The government’s cloud initiatives provide a secure infrastructure for agencies to transition their applications and services to the cloud. But is your security architecture up to the task?
Digital Transformation, and the associated shift to the cloud, requires government agencies to extend and evolve their security architecture. This addresses the unique challenges of distributed architectures and increased integration with commercial cloud services.
In partnership with CDM Media, Fidelis Cybersecurity’s CISO Chris Kubic (also former CISO of the National Security Agency) participated in the CDM Solution Spotlight podcast to discuss security strategies to accelerate the government’s digital transformation activities.
Highlighted in this podcast:
- What digital transformation is and how it would benefit the government
- The impact digital transformation has had on security architecture
- Emerging security technologies critical to digital transformation
- How agencies should stay prepared for the future
JD Miller, CDM Media: Welcome to this week’s episode of CDM Media’s Solution Spotlight. I’m happy to be joined today by Chris Kubic, the CISO from Fidelis Cybersecurity. Chris has been with Fidelis just shy of a year but spent 32 years at the National Security Agency and was the NSA’s CISO for many of those years. If you’re familiar with Fidelis, they have a great tagline: Detect, Hunt, Respond. Today, we’re going to get on the topic of paving the way to digital transformation. Now, the government’s cloud initiatives provide a secure infrastructure for agencies to transition their applications and services to the cloud. But is your security architecture up to the task?
Digital Transformation, and the associated shift to the cloud, requires agencies to extend and evolve their security architecture. This addresses the unique challenges of distributed architectures and increased integration with commercial cloud services.
Thank you for joining us on Solutions Spotlight.
Chris Kubic, Fidelis Cybersecurity: Well, I’m happy to join you today.
JDM: What is Digital Transformation and how would it benefit the Government?
CK: Having come from the Government, I know it can be a challenge for the Government to adopt cutting edge technology and embrace digital transformation – and this is for lots of reasons including the need to protect sensitive information and the challenges of working through the security authorization process. But, over the past several years, many steps have been taken to lower the bar for Government adoption of cloud computing technology, which is where digital transformation comes in. Digital transformation is the process of modernizing existing legacy systems through the adoption of newer, faster digital technologies to provide better solutions and experiences for our customers.
Digital transformation is especially critical in our current times as the cloud becomes a crucial dynamic with much of the country working remotely. New digital capabilities and technologies provide improved efficiencies, streamlined services, improved accessibility to Government services, and allow for the Government to more easily adopt cutting edge commercial capabilities. It’s worth noting that IT modernization is never done as it is a constantly evolving journey in which agencies must always be looking ahead in order to continuously deploy new digital capabilities.
JDM: You mentioned that the Government has taken many steps over the last couple years to aid in digital transformation. Can you speak to what some of these Government initiatives are?
CK: Cloud computing is a critical enabler of digital transformation and the Government has done a lot of great work in this arena over the past few years (the past decade really) to make secure cloud computing services available to Federal, State, and Local Government agencies and their partners. The key here is to pool resources and expertise from across the Government to make secure cloud computing services that meet the Government’s stringent security and compliance requirements available to government agencies and eliminate the work needed by each agency to independently develop and accredit these systems.
JDM: Do you mind elaborating more on specific initiatives the Government has taken action on?
CK: As far as specific initiatives, I’ll start with FedRAMP, which has been foundational to Government adoption of commercial cloud services. FedRAMP provides a standardized approach to assessing, authorizing, and monitoring commercial cloud services for use by government entities. Just to give some background – government agencies have been talking about the cloud for more than a decade. However, security was a key sticking point for many agencies who were hesitant to move their systems into the cloud, with uncertainty around whether the cloud was secure. FedRAMP was created to assuage those concerns and has resulted in the major cloud computing vendors obtaining a FedRAMP certification in order to be able to sell their products and services to Government agencies. This includes Amazon with their AWS GovCloud services and Microsoft with their Azure Government services as well as hundreds of Software-as-a-Service providers. FedRAMP leverages the NIST security controls and the NIST security authorization process and allows commercial cloud vendors to make their products available at Low, Moderate, or High impact levels to match up with the differing security needs of their Government customers.
Another major initiative has been the DoD Joint Enterprise Defense Infrastructure (or JEDI procurement) – JEDI is similar to FedRAMP and is geared toward making secure cloud computing services available to DoD services and agencies. JEDI leverages some great work done by DISA in the development of secure cloud computing specifications for the DoD – namely the Cloud Computing Security Requirements Guide (or SRG). The SRG uses a FedRAMP Moderate certification as a baseline and defines four Impact Levels to support the range of DoD mission needs from publicly released unclassified information up to protection of Secret information within a commercial cloud environment. To meet DoD’s requirements, commercial cloud service providers must be FedRAMP certified and then receive an additional DoD certification at one of the DoD Impact Levels.
Finally, the Intelligence Community Commercial Cloud Services (or C2S) initiative has made secure cloud computing services available in the classified arena, opening up commercial cloud services for the National Intelligence community.
JDM: What is the value of FedRAMP and these other Government initiatives to CISOs and their agencies?
CK: Government agencies have seen real value in using standards to improve cloud security and using the same requirements to evaluate their cloud service providers, also known as CSPs. FedRAMP allows Government agencies to leverage the FedRAMP certifications as a basis for a new application or service they are developing and then authorize only the portions of their service that were not already covered by the FedRAMP certification. The ability to inherit the FedRAMP security controls and authorization and then build upon that certification significantly lowers the bar for Government adoption of cutting edge technologies and allows the Government to better keep pace with evolving technology. This results in time and cost savings for development of new Government applications and services and the ability to ensure that the vendors they have chosen meet rigorous security requirements enabling agencies to quickly move forward with their digital transformation and modernization efforts. We certainly see the value in this at Fidelis Cybersecurity and I am happy to say that we are on the path to having a FedRAMP certified solution available for our Government customers in the first half of 2021. This will allow our existing Government customers to seamlessly shift their workflows to the cloud while continuing to use the Fidelis Cybersecurity tools and applications they currently have deployed within their on-premise networks.
JDM: What impact does digital transformation have on security architectures?
CK: Digital Transformation generally involves automating and digitizing workflows, moving them to the cloud, and leveraging existing cloud software services where possible. As a result, data and services become distributed across multiple systems both on-premise and within the cloud – and these cloud services could be ones that you operate and manage or may be operated and managed by a third party (for instance collaboration services, Customer Relationship Management Software, accounting or payroll services software managed by a third party). The key here is deployment of a set of tightly integrated services – some of which you operate, manage, and maintain, and some that are operated, managed, and maintained by a third-party. In many cases, this causes the enterprise boundary to become a bit fuzzy – making it difficult to define a clear boundary between the Enterprise and the Internet where traditional network security solutions can be deployed. Digital transformation also leads to systems being accessed by a wider range of users and devices. For example, employees accessing from corporately managed devices, employees accessing from personally owned devices (BYOD), or customers accessing from their corporate accounts or their personally-owned mobile devices and home computers. Work at Home has accelerated digital transformation and forced companies and Government agencies to adapt to this new normal much sooner than they were prepared to do so. In a nutshell, Digital Transformation makes it really challenging to determine which users and systems should have access to your applications and data – and this is where the newer technologies and security architectures are coming into play.
JDM: What are some of the emerging security technologies that are critical to digital transformation?
CK: I’ll start with something Gartner calls eXtended Detection and Response (or XDR) solutions – This is probably the most straightforward to implement because it is an evolution of traditional security solutions and the key here is to adopt solutions that can operate seamlessly across on-premise and within the cloud to provide an integrated view of security for your transformed enterprise. Point solutions and solutions geared to only on-premise or the cloud are certainly not cutting it in this space. XDR provides expanded visibility, detection, and response capabilities across an organization’s network, endpoints, email, web, and cloud infrastructure giving you full visibility across your transformed applications and workflows. XDR is an important shift in the market space, because it draws attention to the necessity of this expanded visibility for the analyst or threat hunter to more quickly detect and respond to advanced threats without using multiple technology sets that do not integrate well with each other. XDR is an area that Fidelis Cybersecurity has invested heavily in over the past decade and is a recognized industry leader – providing an integrated approach to security across our Network Detection and Response, Data Leak Protection (or DLP), Endpoint Detection and Response, and Deception solutions – whether your workflows live on premise or in the cloud.
JDM: That’s a lot of great information on XDR. Do you mind sharing some other emerging security technologies that are critical to digital transformation?
CK: Sure thing – there are lots of technologies out there but Zero-Trust Architectures in particular have been gaining lots of traction recently – Zero trust is an evolving security paradigm that shifts focus from defending a static network boundary to protecting and defending individual transactions between users and resources – essentially making access to data, systems, and services dependent on the sensitivity of the resources being accessed, the “need to know” of the user, and the ability of the user’s end device to protect the data. While Zero Trust can be complex to implement, it aligns well with digital transformation and the resulting workflows that tend to be distributed across multiple infrastructures. As far as Government adoption, I’d say the Intelligence Community is already pretty far down the path in implementing Zero Trust through the PKI and attribute based access controls that have been in place for quite a while to protect sharing of sensitive data within the Government and with external partners. I’m also happy to see NIST, DISA, and NSA working on a broader Zero Trust architecture for the Government as I see this as a way to accelerate Government adoption of cloud technology and accelerate Digital Transformation initiatives.
I also see an emerging technology called Secure Access Service Edge (or SASE) as a critical driver for digital transformation – although the technology is still evolving and not yet very widely adopted. SASE builds upon the transactional nature of Zero Trust by inserting the right security services into the communications path no matter where the data and services a user is accessing actually reside – on-premise, in a Government or Commercially managed software service, on the Internet, or at a third party site. The key here is to migrate traditional security services to the cloud as a set of Software Services and then use software defined networking to intelligently route the user’s transaction through the appropriate set of security services that are hosted in the cloud.
JDM: You mentioned earlier that IT modernization is never done. Given what seems to be the unrelenting, continued evolution of threats, what do you think agencies need to be prepared for as we continue to look forward?
CK: I think the key here is adoption of integrated approaches to security that provide visibility across the entire transformed terrain as well as the ability to analyze threats and respond wherever your digital workflows reside.
Given the added complexity of transformed workflows, I also think improved automation is critical. Network defenders are already overwhelmed and the added complexity of a distributed architecture will further tax the defenders. Being able to dial up a playbook and kick off a response action across all elements of a distributed workflow makes digital transformation a more manageable problem set.
Finally, I view Machine learning and AI as critical to moving defense of a digitally transformed enterprise from responding to attacks to predicting attacks. I believe that early detection and response is the most effective strategy for defending against malicious actors. This is even more important today because cyber attacks continue to innovate and evolve their capabilities – increasingly with the help of adversarial machine learning. Responses should be automated, when possible, to improve the efficiency and speed with which security teams are able to identify potential cyber incidents, investigate and validate the anomalous activity, and then ultimately respond to a cyber incident. This will reduce dwell time of a cyberattack, which continues to be measured in terms of months and days, instead of hours or minutes.