In the current moment, chief information officers have become chief resiliency officers, tasked with ensuring connectivity and security in the face of a pandemic. Months ago, 90 percent of the workforce was working in the office on corporate networks. Now they’re working from all over on untrusted devices and networks.
Virtual private networks, or VPNs, the traditional mode of telework, have become a chokepoint, as many agencies don’t have sufficient bandwidth for everyone to use them. The cloud can help solve this problem, and in doing so it transforms the entire security paradigm. A perimeter-based approach that emphasizes protecting the data center as if it were a castle surrounded by a moat goes out the window. As data and applications leave the corporate data center, there’s no need to route users through it for access.
Many civilian agencies already go direct-to-cloud for certain capabilities, and the U.S. Department of Defense recently announced that it had rolled out a Commercial Virtual Remote Environment to support the collaboration needs of nearly a million workers.
According to a recent survey, 83 percent of federal agencies are increasing multi-cloud adoption to support telework. With this trend in mind, let’s take a look at how agencies can reap the full benefits of going direct-to-cloud.
1. Hire people with cloud knowledge
Agencies cannot pivot to direct-to-cloud without thinkers who are really cloud-smart. The cloud is extremely complex, and some employees lack the intellectual capital, time and/or experience required to fully unlock its benefits. Too many agencies set up virtualization capabilities and think they’re “in the cloud.”
A software-defined wide area network, which offers flexibility, requires a tremendous amount of creative and critical thinking, and so does making the best use of resources in GovCloud. You must know where assets are located, how they are running and how security is being applied, to name just a few requirements.
The government must bring in more cloud thinkers, but there’s residual resistance within the community to hiring commercial industry personnel. Job shares could offer a good first step. Regardless, deep expertise is required to capitalize on the cloud and stay connected.
2. Secure the cloud
Today, 42 percent of agencies are attempting to adapt cybersecurity strategies to the cloud, but it’s not happening fast enough. Most are moving at least some of their assets to the cloud, but only half are taking critical security steps, such as encrypting data.
Once again, securing the cloud is different than securing the data center. Too many people assume their cloud service provider is providing protection in the cloud, when it’s really providing protection of the cloud. If anyone attacks Amazon Web Services, you’re protected. But if they go for your data that’s stored there? You’re on your own!
A zero-trust cybersecurity approach, as the DoD is exploring, can be effective for protecting data stored in the cloud and in software-as-a-service, or SaaS, applications. Nobody inside or outside the network is trusted by default; instead, users are authenticated through ICAM (identity, credential and access management) and IDAM (identity and access management).
That’s just the starting line for organizational cloud security, though. The next steps are understanding what these authenticated users are actually doing on the network, activating real-time response to suspicious or anomalous behavior, and ultimately feeding that telemetry back into the security system. Spotting anomalies requires a baseline understanding of user behavior as well as the ability to monitor and react to changes in real time.
3. Become flexible
Flexibility is one of the biggest benefits of going direct-to-cloud, but agencies sometimes lock themselves into a given direction, erasing this benefit before it really begins. With a traditional perimeter approach, it’s relatively easy to count your firewalls or any tangible assets. In the world of SaaS or infrastructure-as-a-service, where you’re spinning resources up in six-hour increments, it’s far more difficult to diagram and understand.
The complexity of the cloud can be costly and risky, but the rewards are exponential. Cloud service providers have tremendously efficient IT stacks. They run on hyper-thin margins and are required to be hyper-efficient, which isn’t the case with traditional data centers. Back to our first point, these benefits can only be realized if agencies have the needed cloud expertise to execute.
Not everyone was cloud-ready or cloud-savvy when COVID-19 hit. Many agencies were forced to massively increase their VPN bandwidth and continue with their legacy moat-and-castle approach to security. Still, direct-to-cloud is gaining momentum and driving much-needed evolution from a traditional setup to a more modern security approach required for today’s dynamic threat landscape.
Agencies must ensure they obtain the talent needed to stay secure, flexible and connected during this crisis and beyond. The world is changing rapidly, and so must government agencies’ IT operations.
Eric Trexler is vice president of global governments and critical infrastructure at Forcepoint.