As you continue to evolve your agency’s hybrid multicloud infrastructure, how are you defining the role of your team and your CSP when it comes to specific cloud...
Corporations have adopted commercial cloud computing for many of the same reasons as federal agencies: to gain optimal flexibility and scalability in their infrastructures. But the congruence ends there, in the view of Doug Hudson, vice president for public sector at Orca Security.
“On the federal side of the public sector, it’s been a much slower adoption rate,” Hudson said.
Why? “I think the main difference, the big difference, is the view of security around the cloud,” he said at Federal News Network’s Industry Exchange Cloud 2023. There is often a perception among federal IT teams, Hudson said, that they have more control over access to agency data centers than they do to resources in the cloud.
But to get over that hurdle and help ensure the best hybrid mix of on-premise and cloud compute, agencies need to broadly adopt a shared responsibility model, Hudson advised.
The thinking “that ‘It’s somewhere else, and I can’t touch my server,’ has led to some irrational slowness in adoption … more by mandate than necessarily taking advantage of the scalable, flexible services that are in the cloud,” he said.
But a shared model lets IT staffs choose from a variety of cybersecurity services they themselves buy and operate or that they acquire from commercial cloud service providers (CSPs), Hudson said.
The question then becomes: What exactly is the best security architecture for an agency’s hybrid cloud computing environment?
For new applications built for the cloud, “you have a much more robust way to build in that security from the ground up,” Hudson said. “You’re able to inherit more controls. You’re able to have better control from an operations standpoint.”
Moving data center–hosted applications and data to the cloud “requires a different level, I’ll say, of technological sophistication because the app was built to work in a data center,” Hudson said. “The [cybersecurity] services aren’t a one-to-one match necessarily in the cloud.”
He offered a data center versus cloud example. In the data center, the IT team can lock specific ports to and from specific applications because they are associated with specific hardware. By contrast, in the cloud, “you’re going to deal with things like scalability and containers — serverless features,” Hudson said. “Those use a lot of ephemeral ports. You end up, when you’re transitioning, with a lot of bolt-on security in that cloud instance.”
Hudson said that cloud services providers in general provide a base level of access controls to physical assets and to software assets such as operating systems, virtual servers and containers.
“So you get the opportunity to go and layer your application, your service, on that prebuilt, compliant environment,” he said. The agency can come to an agreement with a cloud provider to nail down which party has responsibility for maintaining each particular security service.
With this shared responsibility model in place, the agency can “start that better transition or migration to that cloud service,” Hudson said. The details about the services and assigned security responsibilities must be built into the service level agreement between an agency and each of its cloud services providers, he added.
Agencies can also take advantage of the fact that “CSPs come out with new features, new services almost on a daily basis — if not an hourly basis,” Hudson said. “Keeping up with that can be extremely challenging. Understanding how you can manage that is another new skill set to be developed.”
That human capital investment is another factor that agencies need to plan for up front, he recommended. “Make sure you’ve got the right resources to be able to manage.”
To help agencies manage across their hybrid environment, Orca Security developed a cloud-native application that Hudson described as a security posture management platform.
“We are able to see across cloud ecosystems, both commercial and federal — everything that is in that environment, whether it’s one CSP or multiple CSPs — all the way down to the foundational level to identify the risks and vulnerabilities that could cause harm to an organization.”
Copyright © 2024 Federal News Network. All rights reserved.
Vice President for Public Sector, Orca Security
Doug works with C-Suite and cyber executives on risk management, governance, cyber strategy, compliance, and technology transformation. With over 20 years of experience across industries and public sector groups, he brings a unique perspective on organizational global value chain and associated cyber inflection points.
Prior to Orca, Doug developed and ran the Strategy, Privacy, and Risk practice at Coalfire, leading delivery of a broad range of security advisory services for numerous global enterprises and periodically serving as a vCISO. Before Coalfire, he was a Sr. Manager at Accenture in the Security Strategy and Risk Management Practice, leading multiple projects for organizations in the F-100.
Doug holds a Bachelor of Science degree from the University of Iowa and a Masters of Applied Science, Information Systems and Security from the University of Denver. His certifications include CISSP, CCSP, CCSK and Open FAIR.
Host, Federal Drive, Federal News Network
Tom Temin has been the host of the Federal Drive since 2006 and has been reporting on technology markets for more than 30 years. Prior to joining Federal News Network, Tom was a long-serving editor-in-chief of Government Computer News and Washington Technology magazines. Tom also contributes a regular column on government information technology.