CISA CTO to Government: Focus on Visibility and Resiliency When Moving to Multi-Cloud

The overwhelming majority – 81 percent – of Federal agencies are increasing their adoption of multi-cloud to support telework and mission needs related to COVID-19, according to a recent GDIT and MeriTalk report. However, nearly half – 42 percent – of Federal cybersecurity managers surveyed said their cyber strategies can’t keep pace with evolving multi-cloud environments.

During MeriTalk’s recent webinar, Brian Gattoni, Chief Technology Officer for the Cybersecurity and Infrastructure Security Agency (CISA), and Dr. Matthew McFadden, Senior Director of Cyber and Lead for the Cyber Center of Excellence for GDIT, discussed the report findings. The two experts stressed that amid a changing cloud landscape, Federal agencies must modernize their cybersecurity strategies to keep pace.

The research study surveyed 150 Federal cybersecurity managers to explore multi-cloud cybersecurity challenges and opportunities, current efforts and aspirations, and opportunities for future-proofing multi-cloud cybersecurity.

Concerningly, only 37 percent of multi-cloud users say their current visibility is excellent. Luckily, almost all respondents – 93 percent – have taken steps to improve.

“The challenge is now that agencies have taken this cloud-first mentality and provided an enterprise view of deploying to the cloud, they have to have controls and mechanisms in place to provide situational awareness,” McFadden said.

He also touched on how many agencies that are now moving into the cloud likely had component agencies or departments that had already ventured to the cloud. “From a visibility perspective, you have to ensure that you are building a secure cloud at the enterprise level, as well as adopting first users into the secure capsule,” he said.

While Gattoni heaped praise on the private sector for its cloud innovation, and stressed the benefits of the government working with industry versus trying to build its own cloud, he did raise a security concern.

“Each cloud service provider offers a different security solution,” Gattoni explained. “It can be challenging for individual enterprises to baseline the security capabilities agencies are getting from their vendors to verify and validate the technology is meeting the security controls as part of their due diligence and oversight functions … agencies are using to make sure they are secure and giving themselves the trust that they’ve done what they need to do. Mapping all of that to what’s offered from their cloud service provider is a challenge.”

Essentially, McFadden explained, it boils down to “you can’t defend what you don’t know you have.” He did say that “agencies are taking the steps needed to understand what they have and to ensure they have the right technologies to secure their environments.” Agencies need to ask themselves, “do [we] have the right capabilities to provide awareness and can [we] centralize those capabilities?”

The report also found that while multi-cloud users are taking steps to address resiliency in their environment, only 37 percent say their current resiliency is excellent.

Gattoni put it bluntly: “When you shift to the cloud, you have to understand you are not shifting your risk away.” That means agency IT leadership still has to “ensure that [their] vendors and support staff are implementing sufficient security standards.”

When it comes to resiliency, Gattoni highlighted CISA’s Trusted Internet Connections (TIC) 3.0 guidance, released July 3, which accounts for the latest technology evolutions in the Federal government. “In this [COVID] environment, it’s more important than ever to understand how this guidance can help [agencies] make decisions,” he said.

Looking to the future, both Gattoni and McFadden had similar views on the long-term benefits of multi-cloud – both stressed redundancy, resiliency, flexibility, and cost savings.

Gattoni zeroed in on two multi-cloud benefits in particular. He explained that multi-cloud adoption “enables an organization to not depend on or be locked into one vendor.” He further said, “We learned through several generations of compute services that vendor lock-in can be a real problem on the backend.”

On top of that, multi-cloud provides an added layer of security. “For instance, if all of the resources powering your business are on one cloud, and that cloud doesn’t have the needed degree of ransomware or Distributed Denial-of-Service (DDoS) protections as part of the services it affords you, it can cause significant harm to your services,” Gattoni explained. “With a multi-cloud approach, and designing that redundancy into your operations, you can increase your resiliency against those attacks.”

McFadden also touched on other ways multi-cloud is a “game-changer” – time to implementation and increased mission performance. “From an implementation standpoint, if we are going to adopt a cloud platform, our ability to scale to implement is dramatically increased,” he said. From a mission aspect, McFadden said that cloud service providers are moving toward providing micro-services to support an agency’s mission. “As agencies move to the cloud, they will have highly targeted services available to them on demand.”

A key concern for agencies during their migration is the need to future-proof cybersecurity for multi-cloud. McFadden said that GDIT has learned a great deal about how to future-proof cyber, highlighting how the company has developed secure playbooks and has a deep understanding of what and how to automate in the cloud. When working with agencies, he said that “ultimately our goal is we want to have a multi-cloud approach, we want it to be cloud-agnostic, and we want it to be modular.”

To hear what else Gattoni and McFadden had to say, and for a deeper look into the research findings, watch the webinar on-demand.

Kate Polit
About Kate Polit
Kate Polit is MeriTalk's Assistant Copy & Production Editor covering the intersection of government and technology.
