In today’s IT landscape, the cloud migration journey can happen for a variety of reasons – financial, reliability, access to analytics tools, and scalability. Consider the following scenario:
When one federal regulatory agency decided to move to the cloud, it did so not only for the obvious financial benefits, but to gain access to Big Data analytics capabilities that the cloud can provide.
The agency had been operating on-premises data centers for decades, but the cost was becoming too high. One major problem was that while the compute resources were in high demand during working hours, they were mostly idle during off hours. So the agency decided to take advantage of the tools often provided by infrastructure-as-a-service cloud providers and began rewriting their data analytics platform on top of this cloud platform. During this process it recognized that it needed a way to secure user access into that environment in a way that was very dynamic, that was tied to the individual since it had very strict compliance reporting requirements, and it needed a way to connect very tightly into its dynamic DevOps style of operations.
Over the last ten years, this has become a common story as more agencies turn to the cloud. With initiatives like the Data Center Optimization Initiative (DCOI) and the Technology Modernization Fund, it’s becoming easier for agencies to find the money up front for IT projects like cloud migration. These projects enable greater IT agility and hybrid solutions, allowing agencies flexibility and greater budgetary control. But what they often don’t realize, at least until the migration is under way, is that the cloud requires a different approach to network security. Additionally, proposed guidance in the OMB mandate from Director Mulvaney directs agencies to strengthen access to government networks and information, whether in the cloud, in the agency’s own data center or colocated, by moving to an identity-centric methodology.
“As organizations move to cloud environments, that really represents a new set of challenges because these cloud environments are very capable, and if used properly can be as secure as an on-premises or collocated environment,” said Jason Garbis, Vice President of Secure Access Products at Cyxtera. “But they use a different toolset, they use a different set of management consoles, policies and processes for securing their program environments.”
This new approach to security has been evolving over the last decade as well. Attacks and breaches have become more frequent, and in response, controls have gotten tougher and compliance requirements stricter and more complex.
And as the compliance landscape gets harder to navigate, agencies are finding that regulatory requirements are not aligned with the way legacy systems operate. Government needs to continue adopting established industry tools such as zero trust networking implemented through software-defined perimeters, which create a single positive-control security boundary around users and the network. That gives the government a single pane of glass tying the true identity of the user to the network and the device access, and removes the need to spend hundreds of man-hours compiling and parsing log data for evidence of compliance.
But often, compliance requirements focus on identity — who has access to what, why they need access, when, and for how long?
“What agencies and departments really need to do is challenge themselves to adopt industry standard SDP technology. And say ‘we need to have a set of security compliance and reporting tools that help us span on-prem, the data center and the cloud, and allow us to set as much as we can — a single set of policies, a single set of processes — that are going to be responsible for managing, reporting, provisioning and overall operating across this hybrid architecture,’” Garbis said.
The cloud also requires a different perspective on the identity lifecycle. Employees need to be able to access systems from the office, from home, and from the field, on multiple different devices. Hardware-based firewalls, network-based firewalls and Virtual Private Networks (VPNs) have been around for a long time, but they are maintenance-intensive, narrow solutions that grant over-privileged network access and do not provide comply-to-connect secure access.
In order to move to more identity-centric, comply-to-connect scenarios, the government needs to move away from VPN solutions that rely on TCP/IP. In today’s hyperconnected and highly adversarial threat landscape, this approach puts organizations at risk, and has enabled far too many data breaches.
“It’s oftentimes difficult for these agencies to change the way they’re doing this and embrace new technologies or approaches that can provide them with a higher level of security, a higher level of compliance and a higher level of agility but requires changing the way that they’re investing their people’s time and money,” Garbis said.
Agencies need to be looking at more secure data storage environments, like co-located service centers. They should be transitioning to security services based on threat analytics, and security products like software-defined perimeter networking software that takes a more modern, holistic approach to managing user access.
So what happened with that federal regulatory agency from the beginning of the story?
They partnered with Cyxtera and began using a software-defined perimeter product called AppGate SDP. It provides a FIPS 140-2 compliant, encrypted, individualized network connection for each specific user to the specific resource they’re accessing. No one else in that organization or on the internet could get access to that data. Each instance gets logged for compliance purposes, and when the user is done, that connection is immediately deleted from the cloud environment. In other words, access is uniquely granted and then revoked every time a user connects to the cloud environment.
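The access model described above (comply-to-connect posture checks, a per-user grant scoped to one resource rather than a network segment, a compliance log of every grant and revocation, and revocation as soon as the session ends) can be illustrated with a small controller. The following is an added example written for this page; it is not Cyxtera or AppGate SDP code and it does not model their protocol. The user names, resource names, posture attributes and policy structure are all constructed for the illustration.

```python
"""Toy model of an identity-centric, comply-to-connect access controller.

Constructed example: demonstrates the difference between a VPN-style
network grant and a per-user, per-resource, per-session grant that is
posture-checked on entry, logged, and revoked on exit.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set
import uuid


@dataclass(frozen=True)
class DevicePosture:
    """Assumed device attributes reported by an endpoint agent (constructed)."""
    disk_encrypted: bool
    os_patched: bool
    agent_running: bool

    def compliant(self) -> bool:
        # Comply-to-connect: every required control must hold before any
        # resource is reachable.
        return self.disk_encrypted and self.os_patched and self.agent_running


@dataclass
class AccessPolicy:
    # identity -> set of individual resources (host:port) that identity may reach
    entitlements: Dict[str, Set[str]] = field(default_factory=dict)


@dataclass
class Session:
    session_id: str
    user: str
    resource: str
    opened_at: str
    closed_at: Optional[str] = None


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


class AccessController:
    """Grants one resource to one identity for one session, and logs it all."""

    def __init__(self, policy: AccessPolicy) -> None:
        self.policy = policy
        self.sessions: Dict[str, Session] = {}
        self.audit_log: List[dict] = []

    def _log(self, event: str, **fields) -> dict:
        entry = {"ts": _now(), "event": event, **fields}
        self.audit_log.append(entry)
        return entry

    def request_access(self, user: str, posture: DevicePosture,
                       resource: str) -> Optional[Session]:
        """Return a Session scoped to exactly `resource`, or None if denied."""
        if not posture.compliant():
            self._log("denied", user=user, resource=resource, reason="device_posture")
            return None
        # Unlike a VPN, the grant never covers a subnet: only the one resource
        # the policy entitles this identity to, and only the one requested.
        if resource not in self.policy.entitlements.get(user, set()):
            self._log("denied", user=user, resource=resource, reason="not_entitled")
            return None
        session = Session(uuid.uuid4().hex, user, resource, _now())
        self.sessions[session.session_id] = session
        self._log("granted", user=user, resource=resource, session=session.session_id)
        return session

    def is_reachable(self, session_id: str, resource: str) -> bool:
        """True only while the session is open and for its single resource."""
        s = self.sessions.get(session_id)
        return s is not None and s.closed_at is None and s.resource == resource

    def close(self, session_id: str) -> bool:
        """Revoke the grant immediately when the user is done."""
        s = self.sessions.get(session_id)
        if s is None or s.closed_at is not None:
            return False
        s.closed_at = _now()
        self._log("revoked", user=s.user, resource=s.resource, session=session_id)
        return True


def compliance_report(ctrl: AccessController, user: str) -> List[dict]:
    """Per-identity audit trail: who touched what, when, and whether it was allowed."""
    return [e for e in ctrl.audit_log if e.get("user") == user]


if __name__ == "__main__":
    policy = AccessPolicy({"analyst@agency.example": {"analytics-db.internal:5432"}})
    ctrl = AccessController(policy)
    ok = DevicePosture(disk_encrypted=True, os_patched=True, agent_running=True)
    s = ctrl.request_access("analyst@agency.example", ok, "analytics-db.internal:5432")
    print("reachable:", s and ctrl.is_reachable(s.session_id, "analytics-db.internal:5432"))
    ctrl.close(s.session_id)
    for e in compliance_report(ctrl, "analyst@agency.example"):
        print(e["event"], e["resource"], e.get("reason", ""))
```

The point of the model is what `is_reachable` refuses: a session never answers for any resource other than the one it was opened for, and it stops answering the moment `close` runs, so the compliance report is the complete record of who could reach what and for how long.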
“As organizations look at migrating to the cloud, it’s important for leaders to challenge themselves and challenge their organizations, and really build a vision for where they want to be,” Garbis said. “It may not be something that can be fully accomplished in the short term, but agencies should try to build a vision for where they want to go and recognize that there are very clear and concrete steps they can take to make demonstrable progress toward that vision in the short term. Fully implementing granular SDP controls in the short term might not be feasible for all agencies and departments. The journey and the vision for who they want to be and how they want to get there should be clear and concrete to ensure the steps taken will yield progress on the long-term vision needed to secure America’s data and users accessing it.”