Corporations have adopted commercial cloud computing for many of the same reasons as federal agencies: to gain optimal flexibility and scalability in their infrastructures. But the congruence ends there, in the view of Doug Hudson, vice president for public sector at Orca Security.
“On the federal side of the public sector, it’s been a much slower adoption rate,” Hudson said.
Why? “I think the main difference, the big difference, is the view of security around the cloud,” he said at Federal News Network’s Industry Exchange Cloud 2023. There is often a perception among federal IT teams, Hudson said, that they have more control over access to agency data centers than they do to resources in the cloud.
But to get over that hurdle and help ensure the best hybrid mix of on-premises and cloud compute, agencies need to broadly adopt a shared responsibility model, Hudson advised.
The thinking “that ‘It’s somewhere else, and I can’t touch my server,’ has led to some irrational slowness in adoption … more by mandate than necessarily taking advantage of the scalable, flexible services that are in the cloud,” he said.
But a shared model lets IT staffs choose from a variety of cybersecurity services they themselves buy and operate or that they acquire from commercial cloud service providers (CSPs), Hudson said.
The question then becomes: What exactly is the best security architecture for an agency’s hybrid cloud computing environment?
Identifying the right cybersecurity controls
For new applications built for the cloud, “you have a much more robust way to build in that security from the ground up,” Hudson said. “You’re able to inherit more controls. You’re able to have better control from an operations standpoint.”
Moving data center–hosted applications and data to the cloud “requires a different level, I’ll say, of technological sophistication because the app was built to work in a data center,” Hudson said. “The [cybersecurity] services aren’t a one-to-one match necessarily in the cloud.”
He offered a data center versus cloud example. In the data center, the IT team can lock specific ports to and from specific applications because they are associated with specific hardware. By contrast, in the cloud, “you’re going to deal with things like scalability and containers — serverless features,” Hudson said. “Those use a lot of ephemeral ports. You end up, when you’re transitioning, with a lot of bolt-on security in that cloud instance.”
Hudson said that cloud service providers in general provide a base level of access controls to physical assets and to software assets such as operating systems, virtual servers and containers.
“So you get the opportunity to go and layer your application, your service, on that prebuilt, compliant environment,” he said. The agency can come to an agreement with a cloud provider to nail down which party has responsibility for maintaining each particular security service.
With this shared responsibility model in place, the agency can “start that better transition or migration to that cloud service,” Hudson said. The details about the services and assigned security responsibilities must be built into the service level agreement between an agency and each of its cloud service providers, he added.
Agencies can also take advantage of the fact that “CSPs come out with new features, new services almost on a daily basis — if not an hourly basis,” Hudson said. “Keeping up with that can be extremely challenging. Understanding how you can manage that is another new skill set to be developed.”
That human capital investment is another factor that agencies need to plan for up front, he recommended. “Make sure you’ve got the right resources to be able to manage.”
To help agencies manage across their hybrid environment, Orca Security developed a cloud-native application that Hudson described as a security posture management platform.
“We are able to see across cloud ecosystems, both commercial and federal — everything that is in that environment, whether it’s one CSP or multiple CSPs — all the way down to the foundational level to identify the risks and vulnerabilities that could cause harm to an organization.”