Why Cloud-Ready, Centralized AppSec Must Underpin State Government Cloud Adoption

This blog was originally published by Checkmarx here.

Written by Rebecca Spiegel, Checkmarx.

State and local governments are accelerating their use of the cloud as they focus on delivering more digital services with fewer resources and continue responding to pandemic pressures. In a recent FedRAMP survey conducted by Maximus and Genesys, 49% of state and local government respondents said most of their systems and solutions were in the cloud, with a further 9% saying all of them were. Unsurprisingly, 69% said cloud computing is essential to their agency’s operations.

The reasons for switching away from on-prem include scalability and cost control. Things changed quickly too, of course, when agency offices closed in 2020 to slow the spread of COVID-19. Citizen services switched to online delivery, and agency workforces needed remote access to vital work applications as state and local governments found themselves on the front lines of pandemic response.

Compelling Benefits of Public Sector Cloud Adoption

Agencies face budget constraints on top of a citizen base with high expectations of digital services that match their experiences with commercial software. Citizens quickly question agencies’ credibility when digital services don’t provide the seamless, personalized experience to which they are accustomed. As a result, agencies have been under pressure to develop cost-effective software infrastructure that can deliver flexible online services and scale up instantly to meet peak demand during emergencies.

The cloud simplifies rapid application deployment, allowing resources to scale on demand with flexible, consumption-based billing models. Agencies no longer have to provision and maintain costly on-premises infrastructure just in case emergencies arise; instead, they can shift costs from capital to operational budgets, knowing they will be covered in a peak demand event.

Migrating to the cloud also allows agencies to implement turnkey solutions that use consistent processes and protocols while ensuring regulatory compliance. It’s more difficult to implement or map to such standards in on-premises environments that are typically heterogeneous, having grown as needed while reflecting a team’s changing personalities, skillsets, and priorities over the years.

Despite the benefits of the cloud, any change brings new risks. Agencies have put their faith firmly in the cloud and must ensure citizens’ private data is safe within modern application development components.

Ultimately, with all its speed and complexity, cloud native modern application development needs software security designed to quickly scale so agencies can uphold their part of the shared responsibility model.

The Shared Responsibility Model for Cloud Security

Cloud services offer State and Local Government agencies protection beyond anything an individual agency could deliver in-house. This built-in cloud security eliminates a considerable operational burden as the cloud service provider (CSP) is responsible for the host operating system and virtualization layer, down to the physical security of the data centers in which services are deployed. In fact, 72% of state and local respondents to the Maximus/Genesys survey felt that mission-critical data was more secure in the cloud than on-premises.

This is only half of the equation, however. Agencies cannot hand over all security responsibilities to a CSP. While the cloud itself may be secure, the security of applications developed and released to production in the cloud remains the agency’s responsibility. Application security ultimately protects citizen data, and when development is cloud native, there are more kinds of code and application building blocks to secure.

Learn more: Make Security Intrinsic in Your AWS Cloud Deployment >>

Centralizing AppSec Strategy to Realize Cost, Efficiency, and Security Benefits

Agencies must develop a comprehensive AppSec strategy that covers all the different code components of cloud native application development. They need an optimized solution that can mature and scale with their team as their journey in the cloud continues.

A centralized, consolidated approach is critical to success. Otherwise, agencies might purchase multiple point products to scan all their code across different languages and frameworks (containers, infrastructure as code [IaC], third-party packages, APIs, etc.). This is expensive and makes life difficult for developers, who have to assimilate and respond to alerts from multiple sources that often integrate poorly, if at all.

Alternatively, agencies that can only afford a few solutions with limited breadth and depth might not adequately scan their code to begin with. Missed vulnerabilities could put citizen data at risk.

SLED agencies need to choose vendors that take a centralized approach to AppSec tooling, with scan engines that offer a breadth of language support and cover the entire software development life cycle (SDLC), aggregating more insightful results for faster remediation at a lower total cost of ownership. This optimized strategy benefits public sector budgets as well as the developer teams responsible for delivering secure cloud native applications by resolving tensions around cost, security, efficiency, and speed.

Accelerating AppSec for Cloud Native Development Processes

Speed is central to devising an optimized AppSec strategy and choosing the right supporting tools. If an agency’s AppSec testing tools are not developer-centric, not tightly integrated into DevSecOps processes, and not connected to one another, code scans can be time-consuming. Consequently, an agency may scan less frequently—perhaps only daily, or only weekly—and inundate their teams with large numbers of discovered vulnerabilities, interrupting workflows and delivery schedules.

Cloud native development requires a faster, more iterative solution that helps agencies move toward DevSecOps, integrating and automating security scans at every stage of the SDLC.

Agencies must also scan cloud native code, whether it’s developer-written IaC pushed rapidly to production, third-party code, or APIs essential to rapid application development. The open source KICS project by Checkmarx allows fast, frequent scans of IaC to identify any issues that may lead to vulnerabilities.

Using AppSec tools that fully integrate into the CI/CD pipeline, agencies can maintain the pace of cloud native application development without introducing additional risks.

Evolving AppSec for Different Levels of Cloud Maturity

Public sector agencies vary in their AppSec maturity and place in their cloud journey, but wherever they are, finding a scalable AppSec approach as they build cloud solutions will accelerate and optimize their processes.

Download our SLED issues brief to find out more about how consolidating application security can address five out of ten State CIO priorities. >>

Related Resources

• Why It’s Time for State and Local Governments to Take a Centralized Approach to AppSec
• Developing Digital Citizen Services: Our Duty to Keep Digital Government Secure
• Why Centralized Risk Management and Governance Are Key to Modernizing Legacy Applications

About the Author

Rebecca brings nearly 10 years of experience to her role as Product Marketing Manager at Checkmarx. She spearheads strategy for North America Channel and Global Strategic Alliances, and between marketing and product, she lives and breathes acronyms from GTM and KPI, to IaC and SCA. Her approach to writing is no different from her approach to the rest of her role: always informed by the audience’s objectives, highly researched, and backed by validation.