Federal agencies are beginning to implement hybrid cloud solutions – a blend of public and private clouds and agency-controlled data centers – as the way to achieve all the benefits of a diverse, digitally rich environment. But that diversity increases the need for a uniform, yet tailored, security policy suited to each kind of cloud.
“Each hosting environment offers some unique value,” said Phil Quade, Fortinet CISO, during MeriTalk’s “To Cloud or Not to Cloud” webinar. “We ought to be postured to embrace those unique hosted environments, but that means your security strategy [has to be] highly optimized, done in a way that policy is consistent across those environments.”
Sharilyn Cook, manager of the Enterprise Strategic Planning and Management Division at the Department of Treasury’s Bureau of Printing and Engraving, said her own agency is an example of that. The bureau has been working on cloud solutions ever since the 2010 Cloud-First directive.
Cook said moving to the cloud has been aimed at both cost savings and providing flexibility to stand up and stand down capacity according to what is needed at any given time. “But I would say that managing our data out in the cloud is much more difficult.”
A recent MeriTalk survey found that data protection is the top security concern for federal IT, with compliance with federal mandates ranking second.
“With the addition of FedRAMP certification I thought it would be easier,” Cook said, but FedRAMP uses NIST’s 800-53 for security, which has over 800 different security controls a cloud services provider can choose from. “Here at the bureau, the Department of Treasury adds another 300 controls, so it’s hard to find a perfect match … you have to weigh the cost of adding those additional controls, for data and access and such, in the FedRAMP environment, and possibly invalidating any third-party validation of the FedRAMP certification.”
Quade and Cook discussed the challenge of finding ways to simplify security even as the compute environment becomes more complex. Cook said it is important to have automated tools that are better integrated across the different clouds. She credited the Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) program for its emphasis on automated tools that work within a common governance structure.
“To address the problems of speed and scale you have to embrace automation and integration,” Quade agreed. “By integrating your security solutions you’ll be able to defend [assets] at a time and place of your choosing, rather than your adversaries’ choosing.”
Listen to the full webinar for more, including discussion of a security “fabric” as one way to incorporate tools from different vendors and the role of the Cyber Threat Alliance.