The Right Way To Address Multicloud Cybersecurity
This blog was originally published by Booz Allen here.
Written by Brad Beaulieu, Booz Allen.
Tailoring security for multicloud’s unique challenges
As the industry’s cloud service vendors race to differentiate themselves with exclusive new features and innovations, federal agencies are riding the innovation wave. Enterprise multicloud is providing technology teams with new levels of quick, flexible access to the tools and environments that best fit their needs, which are often highly specialized and particular.
It is no surprise that multicloud is widely seen as a natural and enduring future state for agency IT. But the same qualities that are accelerating this natural evolution toward multicloud—diverse toolsets, strong return on investment, enhanced flexibility, and rapid scaling—create a complex security environment.
Effective protection of cloud assets requires cyber and IT leaders to think and act differently in a few key areas: centralizing operations and data, empowering the security team, and providing smart governance and the tools to succeed. Here’s a closer look at each of these points.
Consolidate Security Operations to Avoid Blind Spots.
In legacy on-premises environments, standing up a server required significant lead time along with assistance from, and oversight by, multiple organizational units as equipment was approved, ordered, assembled, configured, and integrated. Now, a single person can spin up a new server in almost no time at all. But unless project teams are perfectly in sync with their agency’s cyber operations, that kind of velocity can easily lead to isolated environments and blind spots—creating substantial risk, as securing an enterprise truly does require full, real-time awareness across the entire network.
In today’s multicloud enterprise, cyber operations should be consolidated and centralized, so security teams can:
- Monitor activity across the network and all clouds in real time
- Have comprehensive access to take control of systems as needed
- Quickly detect incidents and take immediate action in response
Rather than leaving individual project teams responsible for determining their own route to compliance, a central security team provides the framework and services necessary to help all teams maintain compliance using a consistent suite of centrally managed security tools and services.
Most importantly, in the event of an incident, this centralized model gives the security team the information and access it needs to engage in all necessary investigative and mitigative activities within and across the enterprise’s myriad technology environments.
Save All Logs and Store Them Centrally. You’re Going to Need Them.
Maintaining enterprise-wide, real-time awareness is just the first step. An effective security team also needs access to a full accounting of the network’s past state over time—who and what has accessed it, how everything’s been configured, and what activities have taken place when and where.
Accumulated over years, these logs represent a mind-boggling, storage-capacity-busting amount of data, but it really is necessary to keep them accessible for threat hunts and investigations. With the availability of abundant, affordable cloud storage, particularly for infrequently accessed archival storage, an insufficient budget is no longer an excuse.
For example, if an organization recently discovered a possible network intrusion, past data can help the security team start to piece together investigative details such as:
- Details about the attacker, human or not
- When the intrusion began and how long attackers had access
- What software came into the network, and how it changed over time
- How the attackers moved laterally inside the network and what information they had access to
- What was exposed, damaged, or lost in the attack
The reality of cybersecurity is that organizations don’t know what information they will need to analyze in the future. While there are times when attack patterns are known and recognizable, there will always be new attacks that follow unknown patterns. Clear governance and tools guiding the retention of past data allow organizations to support forensics at scale and streamline investigations by making pre-processed historical logs available to the security team on demand.
Augment Human Intuition with Automation and Machine Learning.
If simply storing such a large volume of data is a major challenge, what about making sense of it? From real-time monitoring to forensic dives into past logs, this analysis requires thousands of hours annually of highly specialized human labor from a notoriously short-handed workforce.
Human intuition and skill guide much of what threat hunters do every day. But between managing a constant flow of new information sources, sorting through the data, and flagging abnormal activity, even the most skilled cyber professionals are quickly outpaced by the data deluge. To address this, complex organizations with critical missions can augment and empower their cyber workforces through automation, machine learning, and artificial intelligence. Leveraging innovation in these areas can scale the bandwidth and reach of small cyber teams by assisting with activities like normalizing the data, establishing baselines, detecting anomalies, automating repetitive tasks, rapidly retrieving information, and automatically enforcing standardized security policies and configurations.
Back Up Security Policies with Technical Governance to Automate Compliance.
One of the greatest challenges to cloud security is human error. Imagine the following scenario: Someone in your organization provisions an application quickly and inadvertently fails to encrypt data, or accidentally exposes the administrative interface to adversaries. Unfortunately, even the most clearly written and communicated security policies cannot compete with the inevitability of innocent mistakes. This is especially true in a complex enterprise environment that includes multiple cloud vendors and platforms.
Protecting the mission is a non-negotiable priority, and traditional governance has a clear role in helping to define configuration standards. But how can organizations enforce those standards, make them easily available to all people, and ultimately prevent non-compliance?
Agencies are increasingly looking to shared technical governance as an elegant means to address this challenge. Through an agency-run platform that offers teams the capabilities and workflows they need to quickly scale up infrastructure, IT leaders can provide a mission delivery pipeline that is preloaded and configured for security compliance.
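The kind of technical guardrail a compliance-preloaded pipeline would run, as an added illustration that is not Booz Allen's, Treasury's, or any cloud vendor's code: it checks a normalized inventory of resources from several clouds against the two mistakes named in the scenario above (unencrypted storage and an administrative interface reachable from the internet) and blocks deployment when either is found. The resource schema, rule identifiers, and sample inventory are constructed for the example.

```python
"""Policy-as-code guardrail for a multicloud delivery pipeline (added example).

Rules implemented, drawn from the article's scenario:
  ENCRYPT-AT-REST  storage resources must be encrypted
  ADMIN-EXPOSED    admin ports must not be open to public address ranges
The Resource schema and the SAMPLE inventory are constructed, not a real
provider API; a real pipeline would build Resource objects from each cloud's
inventory export before calling evaluate().
"""
from dataclasses import dataclass, field
from ipaddress import ip_network

ADMIN_PORTS = {22, 3389, 5985, 5986}  # SSH, RDP, WinRM (HTTP/HTTPS)

@dataclass
class Resource:
    cloud: str          # provider label only, e.g. "aws", "azure", "gcp"
    kind: str           # "storage" or "compute"
    name: str
    encrypted: bool = True
    inbound: list = field(default_factory=list)  # (cidr, port) pairs

def is_public(cidr: str) -> bool:
    """True when the CIDR admits traffic from outside private ranges."""
    net = ip_network(cidr, strict=False)
    return net.prefixlen == 0 or net.is_global

def evaluate(resources):
    """Return (resource name, rule id, detail) for every violation found."""
    findings = []
    for r in resources:
        if r.kind == "storage" and not r.encrypted:
            findings.append((r.name, "ENCRYPT-AT-REST", f"{r.cloud}: storage not encrypted"))
        for cidr, port in r.inbound:
            if port in ADMIN_PORTS and is_public(cidr):
                findings.append((r.name, "ADMIN-EXPOSED", f"{r.cloud}: port {port} open to {cidr}"))
    return findings

def pipeline_gate(resources) -> bool:
    """Pipeline step: deployment proceeds only when no findings remain."""
    return not evaluate(resources)

# Constructed inventory: two compliant resources and two misconfigured ones.
SAMPLE = [
    Resource("aws", "storage", "case-files", encrypted=True),
    Resource("azure", "storage", "scratch-exports", encrypted=False),
    Resource("aws", "compute", "bastion", inbound=[("10.0.0.0/8", 22)]),
    Resource("gcp", "compute", "intake-app", inbound=[("0.0.0.0/0", 443), ("0.0.0.0/0", 3389)]),
]

if __name__ == "__main__":
    for name, rule, detail in evaluate(SAMPLE):
        print(f"{rule:16} {name:16} {detail}")
    print("gate:", "pass" if pipeline_gate(SAMPLE) else "BLOCK")
```

Because the check runs on the normalized inventory rather than on any one provider's console, the same two rules apply identically across every cloud the agency uses, which is the point of centrally managed technical governance.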
The U.S. Department of the Treasury has taken this approach with its Workplace Community Cloud (WC2), a pair of Treasury-owned cloud environments designed to host the agency’s mission-critical applications, systems, and workloads at the FedRAMP Moderate and High impact levels. By providing reusable environments that come preconfigured with security and other controls that are tailored for government needs and compliant with federal regulations, Treasury is empowering its teams to continuously modernize with great speed and cost efficiency.
As the move to multicloud accelerates, agency IT and security leaders must continue to work together to manage the transition in a way that both secures and empowers mission delivery. Tomorrow’s most successful multicloud enterprises will be the ones that take a strategic approach to integrating existing cloud environments while moving toward a new shared services model.