Security in the Cloud Requires Zero Trust Architecture: Sponsored Content
To deal with the coronavirus pandemic lockdown this year, the Department of Defense had to massively and immediately ramp up remote teleworking capacity all across its global network. This forced march to the cloud—unprecedented in speed and scale—makes it imperative that the department also move to implement a new generation security architecture. Without it, the cyber attack surface will expand as the remote workforce and the tools they use become new vectors for adversaries.
Before the lockdown in mid-March, on an average day, up to 90,000 people were teleworking across the Defense Department, Pentagon CIO Dana Deasy said recently. By June, that number was about 1.2 million. That 11-fold-plus growth was enabled by the roll-out of a new COTS cloud environment, dubbed “commercial virtual remote” or CVR—paid for by $300 million in CARES Act funding allocated for Defense Department IT networks.
The speed with which the expansion happened is also unprecedented. CVR was rolled out March 27 and onboarded 250,000 users within the first two weeks. “Normally a program of this scale and complexity would take over a year to design, engineer and deploy,” Deasy told reporters in July.
The lockdown acted as a fast forward button for the Defense Department, forcing the emergency adoption of cloud-based collaboration tools at a speed that its size and the usual pace of government procurement would make impossible. It’s not just CVR, the number of VPN connections sustained on an average day has also skyrocketed.
Following some early struggles, department networks, like those across the federal government, have reached a “steady state,” said Ned Miller, the Chief Technology Strategist for McAfee’s U.S. public sector business unit. “They’ve managed it very well, considering all the circumstances,” he added.
New cloud, new threats
But the speed and scale of the telework-driven cloud expansion have also brought additional risks and costs, Miller said. Many organizations inside and outside government have wrestled with how to structure the costs of ramping up cloud services by an order of magnitude. “The actual cost implications [for DOD] are still working their way through the system and it will be interesting to see FY2020 planned expenditures versus the actuals,” said Miller.
And beyond the expense, there may be other costs, as well, if enterprises fail to carefully weigh the risks of creating easy access for their workforce. How should the Defense Department manage those new risks? What can it learn from the commercial sector and from other government agencies?
McAfee recently aggregated anonymized data from 30 million users of its cloud security products in all major industry and government verticals between January and April 2020. The data show a 50 percent growth in the use of cloud services following the lockdown in mid-March—but a more than six-fold growth in the numbers of external attacks on them.
“Threat actors are targeting these cloud services,” said Miller.
Miller noted one of the most alarming findings from the data—the skyrocketing numbers of unmanaged personal devices on enterprise networks due to the new telework expansion.
“The data suggests cloud traffic from these devices more than doubled following the lockdown,” said Miller. “These devices are not managed by the enterprise, and there is no way to recover sensitive data from an unmanaged device,” he added, “so this increased access is a data breach waiting to happen. That raises important questions about BYOD policies.”
But the problem of unmanaged devices is also an aspect of a much larger challenge—the increasing complexity of the modern IT environment. “In the era of hybrid cloud, containerization and everything-as-a-service, knowing exactly where your key data assets are has gotten a lot harder,” said Miller, “That’s why the focus needs to be on protecting the data itself—wherever it happens to be at any given time.”
The Defense Department was forced to occupy this new IT territory at lightning speed, but don’t look for it to withdraw so fast—or indeed at all. “There will be some permanency to what we have here,” promised Deasy. “There is going to be an enhanced teleworking capability that will be sustained at the end of COVID-19.”
This new post-pandemic environment urgently requires a new approach to security, according to Miller. “The perimeter has been eroding for a long time, but this dramatic shift to cloud services has really finally broken the legacy security model—and the tools that go with it.”
As a for instance, he noted that many agencies still required their remote workers to connect to the home network via VPN before accessing cloud services. Such a hub-and-spoke architecture is designed to route cloud traffic through security appliances in agency data centers, but can cause latency and bottlenecks—especially when there is a huge ramp-up. “In reality, employees tend to do whatever is easiest and fastest to accomplish their mission. If they feel they have to, they will just turn off the VPN and access applications in the cloud directly,” Miller explained.
“These dated legacy models like hub-and-spoke are being challenged by the new normal of work from home,” he said. Moving to a direct cloud access model doesn’t mean sacrificing security, but it does mean adopting a new security architecture, based on Zero Trust principles.
“There are a series of understandings of Zero Trust that have emerged over the past decade that everyone has been talking about it,” said Miller. “My own view is to see it as a reference architecture with many components. I don’t think there’s a product you can buy that will make you Zero Trust.”
The principles of Zero Trust are simple, he said. A Zero Trust architecture grants no implicit trust to assets or users just because they are (apparently) on-prem or using the local area network, rather than connecting remotely over the internet. In Zero Trust, authentication and authorization of both user and device are separate functions that must be completed before access is allowed to any enterprise resources. Zero Trust focuses on protecting those resources—like data, services, workflows, network accounts, etc.—not network segments, because where an asset is on the network isn’t really important any more when it comes to determining how secure or how important it is. “In the post-Snowden world, it’s clear that being in the building or having authorized access to the network doesn’t mean someone isn’t a threat,” said Miller. “And in the cloud era, many of your most important assets aren’t even on your own network anymore.”
Looked at from this point of view, Miller said, it’s easy to understand why Zero Trust has been getting so much attention recently. “It deals with all that stuff we’ve been talking about: Remote users, BYOD and how key assets often are beyond the network perimeter.”
According to Miller, McAfee is recommending seven must-have capabilities for this new security architecture. “To do this right,” he said, “you absolutely must be able to do the following things:”
• Enforce data loss prevention policies on data in the cloud, in sync with enterprise DLP strategy;
• Prevent unauthorized sharing of sensitive data;
• Block the syncing or download of agency data to personal devices;
• Detect compromised user accounts, insider threats and malware;
• Encrypt cloud data with keys only the agency can access;
• Gain visibility into unsanctioned applications and control their functionality; and
• Audit cloud holdings and services for misconfigurations against industry benchmarks and automatically fix incorrect settings.
Into the future, fast
Over the next six to 12 months, Miller predicts four cloud trends that security practitioners in the Defense Department and elsewhere will have to get their arms around.
1: Managing the complexity of securing multiple hybrid cloud infrastructures especially as container technologies become more pervasive. “The dynamic workloads and microservice architectures which make containers such a powerful tool also push the boundaries of traditional security policies,” noted Miller.
2: Delivering a comprehensive data protection strategy across the enterprise from the device or endpoint to all things cloud. “All the cloud and collaboration services that the department has rushed to adopt since the lockdown require a data protection strategy,” said Miller. “Legacy security tools can’t provide complete protection for cloud-based information exchanges and collaboration tools.”
3: Providing security governance models for thousands of legacy applications that are moving to the department’s cloud infrastructure either through complete modernization efforts or leveraging container technologies. “Just being in a government authorized cloud isn’t enough,” said Miller. Comprehensive data protection and user behavior monitoring of these custom cloud applications will have to be addressed. “It’s the customer’s responsibility to secure the data and monitor the users’ behavior.”
4: Evolving Zero Trust architectures to Adaptive Trust architectures. “Zero Trust concepts currently tend to focus on ‘North-South’ data flows—from the cloud or the network to the device or user. But ‘East-West’ flows—from one cloud or network to another—are just as significant as a security vector.” Moreover, Miller argues, scaling the contextual and conditional access required by a pure Zero Trust model will be challenging. “In practice, mission-oriented organizations in connected and disconnected environments will have to move to a more flexible Adaptive Trust architecture.”
For more information: www.mcafee.com/publicsector