By John Chirhart, Federal Technical Director at Tenable, Inc.
As federal agencies move to adopt a cloud-first strategy and reduce their reliance on government-owned data centers, IT managers should be rethinking the way they deal with cybersecurity.
The cloud offers a multitude of benefits including more agile and efficient networks, but when you modernize away from traditional data centers, you move into a whole new world of cyber exposure where the threat landscape changes drastically. Because of this, it is important for agencies to deeply understand the different layers that make up the cloud as well as the attack vectors specific to their respective workloads. For example, cloud environments may consist of Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). These new offerings are often protected and managed by the Cloud Service Providers (CSPs) but still require independent verification and inclusion in the organization’s System Security Plan (SSP). Failure to do so may leave gaps in coverage, because the agency assumes security is being handled when it’s not.
Achieving this level of understanding and interaction doesn’t happen overnight. Beyond the incredible amount of training involved, it’s not an easy lift transferring some of the world’s most sensitive data to the cloud after decades of data center storage.
Currently, the federal government spends about 70 percent of its budget managing legacy IT systems – some of which are so old that eBay is the only place to find hardware that works with the network architecture. That means you can’t just move everything at once. Federal agencies can’t simply go offline over the weekend and move systems over.
And even if they could, it would be irresponsible to do so. While modernization in the federal space is crucial, if we don’t modernize correctly, we’ll be promoting bad practices that could last for decades. Though the security problem will not be solved in my lifetime, what we do today will set the tone in security for the next 20 to 30 years.
That’s why the federal government should be leveraging public-private partnerships now, more than ever. Federal IT teams don’t always have the time, money or technical expertise to sustain and operate complex cybersecurity monitoring on state-of-the-art cloud networks. And that’s understandable considering the tightened agency budgets. It’s tough for the agencies to attract top talent when private sector companies promise a lot more for innovation.
You need both the experience and the talent to navigate the modern attack surface, and private sector companies like Tenable have already put the time in to develop the freshest cybersecurity solutions. Cybersecurity is Tenable’s core competency. By focusing on coverage of all types of assets (e.g., containers, SCADA/ICS, web apps), Tenable is able to provide a single authoritative source for all consumers of security data.
In fact, cybersecurity companies are becoming so cutting-edge and forward-thinking that they are pulling talent from some of the biggest consumer tech companies in the world. Tenable, in April, brought on Christos Kalantzis as its vice president of cloud engineering. Previously, Christos had been the man who, for nearly five years, handled the development and operations of Netflix’s streaming service.
Leaders like that help create a workplace driven by innovation. That makes it possible for Tenable engineers to come up with the most creative solutions, like Tenable.io – a cloud-based cyber exposure platform that eliminates blind spots in the cloud and on mobile devices, containers and web applications.
Often, government leads the way in innovation. Many government-funded projects lead to commercial success (e.g., the Internet). In cybersecurity, the private sector is leading the way by constantly building institutional cybersecurity knowledge and discovering leading-edge ways to handle security in a virtualized world through broad experience securing global commercial businesses.
Today the federal government has a lot to be excited about as agencies continue their migration to the cloud. But all of the gains associated with a move away from data centers won’t amount to much if the networks aren’t secure. The time has come for better collaboration between private and public cybersecurity teams to help government solve these complex problems and to reduce the government’s cyber exposure.