Data breaches are on the rise, too often as the result of a misconfigured system within a cloud infrastructure, as was the case in the recent theft of the personal details of more than 106 million credit card applicants from cloud storage. This latest incident highlights the need to extend the defense-in-depth approaches used on premises into the cloud.
Therefore, it is critical that government IT decision makers have venues where they can learn about the latest best practices and tools fellow government IT and information security executives are applying to secure their migration to the cloud.
On August 6, Symantec hosted the “Navigating the Government Cloud Security Voyage Lunch” event focused on how to effectively secure cloud migration.
We had a great lineup of government agency technical experts who talked about their migration to the cloud and shared best practices. We wrapped up the event with Symantec’s John Emerson, director of cloud product sales, who spoke about our cloud security portfolio and touched upon some unique capabilities that Symantec offers and why they are important.
Daniel Jacobs, Senior Security Architect, Centers of Excellence, within the Technology Transfer Services of the U.S. General Services Administration (GSA), gave the opening keynote. The key takeaway: The greatest challenge for agencies in their cloud journey is “to change the narrative away from incentivizing product-heavy, siloed security models. Some of those may look great on dashboards,” he said.
“But we need to move the incentive toward outcome-based, cooperative systems that are directly aimed at the relative credible threats that you are experiencing today. In your cloud journey, it is critically important that you work with partners and consider all your objectives,” Jacobs said.
“Agencies which operate their security in a vacuum should expect to suffocate,” because there are too many resources available to help agencies branch out and expand – from bug bounties to threat intelligence programs and services.
Cloud and Security Opportunities
A consistent theme running among the government executives who participated in the panel discussion was that the migration to the cloud offers the opportunity to consolidate and modernize their approach to security. To sum up, each panelist was asked to give attendees one piece of advice about mitigating cyber risk and taking advantage of the cloud.
“Use an agile approach and take small pieces at a time, and do your lessons learned,” said Denise Hill, Acting Deputy Chief Information Officer for Enterprise Policy, Portfolio Management and Governance with the Department of Energy. Additionally, agencies should adopt governance models “because that is where you get a lot of the collaboration” within agencies.
“When you are designing, design for your marginal communities,” Andrew Marquardt, Chief Enterprise Architect with the U.S. Bureau of Reclamation, advised. “If you do that average design, you are going to fail all the time. Because there is no such thing as an average user,” as is the case at the Bureau, which has workers in low-bandwidth locations who are in many cases offline.
Agency managers should make sure they are achieving the goals they want as their agencies move to the cloud, according to John Evans, Chief Information Security Officer for the State of Maryland. “A lot of agencies in the state wanted to do a simple lift and shift into the cloud. We determined that wasn’t a great way to do things for most of our use cases in the state,” Evans said. The state would have missed out on the opportunities to look at business process reengineering, leverage the cloud service providers’ native offerings, and employ containerization and micro-segmentation. Plus, the agencies would continue to accrue more technical debt as they maintained legacy systems. Consequently, “it is worth doing a rebuild of applications versus lift and shift.”
“Take more risk, but ensure those risks are calculated,” said Jeff Harris, Chief of Cyber Security Operations with the U.S. Small Business Administration (SBA). “SBA is a risk-tolerant organization and is like being at Google, which is agile focused. This allows the agency to take advantage of ideas and creativity of its people,” he noted.
From a Symantec perspective, the areas that agencies need to secure are email, network, endpoints and cloud apps. Agencies are leveraging security services across determination points such as user behavior, threat protection and data protection, Emerson said.
“The ideal architecture is where you are leveraging those core services across the agency for the aspect of your organization you are trying to secure,” Emerson said. If done right, it is built once and put in place for the whole organization rather than having multiple systems for virus protection, anti-malware or data protection.
Emerson described how agencies can extend their data protection services into the cloud with solutions such as Symantec Data Loss Prevention and gain visibility into the cloud with Cloud Security Access Broker.
Symantec’s Smart Government: Cyber Redefined Lunch Series gathers government experts and leading cyber practitioners to discuss the issues most pertinent to government IT decision makers and help them learn how access governance, information protection and advanced threat protection can mitigate the risks inherent in government cloud adoption.
As part of this program, Symantec is regularly publishing thought leadership content and recaps of the events on a separate microsite, dedicated to federal, state and local cyber professionals.