on an instance of SQL Server in the cloud, which is FedRAMP’ed. We just turned it on and watched. We had monitors and logs going on there. And within an hour, we saw traffic and potential penetrations coming in from China. That’s akin to just grabbing a piece of chicken and biting into it raw and hoping you don’t die,” Zukowski said. “Once you kind of understand that’s the philosophy of the cloud, they’re really easy to turn on but it doesn’t mean that the easy things are the right thing. You got to make sure you’re putting in the proper security groups. You’ve got all the right incident response in place. You’ve got operational monitoring, password management and all that stuff still exists, but the cloud just makes it easier to operationalize a lot of that work compared to on-premise.”
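The security group mistake Zukowski describes, a database port reachable from the whole internet, is easy to catch before the traffic from China shows up. The following is an added example written for this page, not code from the article or from Akamai: it audits ingress rules shaped like AWS EC2 security group permissions for sensitive ports open to world-routable CIDRs. The three security groups, the port list and the field names are constructed for the demonstration.

```python
"""Added example (not from the article): flag sensitive ports that a cloud
security group exposes to the whole internet. Rule shape loosely mirrors
EC2 ingress permissions; all data below is constructed for the demo."""
from ipaddress import ip_network

# Ports that should never be reachable from 0.0.0.0/0; 1433 is SQL Server.
SENSITIVE_PORTS = {22: "ssh", 1433: "mssql", 3306: "mysql", 3389: "rdp", 5432: "postgres"}


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0 (prefix length zero covers every address)."""
    return ip_network(cidr, strict=False).prefixlen == 0


def rule_covers_port(rule: dict, port: int) -> bool:
    """Protocol -1 means all traffic and covers every port; TCP rules use a range."""
    if rule["protocol"] == "-1":
        return True
    if rule["protocol"] != "tcp":
        return False
    return rule["from_port"] <= port <= rule["to_port"]


def find_exposed_ports(security_group: dict) -> list:
    """Return (port, service, cidr, description) for every sensitive port that
    some ingress rule opens to a world-open CIDR, ordered by rule then port."""
    findings = []
    for rule in security_group["ingress"]:
        for cidr in rule["cidrs"]:
            if not is_world_open(cidr):
                continue
            for port, service in sorted(SENSITIVE_PORTS.items()):
                if rule_covers_port(rule, port):
                    findings.append((port, service, cidr, rule.get("description", "")))
    return findings


# Constructed: the "just turned it on and watched" group.
WEAK_SG = {"name": "sql-server-default", "ingress": [
    {"protocol": "tcp", "from_port": 1433, "to_port": 1433,
     "cidrs": ["0.0.0.0/0", "::/0"], "description": "SQL from anywhere"},
    {"protocol": "tcp", "from_port": 3389, "to_port": 3389,
     "cidrs": ["0.0.0.0/0"], "description": "RDP from anywhere"},
]}

# Constructed: the corrected group; only the app subnet and bastion range get in.
HARDENED_SG = {"name": "sql-server-hardened", "ingress": [
    {"protocol": "tcp", "from_port": 1433, "to_port": 1433,
     "cidrs": ["10.20.30.0/24"], "description": "SQL from app tier only"},
    {"protocol": "tcp", "from_port": 3389, "to_port": 3389,
     "cidrs": ["10.0.0.0/8"], "description": "RDP from bastion range"},
]}

# Constructed: an "allow all traffic" rule, the worst case a default template can ship.
ALL_TRAFFIC_SG = {"name": "allow-all", "ingress": [
    {"protocol": "-1", "from_port": -1, "to_port": -1,
     "cidrs": ["0.0.0.0/0"], "description": "all traffic"},
]}

if __name__ == "__main__":
    for sg in (WEAK_SG, HARDENED_SG, ALL_TRAFFIC_SG):
        exposed = find_exposed_ports(sg)
        status = "OK" if not exposed else f"{len(exposed)} exposure(s)"
        print(f"{sg['name']}: {status}")
        for port, service, cidr, desc in exposed:
            print(f"  {service}/{port} open to {cidr}  ({desc})")
```

The check is deliberately narrow: it only asks whether a sensitive port is reachable from a zero-length prefix. In a real account the same loop runs over the rules the cloud API returns, and the fix is the hardened group shape above, a source CIDR limited to the tier that actually needs the database.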
He said it’s important for chief information security officers and other IT employees to realize they are still running a full IT operations organization, even if they’re in the cloud.
This is why concepts like zero trust and a renewed focus on identity, credential and access management (ICAM) have come to bear, particularly over the past year.
Zukowski said the goal of zero trust is to properly establish trust between an end device, the network and the application.
“You want to assume the enemy is in the network and never trust the network. You want to take every single enterprise resource and authenticate and validate every transaction. There is no such thing as implicit trust in zero trust,” he said. “If you ever hear somebody say, ‘well, we’re really good over here because our private network is super secure, so we’re just going to trust that,’ then they don’t get zero trust and walk away really fast. Bring to them what they need to understand that it’s about protecting the resources now, not the network.”
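What "authenticate and validate every transaction" looks like in code, as an added example for this page rather than anything from the article or from Akamai: a per-request policy check that decides on the identity token, device posture and resource scope carried by the request, and records the source network without ever letting it count as evidence. The HMAC-signed token format, shared key, posture fields, resource-to-scope table and all requests are constructed for the demonstration; a production deployment would verify tokens issued by its identity provider instead.

```python
"""Added example (not from the article): zero trust style per-request
authorization. The source network is logged but is never a reason to allow.
Key, token format, posture fields and scope table are constructed for the demo."""
import base64
import hashlib
import hmac
import json

DEMO_KEY = b"demo-shared-secret"  # constructed; stands in for the IdP's signing key

# Constructed mapping of protected resources to the scope a caller must hold.
RESOURCE_SCOPES = {"/payroll/export": "payroll:read", "/hr/records": "hr:read"}


def mint_token(subject: str, scopes: list, expires_at: int) -> str:
    """Issue a demo token: base64(payload).base64(HMAC-SHA256(payload))."""
    payload = json.dumps({"sub": subject, "scopes": scopes, "exp": expires_at},
                         sort_keys=True).encode()
    sig = hmac.new(DEMO_KEY, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(sig).decode())


def verify_token(token: str, now: int):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        p64, s64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(DEMO_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None
    return claims


def posture_ok(device: dict) -> bool:
    """Constructed posture policy: managed, encrypted, patched in the last 30 days."""
    return bool(device.get("managed")) and bool(device.get("disk_encrypted")) \
        and device.get("patched_within_days", 999) <= 30


def authorize(request: dict, now: int):
    """Decide one transaction. Returns (allowed, reason). Note that
    request['source_network'] appears only in the audit reason, never in a check."""
    claims = verify_token(request.get("token", ""), now)
    if claims is None:
        return False, "identity: token missing, forged or expired"
    if not posture_ok(request.get("device", {})):
        return False, "device: posture check failed"
    needed = RESOURCE_SCOPES.get(request.get("resource"))
    if needed is None or needed not in claims.get("scopes", []):
        return False, f"resource: {request.get('resource')} requires scope {needed}"
    return True, (f"allow {claims['sub']} -> {request['resource']} "
                  f"(source {request.get('source_network', 'unknown')})")


if __name__ == "__main__":
    NOW = 1_700_000_000
    good_device = {"managed": True, "disk_encrypted": True, "patched_within_days": 7}
    alice = mint_token("alice", ["payroll:read"], NOW + 3600)
    # From the "super secure" private network, but with no identity: denied.
    print(authorize({"source_network": "corp-lan", "resource": "/payroll/export",
                     "device": good_device}, NOW))
    # From the internet, with valid identity, posture and scope: allowed.
    print(authorize({"source_network": "internet", "resource": "/payroll/export",
                     "token": alice, "device": good_device}, NOW))
```

Every branch that denies names which of the three pillars failed, so the audit trail explains decisions in terms of identity, device and resource, which is the vocabulary a zero trust program is measured against.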
Zukowski said the Defense Department and other large agencies need to break down the silos that seem to emerge as everyone is testing and piloting new concepts, lean on automation through artificial intelligence and, maybe most importantly, tackle the often challenging culture change aspect of this new approach to cybersecurity.
“Understand that it takes the enterprise and it takes collaboration to get there. It is a journey and you probably already have all the key components you need,” he said. “You might need a few product gaps to fill in, but if somebody tries to sell you ‘zero trust in a box,’ it doesn’t exist. It’s an architecture. It’s a journey. Find people that will take it together with you.”