The recent push to be Cloud Smart means agencies are rethinking how to be security-smart as well. Agencies need to be able to react to evolving threat landscapes agilely, collaboratively and in real time. And they can leverage cloud technology to help.
Two aspects of achieving compliance, optimization and security with the cloud were highlighted at GovLoop’s virtual summit on Wednesday: shared responsibility and transparency between the cloud service provider and user.
When the Small Business Administration (SBA), an agency that provides support for entrepreneurs and small business owners, transformed from being on-premise to multi-cloud, it needed to make proactive decisions and adjustments to secure its systems and applications, sharing the responsibility of security with its cloud service providers.
This meant adjusting its tools to fit the new cloud environment. The agency first tried to use its on-premise host scanner on the cloud to search for vulnerabilities. The effort took a long time and, because the cloud environment has shared tenancy, ended up scanning irrelevant information that wasn’t SBA’s data.
“Our old way of doing things — we couldn’t just kind of lift and shift and apply from a security standpoint,” said Ryan Hillard, IT Specialist and Systems Developer at SBA.
To make the adjustment, the agency used a system native to one of the cloud service providers it was already using to scan only the relevant hosts. The adjustment led to a cheaper and more effective security environment in the cloud.
Hand in hand with assuming shared responsibility is transparency, which allows the cloud service provider and user to monitor what is happening in the user’s networks. Continuous monitoring is critical, especially when implementing new tools, to ensure the cloud service is maintaining the security posture it needs to uphold, said Matt Jordan, Vice President of JHC Technology.
Under the Federal Risk and Authorization Management Program (FedRAMP), transparency reports are available for agencies to monitor cloud services and buy the right packages from the right provider.
When a cloud service provider goes through the authorization process, FedRAMP provides a System Security Plan (SSP) for agencies to see exactly how a provider implements security controls or whether any residual risks remain. On top of that, FedRAMP releases monthly monitoring reports for agencies to continuously monitor their cloud services.
Agencies can download the one-page monthly report and evaluate a cloud service’s performance regularly, said Brian Conrad, FedRAMP Program Manager for Cybersecurity at the General Services Administration.
“[The agency] can say, ‘OK, this particular cloud provider’s slipping a little bit. What’s the issue?’ Or, ‘They had a spike in vulnerabilities last month. What happened?’” Conrad noted.
“It’s a treasure trove, quite frankly, of information,” Jordan said.
But the important thing for agencies to remember is the shared responsibility component, Jordan said. Agencies need to ensure internally, in the cloud, that their systems and applications are meeting the necessary compliance and security measures, which is the agency’s responsibility.
“FedRAMP does a fantastic job getting you the information and package that you need,” Jordan said, “but that’s not the end of the story.”