It’s been three years since the federal government implemented the Cloud Smart strategy, which laid the groundwork for agencies to support remote work during the pandemic. Rather than automatically defaulting to a cloud-first approach, Cloud Smart recommended assessing workloads and selecting the right environment based on mission requirements – data accessibility and sensitivity.
This focus has resulted in our nation's now-sprawling cloud infrastructure, with federal workloads living in a mix of public, private, and hybrid cloud environments. In addition to supporting remote work, hybrid cloud and multi-cloud infrastructure offer new opportunities for agencies to analyze and use data collected by the growing universe of Internet of Things (IoT) and edge devices.
The result has been a wider attack surface for bad actors, who, as we know, take advantage of every opportunity. There’s more to secure in today’s hybrid environments, especially now that traditional perimeter-based security approaches simply don’t work anymore.
Given the current landscape of threats and missions that depend on cloud-based applications and data, federal leaders are focused on modernizing cyber defenses, aligning with the direction of the Biden administration's executive order on improving the nation's cybersecurity (EO). Now we are collectively moving from Cloud Smart to Cloud Secure.
The EO outlines a number of actions, including an important directive for the Department of Homeland Security to develop a Federal Cloud Security Strategy that moves the government closer to a true centralized enterprise model based on the principles of zero trust.
IT leaders agree on the importance of this issue: our recent research with AWS and CrowdStrike revealed that 78% believe the steps outlined in the EO are necessary to protect our country and 82% believe it is vital for national security to shift staff and budget to zero trust initiatives.
So how can agencies achieve Cloud Secure? What are we learning and what does improved cloud security mean for federal agencies?
What we have learned so far
Almost every Department of Defense agency and command now manages a complex hybrid IT environment – in the cloud, on the edge, and on-premises. Secure Access Service Edge (SASE) or, in Gartner's terminology, Security Service Edge (SSE), offers the best way to secure these environments.
Think of SSE as a subset of the SASE framework with its architecture focused entirely on security services. SSE comprises three main services: secure Internet and web access through a secure web gateway (SWG); secure access to SaaS and cloud applications through a cloud access security broker (CASB); and secure remote access to private applications via Zero Trust Network Access (ZTNA).
The EO recommends a series of steps that break away from traditional security advice – including not relying on VPNs, moving away from traditional perimeter-focused security technology, and allowing internet access for certain apps.
SASE, SSE and Zero-Trust will enable agencies to secure modern, multi-cloud and hybrid IT environments, supporting more cloud data storage, more devices and more users connecting from more locations. While there is no “easy button” for implementing zero trust, agencies can benefit from the lessons learned to date that offer clear direction for maturing an environment protected by zero trust, from both a technology and a human/safety culture perspective.
Our team has successfully managed over 150 SASE/SSE and Zero-Trust deployments across the federal government, and discovered four paths to success:
- Migrate to a Trusted Internet Connections (TIC) 3.0 zero-trust architecture. Following a TIC 3.0 adoption strategy with a zero-trust-first cloud solution can accelerate cloud migration, improve user productivity, and improve support for cloud applications.
- Achieve good cloud security posture management. Deploying a set of tools that provide configuration assurance is a real win when the agency needs a secure baseline across multiple cloud providers. This reduces the risk of cloud security breaches due to misconfiguration and human error, improves user experience and reduces overall costs.
- Communicate securely between services from multiple cloud providers. Brokering communication between vendors causes unacceptable latency for organizations. To connect two objects such as applications, users, or data using the most secure cloud path, agency IT teams must adopt cloud-native online SASE and zero-trust architectures.
- Keep looking forward. As hackers constantly search for new ways to circumvent existing security measures, agencies need to prioritize cyber talent. Improved information sharing with private sector partners is also important for supply chain and cloud security, as well as endpoint detection and response.
Over the past 10 years, private industry has spent billions of dollars securing the cloud. We also saw the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Risk and Authorization Management Program (FedRAMP) leveraging industry partners and knowledge.
The public sector can continue to build on this foundation, for example by evolving the FedRAMP program and achieving the “certify once, use many” goal. Leaders can look for opportunities to integrate programs, such as providing CMMC reciprocity for FedRAMP audits.
CISA recently released the TIC 3.0 draft for public comment, including the new cloud use case, outlining the architecture and security considerations for deploying different cloud services – this will offer important guidance for agencies moving forward to mature their environments and deploy efficient and flexible solutions and on-demand services to employees and citizens.
It should be noted that CISA takes a collaborative approach, publishing the draft and inviting comments and contributions from the private sector. This is how we move forward: in collaboration.
Federal digital transformation has accelerated dramatically, and now we urgently need to accelerate cybersecurity modernization, including industry best practices like zero trust. We can achieve Cloud Secure with strong public/private collaboration and a commitment to leveraging what we learn as we manage the networks and information ecosystems that deliver responsive, strong, and resilient government.
Stephen Kovac, Chief Compliance Officer, Head of Global Government Affairs, Zscaler