Is your agency ready to function in a secure hybrid cloud?
- By Walter Maikish, Doug Cowan
- Mar 11, 2019
According to many federal CIOs, 2019 looks to be the year of hybrid cloud. As they move from a "cloud first" to a "cloud smart" mindset, agencies are looking at how the technology can effectively improve their network and architecture, even while using on-premise solutions. They realize that tracking how data flows throughout the network can help them build a more effective hybrid cloud environment.
Most agencies already have a Continuous Diagnostics and Mitigation dashboard in place, which allows them to start exploring data flow traffic within and outside the network and create actionable data that will improve security processes and functions. But will those CDM insights enable secure service in a hybrid cloud environment?
The Department of Homeland Security's CDM guidelines offer steps toward gluing an agency’s hybrid environment together and delivering the “capabilities and tools to identify cybersecurity risks on an ongoing basis, prioritize these risks based on potential impacts, and enable cybersecurity personnel to mitigate the most significant problems first.”
The CDM adoption guidelines highlight what agency IT teams should keep in mind when setting up a hybrid cloud environment to ensure data can move in a secure manner:
Know what is on the network. The first guideline for CDM adoption and a critical step in setting up a hybrid cloud environment is determining what can and should go to the cloud. It’s important to remember that “cloud smart” does not mean everything must migrate. Agencies should identify their key, high-value assets, those most critical to protect to sustain operations. A security strategy for agency data won’t succeed if priority assets can’t be identified.
Know who is on the network. The second guideline calls for visibility into the users on the agency’s network. Users access different types of data and tap into it in various ways. Agencies must know who is on the network, how they are functioning and what types of security protocols should be put into place to keep data secure no matter how it’s being used. Once an agency knows what type of users are on the network and how they are accessing data, it can better determine where data should live (cloud or on premise) and how it should be protected.
Know what is happening on the network. Full visibility into the network means knowing how workloads are moving across locations. How is data moving from the cloud to on premise and how must agencies set up their application architecture in order to support that?
Applications are the lifeblood of any organization, and visibility into how those applications should run is key. If an agency can build applications easily and get them running quickly then it can better support the agency’s workforce and processes. But if they get bogged down worrying about where those applications run, agencies can miss opportunities to further their mission. To develop and deploy applications anywhere they want, across public and private clouds, without constraints, agencies' networks must be robust enough that performance isn’t affected no matter where applications reside (in the cloud or on premise).
Know how data is protected. Once an agency has visibility into what users and applications reside on its network and what is happening across applications, it can then properly identify how to protect the network both in the cloud and on premise, ensuring data is protected as it moves and where it resides.
Using the CDM dashboard, agencies can continuously identify cybersecurity risks, prioritize each risk based upon its potential impact and give cybersecurity personnel the right tools to mitigate threats. A few solutions agency security teams should keep in mind include:
- Stateless profiles for data: Data comes with a network profile that describes how it should be treated. If the profile is “stateless,” then it doesn’t matter where the data is; on or outside the network, it will always be treated the same way. If the right cybersecurity posture is part of that stateless profile, then the data will be secure even when it resides outside the network.
- Application automation: The most efficient way agencies build applications is with automation. Automation also creates a consistent security posture across the network and throughout an agency’s environment.
Security is the most important priority as agencies increasingly deal with data that moves in and out of cloud spaces. Knowing what’s on the network, how it’s being used and by whom is essential before security protocols for a hybrid cloud environment can be correctly set up. Following the above guidelines will help create the security posture a hybrid cloud environment needs to function.
Walter Maikish is director of federal civilian at Cisco.
Doug Cowan is federal security manager at Cisco.