As more Federal agencies prioritize migration to the cloud, especially in this era of telework, it is essential to keep security consistent between on-premises data centers and cloud environments and to equip the workforce with proper cybersecurity tools and strategies.
Here are a few recommendations for agencies approaching cloud compliance and security regulations:
Securing Applications and Platforms
Given the rise of cloud-based systems, various public and private sector organizations have published frameworks that agencies can use to evaluate the security posture of their web services and cloud platforms. Beyond following these guidelines, however, it is becoming increasingly important to adopt more secure applications and to manage critical data more carefully.
First, regarding tools: the public sector should look to those that provide visibility across multi-cloud architectures. The greatest number of issues arises with cloud storage. Agencies must not only keep permission settings correct (a single bucket policy that grants access to any principal exposes its contents to the whole internet), but also ensure that the users who are authorized handle that data compliantly.
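The storage-permission problem above is concrete enough to check mechanically. The following is an added example, not code from the article or from Fortinet: it audits bucket policy documents in the AWS IAM policy JSON format for grants to any principal, distinguishing an unconditioned public grant from one scoped by a Condition (such as a VPC endpoint) that still deserves human review. The three policy documents, the bucket name, the VPC endpoint ID and the account ID are constructed samples; no cloud API is called.

```python
"""Added example (not from the original article): audit constructed
S3-style bucket policies for anonymous access, the kind of storage
misconfiguration described in the text. Policy documents are
constructed samples in the AWS IAM policy JSON format; nothing here
contacts a cloud service."""
import json

# Actions that expose bucket listings or object contents if granted to anyone.
_READ_ACTIONS = {"s3:getobject", "s3:listbucket"}


def _as_list(value):
    """Policy JSON allows a bare string wherever a list is permitted."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True for "Principal": "*" or {"AWS": "*"}: any caller, signed or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def _exposes_data(action):
    """Wildcard-aware check: does this action grant read access to data?"""
    a = action.lower()
    if a in ("*", "s3:*"):
        return True
    if a.endswith("*"):  # e.g. "s3:Get*" covers s3:GetObject
        return any(r.startswith(a[:-1]) for r in _READ_ACTIONS)
    return a in _READ_ACTIONS


def audit_bucket_policy(policy_json):
    """Return findings for one bucket policy document (a JSON string).

    Each finding is (statement Sid, verdict), where verdict is
    'public' for an Allow to any principal with no Condition, or
    'review' for the same grant narrowed by a Condition (VPC endpoint,
    source IP, ...) that a person must confirm is actually tight.
    Deny statements only tighten access and are skipped.
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        actions = _as_list(stmt.get("Action", []))
        # Allow + NotAction grants everything except the listed actions.
        if "NotAction" in stmt or any(_exposes_data(a) for a in actions):
            verdict = "review" if stmt.get("Condition") else "public"
            findings.append((stmt.get("Sid", "<no Sid>"), verdict))
    return findings


# Constructed sample policies; bucket, endpoint and account IDs are made up.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "WebsiteRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VpcOnlyRead", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})

PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

if __name__ == "__main__":
    for name, doc in (("public", PUBLIC_READ_POLICY), ("scoped", SCOPED_POLICY),
                      ("private", PRIVATE_POLICY)):
        print(name, audit_bucket_policy(doc))
```

Run against real policies, this is the kind of check a multi-cloud visibility tool performs continuously; the "review" verdict exists because a Condition can be anything from a tight VPC-endpoint match to a trivially wide IP range, and only a person can judge that.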
As more organizations outsource IT management and email applications, agencies must keep coordinating closely with, and monitoring, their third-party providers. “There need to be tools in place that allow an agency to get real-time visibility into the security posture, to manage what they have now and how those applications’ metrics are being utilized,” says Felipe Fernandez, Director of Systems Engineering, Fortinet.
“There are shortfalls in the one-size-fits-all application, software, or platform-as-a-service delivery model,” he states. “Unfortunately, you can’t deploy the most granular control because it could break things and reduce performance. So it’s important for agencies to supplement whatever security those email applications provide with additional security tools that are focused on cloud-based email.”
When it comes to platform security, Fernandez endorses Gartner’s view that customer responsibility must be taken into account. He points out that within the next few years, nearly all cloud misconfigurations and security breaches will be attributable to the customer’s side of the shared responsibility model rather than to the provider.
Challenges of Maintaining Cloud Compliance
An increase in the number of cloud-based applications and the amount of data stored brings a corresponding increase in attack surface and cyber threats. Taking the shared responsibility model into account, agencies should aim to minimize the vulnerabilities that fall on their side of that model while meeting all compliance requirements.
Though frameworks can serve as a foundation for improving the aspects of security that are within an agency’s responsibility, we often see only the bare minimum being achieved. The reason is that being compliant attests only that the agency has a programmatic approach to its overall security program; it does not attest that a given control actually stops a given attack.
“Compliant doesn’t mean secure,” Fernandez explains. “Agencies still need to evaluate and utilize other tools that provide capabilities that aren’t mentioned in the standard frameworks or the security recommendation guides,” he continues. “Particularly for web applications, agencies should look at cloud-native variants of tools such as web application firewalls that are delivered as a service from the cloud and integrate with cloud APIs, so they can provide more granular protection for a particular cloud app.”
Protection needs to cover every layer and to be container-aware: segmenting and inspecting traffic between containers, not merely separating the cluster from the outside world.
Another significant challenge for agencies arises from moving workloads across multiple clouds. In a constantly evolving IT landscape, it is difficult to keep security configuration consistent across several environments. The most pressing goal for many vendors is to have all of their security offerings available and natively supported on every cloud at the same time.
This is where Fortinet can come into play. Fernandez highlights the Fortinet Fabric Management Center, which gives organizations dynamic mapping of all types of applications while preserving the semantics specific to each cloud. Services like these help ensure that security tools and strategies are deployed consistently across platforms.