Cloud Security

A cloud isn’t smart unless it’s secure

Today’s columnist, Stephen Kovac of Zscaler, offers four ways the industry can embrace the zero-trust goals set by the Biden administration and make our cloud apps more secure. (Photo by Pete Marovich-Pool/Getty Images)

It’s been three years since the federal government established the Cloud Smart strategy, which laid the foundation for agencies to support remote work over the course of the pandemic. Rather than automatically defaulting to a cloud approach (Cloud First), Cloud Smart recommended evaluating workloads and selecting the right environment based on mission requirements – accessibility, and data sensitivity. 

This orientation resulted in our nation’s now sprawling cloud infrastructure, with federal workloads living in a mix of public, private, and hybrid cloud environments. In addition to telework, hybrid cloud and multi-cloud infrastructure give agencies new opportunities to analyze and use data collected by the growing universe of Internet-of-Things (IoT) and edge devices.

The result has been a broader attack surface for bad actors, who are, as we know, taking advantage of every opportunity. There’s more to secure in today’s hybrid environments, especially now that traditional perimeter-based security approaches simply don’t work.  

Given the current threat landscape and the missions that depend on cloud-based applications and data, federal leaders are focused on modernizing cyber defenses, aligning with the Biden administration’s Executive Order on Improving the Nation's Cybersecurity (EO) guidance. Now, we are collectively shifting from Cloud Smart to Cloud Secure.  

The EO outlines a number of actions, including a significant directive for the Department of Homeland Security to develop a federal cloud security strategy that moves the government closer to a true centralized enterprise model based on the principles of zero-trust.

IT leaders agree on the criticality of this issue – our recent research with AWS and CrowdStrike found that 78% believe the steps outlined in the EO are necessary to protect our nation and 82% feel that it’s vital for national security to move staff and budget to zero-trust initiatives.

So how can agencies achieve Cloud Secure? What are we learning and what does improved cloud security mean for federal agencies?  

What we’ve learned so far  

Almost every agency and Department of Defense Command now manages a complex hybrid IT environment – in the cloud, edge, and on-premises. Secure Access Service Edge (SASE) or, using Gartner’s terminology, Secure Service Edge (SSE), offers the best way to secure these environments.

Think of SSE as a subset of the SASE framework with its architecture squarely focused on security services. SSE comprises three core services: secure access to the internet and web by way of a secure web gateway (SWG); secure access to SaaS and cloud apps via a cloud access security broker (CASB); and secure remote access to private apps through zero-trust network access (ZTNA).

The EO recommends a series of steps that break from traditional security guidance – including not relying on VPNs, moving away from traditional boundary-focused security technology, and enabling internet-based access to some applications.

SASE, SSE, and zero-trust will let agencies secure modern, multi-cloud, and hybrid-cloud IT environments – supporting more cloud data storage, more devices, and more users logging in from more locations. While there’s no “easy button” to zero-trust implementation, agencies can benefit from lessons learned to date that offer clear direction for maturing a zero trust-protected environment from a technology and human/security culture standpoint. 

Our team has successfully managed more than 150 SASE/SSE and zero-trust deployments in the federal government, and discovered four avenues to success:

  • Migrate to a Trusted Internet Connections (TIC) 3.0 zero-trust architecture. Following a TIC 3.0 adoption strategy with a cloud-first zero trust solution can accelerate cloud migration, enhance user productivity, and improve support for cloud applications.
  • Achieve good cloud security posture management. Deploying a set of tools that offer configuration assurance is a real win when the agency needs a secure baseline over multiple cloud vendors. This reduces the risk of cloud security breaches because of misconfiguration and human error, improves user experience, and reduces overall costs.
  • Communicate securely between services across multiple cloud vendors. Broker communication between vendors yields unacceptable latency for organizations. To connect two objects such as apps, users, or data using the most secure cloud pathway, agency IT teams should adopt inline cloud-native SASE and zero-trust architectures.
  • Keep looking forward. With hackers constantly looking for new ways to outmaneuver existing security measures, agencies must prioritize cyber talent. Improved information sharing with private-sector partners also ranks as important to supply chain and cloud security, as well as endpoint detection and response.  

Over the past 10 years, private industry has spent billions of dollars securing the cloud. We’ve also seen Cybersecurity and Infrastructure Security Agency (CISA) and Federal Risk and Authorization Management Program (FedRAMP) leverage industry partners and knowledge. 

The public sector can continue building on this foundation, for example by evolving the FedRAMP program and achieving the “certify once, use many” goal. Leaders can look at opportunities to integrate programs, such as providing CMMC reciprocity for FedRAMP audits.

CISA recently released the draft of TIC 3.0 for public comment, including the new Cloud Use Case, which describes the architecture and security considerations for deploying different cloud services. This will offer important guidance for agencies to continue to mature their environments and deploy efficient, flexible on-demand services for employees and citizens.

Of note, CISA takes a collaborative approach, publishing the draft and inviting comments and input from the private sector. It’s how we move forward: collaboratively. 

Federal digital transformation has dramatically accelerated, and we now have an urgent need to accelerate cybersecurity modernization, including industry best practices like zero-trust. We can achieve Cloud Secure with strong public/private collaboration and a commitment to build on what we are learning as we manage the networks and information ecosystems that deliver responsive, strong, and resilient government.  

Stephen Kovac, chief compliance officer, head of global government affairs, Zscaler
