Despite the focus on cybersecurity over the last 15 years and the brisk move to the cloud over the last decade, the gap between platform and people is growing wider.
Part of the reason for this disparity is that agencies continue to focus modernization efforts on the platform or the infrastructure, and not on the software.
Daniel Ellis, a staff solutions architect at VMware, said one way to close that gap is for agencies and other organizations to take more advantage of software-as-a-service.
“There’s organizations out there that have built SaaS services that have the ability to secure these organizations in the cloud,” Ellis said during Federal News Network’s DoD Cloud Exchange. “I think it’s really a merging together of that on-premise security posture into these new services that we see in the cloud.”
Mansour Yusuf, the chief cloud architect at Dell Federal, expanded on the gap. He said there is, at times, a lack of understanding of what each agency’s responsibilities are when it comes to cloud security.
He said customers just can’t assume that because they put their data and applications in a cloud service that received a moderate or high rating from the Federal Risk and Authorization Management Program (FedRAMP), they are good to go.
“It’s really the hyperscalers’ [cloud service providers] ability to provide a secure underlying infrastructure and environment for the customer to utilize once there, then there’s still the ability to secure everything up and above in terms of their own workloads, their own infrastructures, if they require authority to operate (ATOs) for their applications. There are still processes that have to be defined and look toward an understanding, whether it’s not just lift-and-shift, but infrastructure-as-a-service through software-as-a-service capabilities. Where can I align my requirements with potential security solutions to fit my needs, as well as checking the box?”
Agencies and cloud service providers need to clearly define responsibilities for security in hybrid environments that many agencies will continue to live in for the foreseeable future.
Ellis said one way agencies are starting to close the gap is through software factories and by implementing DevSecOps.
He pointed to the Air Force’s efforts with its Kessel Run and Kobayashi Maru organizations as examples of the change that is happening.
“What we’ve seen in these established platforms is really the ability to merge people and process with a secure supply chain. It has had tremendous impacts with this,” he said. “We’ve seen proven success into production operations. Organizations like Kessel Run, and Kobayashi Maru over on the Space Force side have made tremendous strides to really drive themselves not only to support an on-premise production capability, but also extend that to the cloud. When we talk to organizations and the Department of Defense about security, really where they’re starting to see the most understanding is really in securing of the application.”
Yusuf said the move to SaaS also helps implement more features of a zero trust architecture. He said despite all the talk about zero trust over the last year, there still is a lot of confusion.
“One of the things that we recommend immediately on starting discussions [around zero trust] is doing a maturity mapping of what they have in place. A lot of times, I’ll actually sit down with an organization and talk about the capabilities that their security teams have today, and then I’ll actually have them look at the investments that they’ve made,” Yusuf said. “A lot of times these organizations don’t understand that the tools they are using have security capabilities built in that they aren’t using. They have the ability to be audited and utilized by cyber teams within these solutions that we provide. So ultimately, doing a mapping of what their investments are today, how they really do meet security and align to a zero trust model has had a tremendous amount of success.”
Then agencies, he added, can view their tools through a single dashboard and plan for future capabilities.
“We’re really heavily focused on not so much a single pane of glass, but very tight integrations when it comes to endpoint security, workload security and the identity of the users coming in,” Yusuf said. “If you think about situations like COVID, and the ability to secure the remote workforce, that’s key right now, and people are making these changes right now in real time. We really want to help them to align to these investments to give you remote worker capability, also have security and benefits that can support you.”
Those benefits, Ellis said, include getting capabilities to the warfighter more quickly and more securely.