Implementing Cloud-Native Security

Four Key Strategies for the U.S. Government

Over the course of U.S. history, antagonists have exploited vulnerabilities to launch attacks against our critical infrastructure. Security approaches that mitigate these risks are vital to securing the nation. As cloud infrastructure grows in importance, securing it has become a central focus across government, and implementing cloud-native security is the core of that effort.

An Example from History

Just over 200 years ago, on January 8, 1815, the British military attempted to capture New Orleans, then considered a back door into the U.S. heartland via the nation-critical infrastructure of the Mississippi River. Fortunately, a motivated and diverse cadre of Americans (including Native and African Americans) decisively routed the invading British force at the doors of New Orleans, in 30 minutes by some calculations.

Fast Forward to Today

In some ways, cloud infrastructure has replaced the “riverways of old” as nation-critical infrastructure. Vulnerabilities in cloud systems and environments expose us to analogous grave threats, given the capabilities of the applications they host and the volume and sensitivity of the data they hold.

Importance of the Cloud Is Only Growing

The continued sprint to the cloud makes this risk area even more serious. Several factors have combined to accelerate cloud migration, including substantial technology advancements, the impact of COVID on workforce deployments, and the ever-present challenges of hiring and retaining IT and IT security teams.

Key Strategies to Secure the Cloud:

As we move an increasing number of systems to the cloud, applications and data are exposed to flaws and vulnerabilities. Building a defensive arsenal against these risks will take several interrelated areas of focus:

1. Shift Security Focus and Responsibility “To the Left”

The shift-left cloud security mindset incorporates security testing and validation earlier in the cloud-native development process. Cloud-native development introduces new development assets, such as infrastructure as code (IaC) files, container image specifications, APIs for microservices and cloud deployment artifacts, to name just a few. With these new assets come new attack vectors. These attack vectors, combined with the speed and scale of the cloud, mean that vulnerabilities and security risks cannot be left for the security team or SOC to address during operational deployment. They must be identified and addressed during the development process, preferably by the developers themselves. By “shifting left” the point at which security issues are identified and mitigated, agencies reduce both the cost of remediation and the risk of exposure or breach of cloud-native applications.

2. Cloud-Native Applications Require Cloud-Native Security Solutions

As mentioned above, cloud-native application development generates assets unique to cloud-native deployments. The process for developing, testing and deploying such applications is also distinct and introduces several security risks that require cloud-aware or cloud-native security solutions. Whether the issue is containerized application vulnerabilities, cloud infrastructure security misconfigurations, cloud-aware malware, overprivileged cloud permissions, or insecure APIs supporting microservice-based architectures, these risks cannot be addressed by legacy security solutions. Only cloud-native security solutions have the cloud awareness, scalability and end-to-end application lifecycle coverage to address these risks from development through deployment.
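The two strategies above (checking cloud-native assets before deployment, and checking for the specific risk classes those assets carry) can be made concrete with a small pre-merge scanner. The following is an added illustration written for this page, not code from the article or from any vendor product. It assumes a Kubernetes-style Deployment manifest and an IAM-style policy document already parsed into Python dicts (the samples below are constructed), and it flags three of the risks named above: privileged or root containers, unpinned image tags, and wildcard (overprivileged) permissions. The `scan` and `gate` names are this example's own.

```python
"""Minimal shift-left IaC scanner: runs in CI before merge and fails the
build on risky container specs and overprivileged IAM statements.
Added example; the rules and sample documents are constructed for
illustration and are not part of the original article."""

from typing import Any

# Constructed sample: a Kubernetes Deployment manifest in parsed (dict) form.
SAMPLE_DEPLOYMENT: dict[str, Any] = {
    "kind": "Deployment",
    "metadata": {"name": "payments-api"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "api", "image": "registry.example/payments:latest",
         "securityContext": {"privileged": True}},
        {"name": "sidecar", "image": "registry.example/envoy:1.29.0",
         "securityContext": {"runAsNonRoot": True}},
    ]}}},
}

# Constructed sample: an IAM policy document in parsed (dict) form.
SAMPLE_IAM_POLICY: dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::payments-bucket/*"},
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
}


def check_containers(manifest: dict[str, Any]) -> list[str]:
    """Flag containers that run privileged, may run as root, or use an unpinned image tag."""
    findings: list[str] = []
    containers = (manifest.get("spec", {}).get("template", {})
                  .get("spec", {}).get("containers", []))
    for c in containers:
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if not sc.get("runAsNonRoot"):
            findings.append(f"{name}: runAsNonRoot not set")
        image = c.get("image", "")
        last = image.rsplit("/", 1)[-1]          # strip registry/repo path
        if "@sha256:" not in image and (":" not in last or last.endswith(":latest")):
            findings.append(f"{name}: image tag is unpinned ({image})")
    return findings


def check_iam_policy(policy: dict[str, Any]) -> list[str]:
    """Flag Allow statements that grant wildcard actions on wildcard resources."""
    findings: list[str] = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = st.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        wild_action = any(a == "*" or a.endswith(":*") for a in actions)
        if wild_action and "*" in resources:
            findings.append(f"statement {i}: wildcard action on wildcard resource")
    return findings


def scan(assets: dict[str, dict[str, Any]]) -> dict[str, list[str]]:
    """Route each asset to the matching rule set and collect findings by asset name."""
    report: dict[str, list[str]] = {}
    for name, doc in assets.items():
        if doc.get("kind") == "Deployment":
            report[name] = check_containers(doc)
        elif "Statement" in doc:
            report[name] = check_iam_policy(doc)
    return report


def gate(report: dict[str, list[str]]) -> bool:
    """True when the change may merge, i.e. no asset produced a finding."""
    return not any(report.values())


if __name__ == "__main__":
    result = scan({"deploy.yaml": SAMPLE_DEPLOYMENT, "policy.json": SAMPLE_IAM_POLICY})
    for asset, issues in result.items():
        for issue in issues:
            print(f"{asset}: {issue}")
    raise SystemExit(0 if gate(result) else 1)   # non-zero exit blocks the merge
```

Wired into a pull-request pipeline, the non-zero exit code is what moves the finding to the developer's desk instead of the SOC's queue; the rule functions are where an agency's own policy (allowed registries, required digests, permitted action prefixes) would replace these constructed checks.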

3. Right-Size Security Investments to Address the Elevated IT Complexity

A recent McKinsey study found that, “the budgets of many if not most chief information security officers (CISOs) are underfunded.” This can mean challenging decisions on where to invest. It could mean scaling new projects to account for the bandwidth and training of cyber teams. It can also mean new and creative approaches to obtaining additional dollars for cyber investments, including technology modernization funds or grants. Gartner’s recent report on Cloud-Native Application Protection Platforms (CNAPP) is a good resource for beginning to identify the investments needed.

4. Apply the Proven Zero Trust Vision to Your Cloud Security Strategy

Zero Trust is a strategic approach to cybersecurity that secures an organization by eliminating implicit trust and continuously validating every stage of a digital interaction. This approach covers on-premises, cloud and multi-cloud public environments alike.

Zero Trust is just as relevant to the cloud world as it is to your traditional environments. In a multi-cloud world, compliance and visibility are the linchpins of maintaining a Zero Trust approach. We have found that inconsistencies in configurations across different cloud platforms can lead to substantially elevated risk.

Securing Our Nation from Today’s Threats

At first glance, the Battle of New Orleans and the fight to secure our cloud-native government infrastructure appear totally unrelated. In reality, both carry nation-critical consequences. Had the British won the Battle of New Orleans, the implications for our nation could have been far-reaching, potentially undermining our independence and radically changing the day-to-day lives of all Americans. Similarly, if today’s cyber adversaries succeed in penetrating the government’s cloud application development, the consequences for agencies, nation-critical data and vital IT systems could be serious, with a grave impact on our day-to-day lives.