When the coronavirus forced remote work upon the federal workforce, it upended the traditional defense architecture—an old-school castle-and-moat approach with limited device security—that agencies had spent decades investing in. In a final grasp towards a strong perimeter defense, many agencies implemented the short-term solution of adding more virtual private networks (VPNs), which served to increase latency and cut agency bandwidth in half.
The rush to extend internal resources and applications to users at home also led to the use of unsecure web servers, with agencies falling behind on traditional maintenance operations like patching. To avoid the adoption of short-term solutions that compromise security, federal IT pros must have a future-focused approach to the cloud. At its core, the cloud is about rethinking architecture with an eye towards flexibility. Visibility, data protection and behavioral analytics are critical components of an architecture that allows for such flexibility going forward without compromising security now. Let’s take a look at each.
Once again, security cannot be an afterthought when it comes to the cloud. A cloud-enabled architecture must include sufficient monitoring and control. On-premises solutions should not simply be thrown into the cloud, as monitoring the cloud is fundamentally different. It requires not just logs, but the application of reverse proxies and APIs. Additionally, agencies must consider unsanctioned clouds in addition to those they actually maintain and operate. Because of forced remote work, many employees have been setting up private Zoom calls and Slack channels or relying on personal Dropboxes and Gmail accounts for government work. The question, then, is how agencies can protect their data when every account is owned by a different person. The answer: visibility is key. Agencies must know what is being accessed, where it’s being accessed, and by whom.
Such visibility is a prerequisite for securing both the edge and the cloud. Once you have visibility, you can focus on what the user is doing, regardless of where they are coming from. Your architecture needs to function the same whether an employee is in the agency building, in a coffee shop, at home, or at a hotel; it should simply be tailored to the risk of that environment. To that end, agencies should implement a zero trust architecture, in which all users are authenticated on an ongoing basis. The name is a bit of a misnomer, as it’s not an all-or-nothing approach, but an adaptive one. Once again, data is best protected when access is granted based on acceptable levels of risk. To measure those levels of risk, behavioral analytics is essential.
Far too many agencies focus on external threats but never look at what’s happening inside. With people as the new perimeter, monitoring and analyzing user behavior is critical to avoiding noise. Indicators of Behavior, or IoBs, play a leading role in understanding users. If a user changes hotels on a single day or appears to be in different parts of the world at the same time, those are clear red flags—but ones that would be missed with a myopic focus on threat intelligence. Other IoBs include a user hoarding or downloading large amounts of data. If someone is accessing large amounts of data, that could suggest a compromised account. Negative and anomalous behavior can also be flagged with proper monitoring of data sources such as email, chat, and web proxies. Once again, though, behavioral analytics should be part of a broader zero trust architecture, which first requires visibility into sanctioned and unsanctioned clouds.
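The two Indicators of Behavior named above, a user who appears in two distant places faster than travel allows and a user pulling down unusually large volumes of data, can be checked directly against access logs. The following is an added example written for this piece, not code from the author or from Forcepoint; the log records, the 900 km/h travel ceiling and the 1 GB daily download threshold are constructed assumptions that an agency would replace with its own proxy or cloud audit data and its own baselines.

```python
from collections import defaultdict
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed sample access records (not real telemetry). Each record is one
# authenticated request as a reverse proxy or cloud API audit log might report
# it: who, when, where (geolocated source), and how many bytes were served.
SAMPLE_EVENTS = [
    {"user": "alice", "ts": "2020-06-01T09:00:00Z", "lat": 38.90, "lon": -77.04, "bytes": 20_000},
    {"user": "alice", "ts": "2020-06-01T09:45:00Z", "lat": 38.91, "lon": -77.03, "bytes": 15_000},
    # Same account seen roughly 7,800 km away fifteen minutes later.
    {"user": "alice", "ts": "2020-06-01T10:00:00Z", "lat": 55.75, "lon": 37.62, "bytes": 5_000},
    {"user": "bob", "ts": "2020-06-01T09:10:00Z", "lat": 38.90, "lon": -77.04, "bytes": 50_000},
    # One session that pulls 2.5 GB: the data-hoarding indicator.
    {"user": "bob", "ts": "2020-06-01T09:20:00Z", "lat": 38.90, "lon": -77.04, "bytes": 2_500_000_000},
    {"user": "carol", "ts": "2020-06-01T08:00:00Z", "lat": 38.90, "lon": -77.04, "bytes": 10_000},
    # A ~330 km move over six hours is ordinary travel and must not alert.
    {"user": "carol", "ts": "2020-06-01T14:00:00Z", "lat": 40.71, "lon": -74.01, "bytes": 12_000},
]


def _parse_ts(ts):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps used in the sample records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points on the Earth."""
    earth_radius_km = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def detect_impossible_travel(events, max_speed_kmh=900.0, min_distance_km=50.0):
    """Flag consecutive logins by the same user that imply travel faster than
    max_speed_kmh. Moves shorter than min_distance_km are ignored so that
    geolocation jitter inside one city does not alert."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: _parse_ts(e["ts"]))
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if dist < min_distance_km:
                continue
            hours = (_parse_ts(cur["ts"]) - _parse_ts(prev["ts"])).total_seconds() / 3600
            # Two distant sessions at the same instant is the limiting case
            # the text describes ("different parts of the world at the same time").
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                findings.append({"user": user, "from": prev["ts"], "to": cur["ts"],
                                 "km": round(dist), "kmh": speed})
    return findings


def detect_bulk_download(events, threshold_bytes=1_000_000_000):
    """Flag (user, day) pairs whose total served bytes exceed threshold_bytes.
    A production deployment would derive the threshold from each user's own
    baseline rather than a single fixed number."""
    totals = defaultdict(int)
    for e in events:
        totals[(e["user"], e["ts"][:10])] += e["bytes"]
    return [{"user": u, "day": d, "bytes": b}
            for (u, d), b in sorted(totals.items()) if b > threshold_bytes]


if __name__ == "__main__":
    for f in detect_impossible_travel(SAMPLE_EVENTS):
        print(f"impossible travel: {f['user']} moved {f['km']} km between "
              f"{f['from']} and {f['to']} ({f['kmh']:.0f} km/h)")
    for f in detect_bulk_download(SAMPLE_EVENTS):
        print(f"bulk download: {f['user']} served {f['bytes']:,} bytes on {f['day']}")
```

Both detectors are deliberately fed the same record stream: the point of the article is that the identity, location and volume fields have to be collected together, across sanctioned and unsanctioned services, before either indicator can be computed. The `min_distance_km` guard and the per-day aggregation are where a team tunes away noise; the output feeds a zero trust policy engine as a risk score rather than acting as a block on its own.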
Finding the balance
Agencies that adopted the cloud prior to forced remote work were better able to grant employees access to the data they needed in the midst of the pandemic. Agencies with a castle-and-moat mentality, on the other hand, started buying VPNs and found out they weren’t any more secure. And while many organizations had invested in continuity of operations, their scenarios were largely premised on an attack or outbreak that would force relocation to another building—not forced remote work.
Now, agencies are being forced to rethink how their employees operate from the ground up. The cloud, at its core, is all about change. A cloud-based approach can enable not just greater flexibility—granting access from a greater number of places, for instance—but greater resiliency. The key is not to cut corners on important security measures as the transition is made.
Petko Stoyanov is Global Government CTO for Forcepoint