Securing migration and access for cloud applications

In today’s IT landscape, the cloud migration journey can happen for a variety of reasons – financial, reliability, access to analytics tools, and scalability. Consider the following scenario:

Over the last ten years, this has become a common story as more agencies turn to the cloud. With initiatives like the Data Center Optimization Initiative (DCOI) and , it’s becoming easier for agencies to find the money up front for IT projects like cloud migration. These projects enable greater IT agility and hybrid solutions, allowing agencies flexibility and greater budgetary control. But what they often don’t realize, at least until the migration is underway, is that cloud requires a different approach to network security. Additionally, proposed guidance in the OMB mandate from Director Mulvaney directs agencies to strengthen access to government networks and information, whether in the cloud, your data center or colocated to an identity-centric methodology.

“As organizations move to cloud environments, that really represents a new set of challenges because these cloud environments are very capable, and if used properly can be as secure as an on-premises or collocated environment,” said Jason Garbis, Vice President of Secure Access Products at Cyxtera. “But they use a different toolset, they use a different set of management consoles, policies and processes for securing their program environments.”

This new approach to security has been evolving over the last decade as well. Attacks and breaches have become more frequent, and in response, controls have gotten tougher and compliance requirements stricter and more complex.

And as the compliance landscape gets harder to navigate, agencies are starting to find that regulatory requirements are not aligned with the way legacy systems operate. Government needs to continue its journey in adapting established industry tools, such as zero trust networking implemented through software-defined perimeters, to create single positive-control security boundaries around its users and network. This allows the government to have a single pane of glass tying the true identity of the user to the network and the device access. Removing the need to spend hundreds of man-hours compiling and parsing logging data for evidence of .

But often, compliance requirements focus on identity — who has access to what, why they need access, when, and for how long?

“What agencies and departments really need to do is challenge themselves to adopt industry standard SDP technology. And say ‘we need to have a set of security compliance and reporting tools that help us span on-prem, the data center and the cloud, and allow us to set as much as we can — a single set of policies, a single set of processes — that are going to be responsible for managing, reporting, provisioning and overall operating across this hybrid architecture,’” Garbis said.

That is because cloud requires a different perspective on the identity lifecycle. Employees need to be able to access systems from the office, from home, and from the field, on multiple different devices. Hardware-based firewalls, network-based firewalls and Virtual Private Networks (VPNs) have been around for a long time, but they are maintenance-intensive, narrow solutions that grant over-privileged network access and do not provide comply-to-connect secure access.

In order to move to more identity-centric, comply-to-connect scenarios, the government needs to move away from VPN solutions that rely on TCP/IP. In today’s hyperconnected and highly adversarial threat landscape, this approach puts organizations at risk, and has enabled far too many data breaches.

“It’s oftentimes difficult for these agencies to change the way they’re doing this and embrace new technologies or approaches that can provide them with a higher level of security, a higher level of compliance and a higher level of agility but requires changing the way that they’re investing their people’s time and money,” Garbis said.

Agencies need to be looking at more secure data storage environments, like co-located service centers. They should be transitioning to security services based on threat analytics, and security products like software-defined perimeter networking software that takes a more modern, holistic approach to managing user access.

So what happened with that federal regulatory agency from the beginning of the story?

They partnered with Cyxtera and began using a software-defined perimeter product called AppGate SDP. It provides a FIPS 140-2 compliant, encrypted, individualized network connection for each specific user to the specific resource they’re accessing. No one else in that organization or on the internet could get access to that data. Each instance gets logged for compliance purposes, and when the user is done, that connection is immediately deleted from the cloud environment. In other words, access is uniquely granted and then revoked every time a user connects to the cloud environment.