Moving applications to the cloud requires agencies to refocus their security away from the network and onto users and data, according to experts who spoke at the American Council for Technology and Industry Advisory Council (ACT-IAC) Executive Leadership Conference on Oct. 30.

“The network defense has already been stretched to the breaking point, and having these big internally soft, externally hard shell networks just does not work in this day and age,” said U.S. Digital Service engineer Andy Brody. “The boundaries are less physical and more logical.”

Brody explained that agencies don’t yet have the “budget or the appetite” to move everything to the cloud in one fell swoop, resulting in a network of applications that is split between new and old infrastructure. This split makes network perimeter-based defenses particularly hard.

“The modern network, really what we’re seeing with the introduction of cloud is a change in the landscape in terms of how we look at security,” said Sara Mosley, Trusted Internet Connections lead for the Department of Homeland Security. “You still need the perimeter protections because everybody still has regular networks, traditional networks, but at the same time you really need to look at what it is you need to protect.”

According to Steve Kovac, vice president of global governments and compliance at Zscaler, data needs to be safe and accessible from almost any location because of the cloud and the increasing popularity of remote access.

“It’s not protecting the network, it’s protecting the user — so that user has to have the same experience whether they’re sitting in a Starbucks, or they’re sitting on the battlefield. It’s got to be the same experience,” said Kovac. “If you put policy around the user, the network just becomes a form of transit.”

The cloud environment also blurs the line between public-facing and internal-facing access points, according to Brody.

“It’s not solely serving either of these populations,” he explained. “And this means that the identities employees use to access that information require simplification.”

“You may be a government employee, but you’re also a citizen, so that identity transcends both sides of that coin,” said Jeff Frederick, senior solutions engineer at Yubico. “And so, giving individuals one token to authenticate either business and government apps or their citizen-facing apps is going to be a much more cost-effective method than trying to provide multiple tokens for multiple individual roles.”

According to Mosley, these differences in cloud-based security require agencies to keep their security teams in on the discussion throughout the transition to cloud.

“You’ve got to really bring in the security folks from the beginning in terms of planning it because they have to understand how they will be monitoring,” said Mosley. “You’re not going to look at it from the protection of your network, you’re going to look at it from the protection of your data.”

Agencies will also be left straddling new and old systems, as rules and resources prevent the largest networks from transitioning quickly.

“A lot of the barriers are policy, a lot of the barriers are just investment in physical infrastructure and people and processes that are hard to change,” said Brody. “You can’t just take a giant enterprise network and say, ‘OK, now we’re in the cloud.’”

Mosley added that in cloud transitions, small agencies will have the advantage of speed because they don’t have as much to migrate, but will be at a disadvantage with security.

“There’s definitely smaller agencies that are much more agile, they can kind of move faster, but from a skillset perspective I think there’s some challenges there, so they’re relying on a third-party or outsourced provider to provide that,” Mosley said.

Jessie Bur covers federal IT and management.
