Shifting from on-premise IT infrastructure to hybrid cloud solutions comes with new security risks but also new security and data management benefits, according to the Cybersecurity and Infrastructure Security Agency (CISA).
Grant Dasher, Identity and Cloud Engineer with the Office of the Technical Director for Cybersecurity at CISA, said the agency leverages multiple cloud capabilities for data analytics.
“We also work closely with the private sector organizations on cyber information-sharing so we have systems that leverage the benefits of cloud and also the benefits of premise technologies in a hybrid fashion to combine all those data sets and try to make them helpful for our mission,” Dasher said during the FedInsider Hybrid Cloud: Adopt for the Flexibility, Stay for the Security Webinar on Tuesday.
Dasher believes agencies can reap many security benefits through hybrid cloud applications.
“Concretely, the cloud services — that managed service characteristic of it, and the ability of the provider to scalably patch their infrastructure, in many cases, up to the compute and storage layers that you depend on without you having to take any action — that is a huge cybersecurity benefit,” Dasher said during the webinar. “Just to reduce the complexity around patching and vulnerability management — now obviously it’s not reduced to zero, agencies still have to do those activities in some cases — but the burden sharing is quite different.”
Data management and network security look different in on-premise infrastructure versus the cloud.
“The cloud is a programmable surface area. The infrastructure is programmable and creates new security risks, but also opportunities for increasing things like immutable workloads,” Dasher said. “It’s such a radical shift that it requires fundamentally different approaches, and in other cases just adjustments. But in general, if cloud is done well, it can be a strength from a security point of view.”
Common threats such as phishing attacks can harm hybrid cloud environments, but Dasher wants to call attention to the way organizations connect user identities between on-prem environments and the cloud.
“It’s important to have a team in an organization that feels they own the cloud platform in terms of providing capabilities out to the business, and to answer strategic questions like how much authority needs to be delegated into the business teams versus retained centrally,” Dasher said.
Dasher also feels it’s important from a security point of view to make sure those governance structures are in place both organizationally and in technology.
“I think focusing on that structural set of governance topics and the base foundational capabilities of your hybrid cloud environment, and making sure that you have a way for the business team to fit into that framework with the right level of authority given to the business that works for your organization,” Dasher said. “That’s a critical maturity level that people need to work towards.”
Dasher added, “Keeping those principles in the back of your mind as you’re working through your cloud journey, I think that’s critical to ending up in a secure state where you can leverage the security benefits of the cloud, especially hybrid environments.”