As federal agencies accelerate their effort to move data, applications and services to the cloud, they often run into an obstacle: Their existing cyber policies and processes were developed with a physical IT infrastructure in mind, not the virtual infrastructure that is the basis of so many modern solutions.
TIC 3.0, FedRAMP and other evolving policies are geared toward helping agencies make this move to the cloud. But “in order for these new policies to pave the way for data center modernization, you have to make sure that the old policies and legacy data centers can align and be flexible when it comes to adopting these new technologies,” said Ethan Palmer, Senior Pre-Sales Solutions Engineer, VMware GEH Team at Carahsoft.
In an interview with GovLoop, Palmer highlighted four policies that agencies should consider.
Zero Trust Architecture
Conceptually speaking, zero trust involves shifting from a blacklist mindset, which depends on identifying and blocking malicious or suspicious activity, to a whitelist mindset, in which users or systems must be explicitly approved before accessing a network resource.
Practically speaking, it requires a defense-in-depth approach in which firewalls are not just at the perimeter, but throughout the enterprise. Better yet, agencies can deploy security controls in the virtual layer, which makes it possible to monitor network activity and enforce security policies at the application layer, Palmer said.
A “demilitarized zone,” or DMZ, is a place on a network where an organization can provide access to a limited set of resources or services without exposing its internal systems. In a traditional network, the DMZ has its own hardware stack, with physical firewall devices protecting the network perimeter.
In today’s virtualized enterprises, however, agencies can set up DMZs anywhere within the enterprise by using logical firewalls at the software level – which eliminates the need for a dedicated hardware stack, reduces the number of physical firewalls that an agency must buy and provides much more granular security control, Palmer said.
Secure Remote Offices
While data center consolidation is a priority, agencies know they will always have remote offices that need local compute power. In a traditional IT environment, that requires a local hardware stack and complex network infrastructure, with all traffic backhauled to the data center so it can pass through the security controls there.
A software-defined wide area network (SD-WAN) simplifies this environment by enabling agencies to extend security controls to the edge and to optimize network traffic between a remote office and the primary data center. This approach provides those offices with optimal connectivity to resources both in the central data center and in the cloud.
Secure End Users
Increasingly, agencies recognize they need to think about security at the level of individual end-users wherever they are working – and they need the ability to enforce those policies automatically.
A secure end-user model requires a combination of technologies and policies. First, device management ensures that the end user’s device complies with security policies around authentication, encryption and other security measures. Second, the practice of least privilege management applies identity and access management controls to ensure that end users can access only those resources that they need to do their jobs.
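The two ideas in this section and in the zero trust section above, an explicit allowlist that denies by default and a device-compliance gate combined with least-privilege grants, can be shown together in a small policy evaluator. This is an added illustration, not code from the article, from Carahsoft or from VMware; the users, resources and compliance attributes are constructed sample values, and the rule order (device posture first, then an explicit per-user, per-resource, per-action grant) is an assumption about how such a policy might be expressed.

```python
from dataclasses import dataclass

# Constructed device posture record. In practice these fields would come from
# a device-management agent; here they are supplied inline for illustration.
@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool          # enrolled in device management
    disk_encrypted: bool   # encryption policy satisfied
    mfa_used: bool         # session authenticated with MFA

@dataclass(frozen=True)
class AccessRequest:
    user: str
    device: Device
    resource: str
    action: str

# Explicit allowlist (assumed format): (user, resource) -> permitted actions.
# Anything absent from this table is denied; there is no blocklist to maintain.
ALLOWLIST = {
    ("alice", "hr-payroll-db"): {"read"},
    ("bob", "hr-payroll-db"): {"read", "write"},
    ("alice", "public-wiki"): {"read"},
}

def device_compliant(device: Device) -> bool:
    """Device management gate: every posture requirement must hold."""
    return device.managed and device.disk_encrypted and device.mfa_used

def evaluate(req: AccessRequest) -> tuple[bool, str]:
    """Return (allowed, reason). Default is deny; only an explicit grant allows."""
    if not device_compliant(req.device):
        return False, "denied: device not compliant with security policy"
    granted = ALLOWLIST.get((req.user, req.resource))
    if granted is None:
        return False, "denied: no explicit grant for this user and resource"
    if req.action not in granted:
        return False, f"denied: action '{req.action}' not granted (least privilege)"
    return True, "allowed: explicit grant and compliant device"

def audit(requests: list[AccessRequest]) -> list[str]:
    """Produce one log line per decision; denials are what a SOC would alert on."""
    lines = []
    for r in requests:
        ok, reason = evaluate(r)
        lines.append(f"user={r.user} device={r.device.device_id} "
                     f"resource={r.resource} action={r.action} -> {reason}")
    return lines

if __name__ == "__main__":
    good = Device("lt-001", managed=True, disk_encrypted=True, mfa_used=True)
    bad = Device("byod-9", managed=False, disk_encrypted=True, mfa_used=True)
    sample = [
        AccessRequest("alice", good, "hr-payroll-db", "read"),    # allowed
        AccessRequest("alice", good, "hr-payroll-db", "write"),   # denied: action
        AccessRequest("carol", good, "hr-payroll-db", "read"),    # denied: no grant
        AccessRequest("bob", bad, "hr-payroll-db", "write"),      # denied: device
    ]
    for line in audit(sample):
        print(line)
```

Note that the evaluator never looks for "bad" behaviour; a request either matches an explicit grant on a compliant device or it is denied, which is the allowlist posture the article describes. Emitting a log line for every denial gives the operations team the signal they need to spot misconfigured grants and non-compliant devices.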
Carahsoft and VMware provide solutions that enable agencies to build a modern cloud-based infrastructure that enforces security policies throughout the enterprise. By adopting VMware’s NSX, agencies can achieve zero-trust and DMZ anywhere. Also, they can extend their network and security to the edge with VMware SD-WAN by VeloCloud. Finally, they can secure endpoint devices and manage users with VMware WorkspaceONE and VMware Carbon Black’s next-generation anti-virus solution.