As citizens demand digital access and more software is delivered as a service, government organizations need new technologies to offer these services. But adopting them makes security and regulatory compliance more difficult. In addition, securing devices and infrastructure that are outside of your environment is a key challenge.
This means IT teams must manage and secure a continuously evolving landscape. New vulnerabilities emerge regularly, from external attacks and internal issues caused by human error or malice. However, organizations can often view security teams as blockers to rapid productivity, rather than supporters. How can this be flipped to enable innovation?
To discuss how government can do this better, GovLoop spoke with Shawn Wells, Chief Security Strategist, U.S. Public Sector, Red Hat, in his session, New Era of Digital Security, part of GovLoop and Red Hat’s Gov Security in the Digital World Virtual Summit.
The fact is that when new technologies are adopted, the security team has to get involved, Wells said. “The way we develop, deploy and manage IT is changing dramatically,” he pointed out. There's everything from a menacing threat landscape, to cloud computing, to devices outside of IT control. Meanwhile, the costs of any security breaches are rising rapidly and costing the government both money and the trust of citizens.
Additionally, Wells said, funding for cloud infrastructure is taking a clear priority in 2017, with security and management still mandatory investments to keep it all under control.
So today the fact is that traditional network-based defenses are no longer enough in this new era of digital services. The question is, how do you use new tools and techniques to allow people to innovate quickly without creating new security risks or causing delays?
“Security must evolve today,” Wells said. “Security must be continuous and integrated throughout the IT lifecycle.”
Security policies and procedures in today’s environment must do all of the following, Wells said:
- Identify security requirements & governance models
- Built-in from the start; not bolted-on
- Deploy to trusted platforms with enhanced security capabilities
- Automate systems for security & compliance
- Revise, update, remediate as the landscape changes
Open source approaches offer ways to do this in today’s landscape, Wells said. “Open source projects drive the technology that enables today’s innovations,” he said. “But not all open source projects are created equally. So how can you evaluate where and when to use open source to address these issues?”
The idea is that the culture of open source is at the heart of its power, he said. “We hear about culture in every strategy and conversation,” Wells said. “That means collaboration and transparency. Shared problems can be solved much faster than those worked on alone in government. But these frameworks and approaches need to be standardized.”
In short, you need agility with proper security. The problem is that applications require complicated installation and integration every time they are deployed, and this can cause issues between the developers and the IT operations team. The DevOps approach handles some of these problems, but doesn’t take care of everything.
The solution, Wells said, is adopting a container strategy that will allow applications to be easily shared and deployed.
What are containers? It depends on who you ask, Wells said. “Containers are both an infrastructure and packaging format. They provide a consistent environment and tools for both developers and IT ops to package, deliver and manage the applications regardless of what the apps look like in development or the framework you’re using. They provide a common set of building blocks for everybody.”
And, according to Wells, containers are critical to this new era of digital security. “They can provide a revolutionary change in how developers and line of business work with IT operations while not compromising security and compliance.”
Wells explained how Kubernetes, an open-source system for automating deployment, scaling, and management of containerized applications, can help government. In short, it can eliminate many of the manual processes involved in deploying and scaling containerized applications. In other words, you can cluster together groups of hosts running Linux containers, and Kubernetes helps you easily and efficiently manage those clusters. A container application platform based on Red Hat’s Docker and Kubernetes will allow for building, distributing and running containers at scale.
Red Hat is able to help adapt these approaches, Wells said. They offer a tested, supported portfolio of stable open source infrastructure and application development solutions for enterprise adoption of emerging technology that allows government to take advantage of security built into each phase of the application life cycle.
In short, in this new era of digital security in government, new approaches must be taken. Containers and DevOps practices give developers the freedom to work on applications while operations focuses on the infrastructure, and everything is kept safe and secure.
This blog post is a recap of a session from GovLoop’s recent Gov Security in the Digital World Virtual Summit.