Author Archives: Ned Miller

Multi-Cloud Environment Challenges for Government Agencies

Between January and April of this year, the government sector saw a 45% increase in enterprise cloud use, and as the work-from-home norm continues, socially distanced teamwork will require even more cloud-based collaboration services.

Hybrid and multi-cloud architectures can offer government agencies the flexibility, enhanced security and capacity needed to achieve what they need for modernizing now and into the future. Yet many questions remain surrounding the implementation of multi- and hybrid-cloud architectures. Adopting a cloud-smart approach across an agency’s infrastructure is a complex process with corresponding challenges for federal CISOs.

I recently had the opportunity to sit with several public and private sector leaders in cloud technology to discuss these issues at the Securing the Complex Ecosystem of Hybrid Cloud webinar, organized by the Center for Public Policy Innovation (CPPI) and Homeland Security Dialogue Forum (HSDF).

Everyone agreed that although the technological infrastructure supporting hybrid and multi-cloud environments has made significant advancements in recent years, there is still much work ahead to ensure government agencies are operating with advanced security.

There are three key concepts for federal CISOs to consider as they develop multi- and hybrid-cloud implementation strategies:

  1. There is no one-size-fits-all hybrid environment

Organizations have adopted various capabilities that have unique gaps that must be filled. A clear system for how organizations can successfully fill these gaps will take time to develop. That being said, there is no one-size-fits-all hybrid or multi-cloud environment technology for groups looking to implement a cloud approach across their infrastructure.

  1. Zero-trust will continue to evolve in terms of its definition

Zero-trust has been around for quite some time and will continue to grow in terms of its definition. In concept, zero-trust is an approach that requires an organization to complete a thorough inspection of its existing architecture. It is not one specific technology; it is a capability set that must be applied to all areas of an organization’s infrastructure to achieve a hybrid or multi-cloud environment. 

  1. Strategies for data protection must have a cohesive enforcement policy

A consistent enforcement policy is key in maintaining an easily recognizable strategy for data protection and threat management. Conditional and contextual access to data is critical for organizations to fully accomplish cloud-based collaboration across teams.

Successful integration of a multi-cloud environment poses real challenges for all sectors, particularly for enterprises as large and complex as the federal government. Managing security across different cloud environments can be overwhelmingly complicated for IT staff, which is why they need tools that can automate their tasks and provide continued protection of sensitive information wherever it goes inside or outside the cloud.

At McAfee, we’ve been dedicating ourselves to solving these problems. We are excited that McAfee’s MVISION Cloud has been recognized as the first cloud access security broker (CASB) with FedRAMP High authorization. Additionally, we’ve been awarded an Other Transaction Authority by the Defense Innovation Unit to prototype a Secure Cloud Management Platform through McAfee’s MVISION Unified Cloud Edge (UCE) cybersecurity solution.

We look forward to engaging in more strategic discussions with our partners in the private and public sectors to not only discuss but also help solve the security challenges of federal cloud adoption.

The post Multi-Cloud Environment Challenges for Government Agencies appeared first on McAfee Blogs.

Zero Trust, SASE-Digital Enablers or Adding Complexity to Cyber Ecosystems

Given the title of this article I suspect you are reading this because you have been in a recent situation where you have been asked the question “What is the difference between Zero Trust and SASE?”. I further suspect that the next question you were asked of course is “Which approach is right for my organization?”.  The reality is they are built upon a similar foundation of least privilege management and both matter in the bigger picture. The real question is how do you apply ZTA and SASE to your organization.

The answer is complex. Yes, this may seem like a classic consultant’s default position on just about any complicated question. In this case, it really does depend on several factors. First let’s look at the basic definitions of ZTA and SASE and their origins.

The term Zero Trust was first originated by the industry analyst Forrester a little over a decade ago. The initial concept focused on segmenting and securing the network across locations and hosting models and promoting the idea of the Zero Trust model — the need to challenge and eliminate the inherent trust assumptions in our security strategies that made us vulnerable to external and internal attacks.

Fast forward to the present, Zero Trust has evolved to a framework and or strategy as described by some industry experts. The current definition further extends the concept for secure network connectivity where the initial security posture has no implicit trust between different entities, regardless of whether they are inside or outside of the enterprise perimeter. Least-privilege access to networked capabilities is dynamically extended only after an assessment of the identity of the entity, the system and the context.

Secure Access Services Edge [“pronounced SASSY”] is a term defined by Gartner in 2019. SASE builds on the ZTA concept however credits digital business transformation and specifically introduces the concept that the future of network security will be in the cloud. The SASE model or framework promotes the concept which inverts network and security service design patterns, shifting the focal point to the identity of the user and/or device — not the data center. SASE suggests that Security and risk management leaders will need a converged cloud-delivered secure access service edge to address this shift.

The National Institute of Science and Technology (NIST) has also weighed in on its definition of Zero Trust with the release of NIST SP 800-207. NIST goes on to define ZTA is not a single network architecture but a set of guiding principles in network infrastructure design and operation that can be used to improve the security posture of any classification or sensitivity level.

Many organizations already have elements of a ZTA and or SASE in their enterprise infrastructure today. Organizations should seek to prioritize the identification of architecture gaps against its current state and incrementally implement zero trust principles, process changes, and technology solutions that protect its data assets and business functions towards a future desired state outcome with measurable success criteria well defined in advance.

Most enterprise infrastructures will operate in a hybrid Zero Trust-SASE/Legacy mode for the next several years while continuing to invest in ongoing IT modernization initiatives and improving organization business processes. Organizations need to implement effective information security and resiliency practices for zero trust and SASE to be effective. When complemented with existing cybersecurity policies and guidance, identity and access management, continuous monitoring, and good cybersecurity best practices, ZTA and SASE can reinforce an organization’s security posture using a managed risk approach and protect against common and advanced threats.

Final thoughts on the path forward. Crawl, walk, run towards ZTA and SASE. Engage your security vendors and have them assist you with ZTA/SASE Workshops to assist with identifying your organizations priorities. Shared experiences with implementing ZTA and SASE are key to successful adoption. When exploring ZTA and SASE, remember you need a comprehensive device to cloud strategy.

The post Zero Trust, SASE-Digital Enablers or Adding Complexity to Cyber Ecosystems appeared first on McAfee Blogs.