With Federal agencies moving to the cloud and adapting to agency needs, the move away from a network-focused viewpoint complements a zero-trust architecture, said IT officials from the Department of Homeland Security (DHS) and the Defense Logistics Agency (DLA).
In a discussion at GovernmentCIO Media’s Cloud Summit on November 19, speakers noted how a zero-trust approach to security fits well with the expansion of the perimeter that cloud brings.
“Going to the cloud kind of removes the old mental model of having this perimeter defense where you knew what was coming in and what was going out – you don’t have that anymore, so I think there’s a good symbiosis between zero-trust and the cloud,” said George Duchak, CIO at DLA.
Duchak noted that his agency recently moved its enterprise resource planning (ERP) system to the cloud, and is looking at how to refactor applications to work better in the cloud. He also stated his goal of creating a platform approach over an individual system approach that will let users pick the capabilities they need.
The move to cloud also requires agencies to take new approaches to achieve the visibility and levels of risk they currently maintain.
“We’ve started leveraging a cloud access security broker, and that allows us to extend our existing policies we have on-premises into the cloud environment in addition to also providing us the visibility that we need to cross the multiple [cloud] environments,” said Luis Coronado Jr., director of IT operations at DHS.
Coronado also praised pilots for a security validation platform, which “allows us to test our defense in-depth,” and a cloud security gateway, which “enables us to be able to access your cloud services straight from an endpoint and still do it securely.”
Both Duchak and Coronado noted that their predecessors had built out robust telework capabilities, which allowed their agencies to quickly adjust to COVID-19 and free up time to bring cloud-based capabilities to customers. In describing challenges on cloud and zero-trust, Duchak noted his office’s push to be involved in the acquisition process earlier, while Coronado talked about the desire for more standardized encryption options for cloud offerings.