Between January and April of this year, the government sector saw a 45% increase in enterprise cloud use, and as the work-from-home norm continues, socially distanced teamwork will require even more cloud-based collaboration services.
Hybrid and multi-cloud architectures can offer government agencies the flexibility, enhanced security and capacity they need to modernize now and into the future. Yet many questions remain surrounding the implementation of multi- and hybrid-cloud architectures. Adopting a cloud-smart approach across an agency’s infrastructure is a complex process with corresponding challenges for federal CISOs.
I recently had the opportunity to sit with several public and private sector leaders in cloud technology to discuss these issues at the Securing the Complex Ecosystem of Hybrid Cloud webinar, organized by the Center for Public Policy Innovation (CPPI) and Homeland Security Dialogue Forum (HSDF).
Everyone agreed that although the technological infrastructure supporting hybrid and multi-cloud environments has made significant advancements in recent years, there is still much work ahead to ensure government agencies are operating with advanced security.
There are three key concepts for federal CISOs to consider as they develop multi- and hybrid-cloud implementation strategies:
There is no one-size-fits-all hybrid environment
Organizations have adopted various capabilities that have unique gaps that must be filled. A clear system for how organizations can successfully fill these gaps will take time to develop. That being said, there is no one-size-fits-all hybrid or multi-cloud environment technology for groups looking to implement a cloud approach across their infrastructure.
Zero-trust will continue to evolve in terms of its definition
Zero-trust has been around for quite some time and will continue to grow in terms of its definition. In concept, zero-trust is an approach that requires an organization to complete a thorough inspection of its existing architecture. It is not one specific technology; it is a capability set that must be applied to all areas of an organization’s infrastructure to achieve a hybrid or multi-cloud environment.
Strategies for data protection must have a cohesive enforcement policy
A consistent enforcement policy is key in maintaining an easily recognizable strategy for data protection and threat management. Conditional and contextual access to data is critical for organizations to fully accomplish cloud-based collaboration across teams.
Successful integration of a multi-cloud environment poses real challenges for all sectors, particularly for enterprises as large and complex as the federal government. Managing security across different cloud environments can be overwhelmingly complicated for IT staff, which is why they need tools that can automate their tasks and provide continued protection of sensitive information wherever it goes inside or outside the cloud.
At McAfee, we’ve been dedicating ourselves to solving these problems. We are excited that McAfee’s MVISION Cloud has been recognized as the first cloud access security broker (CASB) with FedRAMP High authorization. Additionally, we’ve been awarded an Other Transaction Authority by the Defense Innovation Unit to prototype a Secure Cloud Management Platform through McAfee’s MVISION Unified Cloud Edge (UCE) cybersecurity solution.
We look forward to engaging in more strategic discussions with our partners in the private and public sectors to not only discuss but also help solve the security challenges of federal cloud adoption.
The post Multi-Cloud Environment Challenges for Government Agencies appeared first on McAfee Blogs.
Let’s start with the good news. Agencies are adopting cloud services at an increased rate. Adoption has only increased during the coronavirus quarantine lockdowns, with most of the federal, state and municipal workforce working from home. What’s even better news is that we also see increased adoption of cloud security tools, like CASB, which is commensurate with the expanding cloud footprint of US Public Sector agencies.
So now we have security tools in place to secure our cloud assets in SaaS, PaaS and IaaS. The next step is to determine what security controls need to be implemented. What DLP policies should the agency adopt? What capabilities of a cloud service should be enabled or disabled to maintain a robust security posture? How does an agency actually go about measuring the effectiveness of the security controls that were implemented? How do we find out how we stack up against our peer organizations?
To answer these questions, McAfee developed MVISION Cloud Security Advisor (CSA). Cloud Security Advisor is a portal that is provided “out-of-the-box” with your organization’s MVISION Cloud CASB tenant. CSA provides a comprehensive set of recommendations for organizations to prioritize efforts in implementing their cloud security controls. The recommendations are broken down into Visibility and Control metrics. There is also a section that provides quarterly reports on various parameters, which we will discuss in a little bit.
When you first access the Cloud Security Advisor dashboard you are presented with a “magic quadrant” that shows your organization’s security posture relative to other peer organizations on the scales of Control and Visibility and provides a maturity score for both.
There is even an option to select a vertical market to see how your organization stacks up to organizations in other business sectors.
On the right of the main dashboard are checklist items that provide a short description and current progress in following Cloud Security Advisor’s recommendations. CSA scans the organization’s MVISION Cloud environment once every 24 hours. Any changes to MVISION Cloud will be reflected in the next scan. In the screenshot below, for example, we see an environment that is not enforcing controls on publicly shared links in Collaboration SaaS apps.
From here, a security admin can simply click on the checklist item and then on Enable Policy. This will automatically take the user to the DLP Policy Templates page to select the appropriate policy for enforcement.
Another powerful capability of MVISION Cloud Security Advisor is providing quarterly Cloud Security Reports. These are accessible from the main CSA dashboard by going to View Reports and then selecting a quarter for which you would like to see the report.
From there we can start examining our organization’s cloud footprint to identify the total number of Shadow IT services discovered that quarter, as well as some additional Shadow IT statistics.
Next we can look at IaaS resources in all our AWS, Azure and GCP environments.
We then proceed to look at summary statistics for DLP and access policy violations. Incidents show policy violations of each type detected across all of the organization’s cloud environments secured by MVISION Cloud CASB.
The next screen shows user behavioral anomalies and threats uncovered by the MVISION Cloud UBA machine-learning engine.
The Malware section of the report provides insights into malware uncovered in SaaS and IaaS environments connected to MVISION Cloud.
The Data at Risk report is probably the most pertinent to gauging the effectiveness of the MVISION Cloud CASB solution. This report shows how much of the organization’s data was at risk and how it was secured using MVISION Cloud CASB. As seen from the image, there is a downward trend, indicating progress is being made to secure the organization’s data.
The Sensitive Data report shows how the organization’s sensitive data is distributed across all cloud services in use by the organization. This report also provides insights into cloud adoption trends for your organization.
The “Users” report is a pivot table of the Sensitive Data report that organizes incidents and policy violations by individual users. Ultimately, the report shows how much of a risk an organization’s users pose to the organization’s data.
The Mobile Devices report shows incidents for each type of detected mobile device.
The next three pages of the CSA report provide a deeper dive into the data on the front page of the CSA portal we saw in the beginning of this blog. On the Scores page we see the “magic quadrant” with Control and Visibility axes, together with progress relative to previous quarters. The Visibility score and Control score, both on a scale of 100, gauge your organization’s maturity in securing its cloud footprint.
Next is the Visibility metrics page. Visibility metrics measure how well an organization has been doing in gaining visibility into what is out there in its cloud environment and how secure it is.
Finally, the Control metrics page shows how well an organization has performed in placing controls and mitigating security risks for its cloud environment.
And that, in a nutshell, is it. By reviewing the screenshots from the Cloud Security Advisor dashboard you should now have a good idea of the metrics at your disposal to quantify cloud security effectiveness for your organization.
To see MVISION Cloud Security Advisor in action, please check out the video below:
When the COVID-19 pandemic began, I heard that many of our Defense customers would be working from home and immediately thought, “We have to help them do this securely.” Very quickly, however, another issue arose: How were some of them going to do it at all, as they were not set up to enable such an unparalleled transition to remote work environments?
While DoD had virtual private networks (VPNs) in place, some services needed 10 times the number of available seats on those VPNs. We immediately went to work assisting them in managing these massive needs while maintaining security at the same time. Since then, we’ve continued to support our customers in whatever ways they’ve needed, so they can accomplish their mission with a secure, remote workforce.
One way we’ve helped customers maintain their security is through an existing contract with DISA for DoD. Under the terms of this contract, McAfee enterprise software is installed on every managed endpoint across the DoD, and DoD employees have access to McAfee Total Protection software for their personal home-use devices. Active DoD employees have access to a one-year subscription to McAfee Internet Security for PCs and Macs, preventing malicious attacks and keeping users safe while surfing and downloading files online.
Not surprisingly, the Home Use Program has been very popular with subscribers in the past couple of months. Given the COVID-19 pandemic, we quickly decided to go beyond our contract requirements and extend the Home Use Program to DoD contractors as well. The Department relies on a talented group of private contractors who sit alongside public sector employees and often perform the same jobs. It made sense to offer them the same at-home protections at no charge, and so we did.
At McAfee we’ve been offering advice and assistance since day one of the pandemic. We’ve published several pieces containing advice for working remotely and staying safe, such as: “Working From Home? 5 Tips to Stay Secure,” “Staying Safe While Working Remotely,” and “Scams Facing Consumers in the New Digital WFH Landscape“.
We’re constantly looking for new ways to help our customers adjust to the changes we’ve all had to make over the last few months – changes that will likely influence how we work and serve those who depend on us long into the future. We’re determined to do whatever we can to assist in these transitions and to ensure that security is a central part of them.
For more information on the McAfee/DISA home use program, please see the DISA Antivirus for Home Use website: https://www.disa.mil/Cybersecurity/Network-Defense/Antivirus/Home-Use.
More and more organizations are making the decision to move their legacy, in-house applications to the cloud mainly due to the cost savings. One of the major concerns about moving applications to the cloud is how to secure an application that was originally designed to be on-premise.
When these applications were behind on-premise network security there was not a concern about who would be able to access them and what they were doing in the application. Moving to the cloud now introduces this dynamic and with it concerns around how to control who accesses the applications once they are in the cloud.
This move to the cloud now also opens the door to accessing applications from anywhere in the world and potentially any device. Being able to have visibility into where a user is logging in from geographically as well as what activities a user takes beyond an initial login and the context upon which that access occurs will help keep the data secure.
These same applications may have relied on a local directory to store attachments or documents. Moving to the cloud would likely mean storing those same attachments or documents in a cloud-based directory like Amazon Web Services (AWS) Simple Storage Service (S3) or Microsoft Azure Blob Storage.
While on-premise, unintended access to the application or to the information within it would typically be limited to a corporate-wide incident at worst. If access settings in the cloud are misconfigured, the exposure is much larger.
These capabilities can be added quickly and easily to applications being moved to the cloud by incorporating an API framework into the model. An API framework would provide the following capabilities:
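The misconfiguration risk described above can be checked before an application's attachments are cut over to cloud storage. As an added example that is not from the original post, the following Python evaluates a constructed S3 bucket policy for Allow statements that grant access to any principal without a scoping condition, and checks that all four S3 Block Public Access settings are enabled; the bucket name, account id and role name are placeholders.

```python
import json
# Constructed example bucket policies (not from the original post); bucket, account
# id and role names are placeholders. The weak policy lets anyone read attachments.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AttachmentsReadable",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-app-attachments",
                     "arn:aws:s3:::example-app-attachments/*"],
    }],
})
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app-role"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-app-attachments/*",
    }],
})

# Condition keys that tie a wildcard principal to a known network or org boundary.
SCOPING_KEYS = {"aws:sourcevpce", "aws:sourcevpc", "aws:principalorgid"}

def _is_wildcard_principal(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def _has_scoping_condition(statement):
    conditions = statement.get("Condition", {})
    return any(key.lower() in SCOPING_KEYS
               for operator in conditions.values() for key in operator)

def public_statements(policy_json):
    """Return the Sids of Allow statements that grant access to any principal."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    return [s.get("Sid", "<no Sid>") for s in statements
            if s.get("Effect") == "Allow"
            and _is_wildcard_principal(s.get("Principal"))
            and not _has_scoping_condition(s)]

def public_access_block_complete(config):
    """True only when all four S3 Block Public Access settings are enabled."""
    required = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(config.get(key) is True for key in required)
```

Running `public_statements` over the real bucket policy and `public_access_block_complete` over the bucket's public access block configuration before migration gives a repeatable check for the exposure the paragraph warns about.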
- Prevent unauthorized sensitive data from being stored in cloud collaboration, file-sharing, or storage devices
- Capture a complete audit trail of all user activity for forensic investigations
- Detect malware, compromised accounts, privileged access misuse and insider threats
- Record successful and failed login attempts
- Identify who is accessing the application, along with device type, IP address, role of the user and geographic location
- Measure how much data is being accessed, created, updated, deleted, downloaded, shared, or uploaded
MVC for Custom Applications will enable organizations to enforce CASB policies without the need for developers to spend a lot of valuable time writing code. This will allow MVC CASB to enforce security policies on legacy applications, whether the application is in a private data center or in the cloud.
To learn more about McAfee’s cloud solutions, check out McAfee MVISION Cloud Portfolio.
Given the title of this article, I suspect you are reading this because you have recently been asked the question “What is the difference between Zero Trust and SASE?”. I further suspect that the next question you were asked, of course, was “Which approach is right for my organization?”. The reality is that they are built upon a similar foundation of least-privilege management and both matter in the bigger picture. The real question is how to apply ZTA and SASE to your organization.
The answer is complex. Yes, this may seem like a classic consultant’s default position on just about any complicated question. In this case, it really does depend on several factors. First let’s look at the basic definitions of ZTA and SASE and their origins.
The term Zero Trust was originated by the industry analyst Forrester a little over a decade ago. The initial concept focused on segmenting and securing the network across locations and hosting models and promoting the idea of the Zero Trust model — the need to challenge and eliminate the inherent trust assumptions in our security strategies that made us vulnerable to external and internal attacks.
Fast forward to the present: Zero Trust has evolved into a framework and/or strategy, as described by some industry experts. The current definition further extends the concept to secure network connectivity where the initial security posture has no implicit trust between different entities, regardless of whether they are inside or outside of the enterprise perimeter. Least-privilege access to networked capabilities is dynamically extended only after an assessment of the identity of the entity, the system and the context.
Secure Access Services Edge (pronounced “sassy”) is a term defined by Gartner in 2019. SASE builds on the ZTA concept; however, it credits digital business transformation and specifically introduces the concept that the future of network security will be in the cloud. The SASE model or framework inverts network and security service design patterns, shifting the focal point to the identity of the user and/or device — not the data center. SASE suggests that security and risk management leaders will need a converged, cloud-delivered secure access service edge to address this shift.
The National Institute of Standards and Technology (NIST) has also weighed in with its definition of Zero Trust in NIST SP 800-207. NIST defines ZTA not as a single network architecture but as a set of guiding principles for network infrastructure design and operation that can be used to improve the security posture of any classification or sensitivity level.
Many organizations already have elements of a ZTA and/or SASE in their enterprise infrastructure today. Organizations should prioritize identifying architecture gaps against their current state and incrementally implement zero trust principles, process changes, and technology solutions that protect their data assets and business functions, working towards a desired future state with measurable success criteria well defined in advance.
Most enterprise infrastructures will operate in a hybrid Zero Trust-SASE/Legacy mode for the next several years while continuing to invest in ongoing IT modernization initiatives and improving organization business processes. Organizations need to implement effective information security and resiliency practices for zero trust and SASE to be effective. When complemented with existing cybersecurity policies and guidance, identity and access management, continuous monitoring, and good cybersecurity best practices, ZTA and SASE can reinforce an organization’s security posture using a managed risk approach and protect against common and advanced threats.
Final thoughts on the path forward: crawl, walk, run towards ZTA and SASE. Engage your security vendors and have them run ZTA/SASE workshops to help identify your organization’s priorities. Shared experiences with implementing ZTA and SASE are key to successful adoption. When exploring ZTA and SASE, remember you need a comprehensive device-to-cloud strategy.
The post Zero Trust, SASE-Digital Enablers or Adding Complexity to Cyber Ecosystems appeared first on McAfee Blogs.