Cloud computing adoption by federal agencies has matured because IT staffs have gained more understanding of which workloads do well in the cloud and which don’t.
“Oftentimes, cloud is not as cost-effective as it first appears,” said Peter Romness, cybersecurity principal for the CISO Advisors Office at Cisco. “So a lot of organizations are starting to pull back some applications — for better cost control and better control of their own data.”
Yet, he observed, even when they operate both cloud instances and their own data centers, agencies want a unified way of handling data protection. This desire spawns the question: “How much visibility can you give to the people that have to manage to all of their data, no matter where it is?” Romness during Federal News Network’sIndustry Exchange Cyber 2024.
“At Cisco, we’ve worked really hard so that it’s almost transparent as to where your data is,” he added. “You have many of the same capabilities of managing it and protecting it, whether it’s in your data center or it’s in one of the major cloud provider data centers.”
Romness noted that customers also demand a unified set of tools for their cloud and on-premise environments to make management operations less complex.
And make no mistake, Romness cautioned: Security for an agency’s data in the cloud is ultimately the agency’s responsibility, no less than for on-premise data. Applications or data maintained insecurely on premise won’t be more secure by moving those applications to the cloud. And agencies, he said, need to use FedRAMP and other certifications to have assurance that cloud providers maintain a high level of security.
To unify security, start at the edge
Wherever housed, all datasets have one thing in common. They will be accessed with an application operating from an endpoint. That fact, Romness said, has given rise to the concept of the secure service edge (SSE), also called the security service edge.
“Security service edge takes the idea of, where does my control start and where does it end? And the place that I see it at most is on the endpoint,” Romness said.
SSE should protect users and their data as it goes in and out of their endpoints, he said. Security operations need “a secure channel to all users so that [security team] can see what’s going on in their machines and control it,” Romness said. “As part of that control, I want to not only protect data, but I also want to give good user experience.”
Providing a good user experience requires a risk-based policy approach, he said. Policy might let a user go directly to an external website or application but require a sign-on to a secure channel to access enterprise applications. For still other applications, policy might require multifactor authentication.
“I can granularly control access to every bit of data and applications that a user would go to and protect it along the way,” Romness said. “And that’s kind of what this whole secure service edge is all about.”
SSE is a state, but it requires a product stack to get there, Romness said.
“It’s a matter of putting the different tools in place,” he said. “Often, you already have the tools.” He cited Cisco’s AnyConnect client for endpoint devices, a virtual private network product enhanced with security controls and visibility into the security operations center. Only a small agent resides on the device that communicates to cloud-hosted security services, he said.
Whatever product stack you use, Romness said, it’s important to monitor and “be able to see what’s in your environment and be able to react to it. And having this secure connection is what’s important for that.”