In March 2023, technology leaders gathered at an executive roundtable with government C-suite leaders to discuss the myriad rewards and potential risks posed by the Federal government’s adoption of cloud-native technologies. This article describes how cloud-native technologies can speed digital transformation while also introducing new security challenges – and highlights steps Federal leaders can take to realize the vast potential of these innovative emerging platforms.
The Federal government is rapidly moving to cloud-native technologies to drive digital transformation and accelerate IT modernization, seeking to reap the benefits of cloud computing as agencies overhaul legacy systems. By 2025, according to research firm Gartner, cloud-native platforms will serve as the foundation for more than 95 percent of new digital initiatives — more than double their pace in 2021. As the migration to cloud plays out across the government, what are the primary benefits of cloud-native technologies, what are the risks – and how do Federal leaders ensure a secure, cloud-native future?
Benefits of Cloud-Native Technologies
Cloud-native applications are software designed for continuous delivery with microservices, containers, and dynamic orchestration. They provide a consistent development and automated management experience across private, public, and hybrid clouds. Cloud-native technologies allow organizations to accelerate the adoption of cloud computing, resulting in faster development times that aid digital transformation and IT modernization.
Among the other myriad benefits of cloud-native technologies are reduced costs for backup, maintenance and usage of resources; greater adaptability and scalability, eliminating the need for hardware and allowing for regular software updates; and enhanced flexibility, including the ability to reuse code and work with multiple cloud providers. The restrictions inherent in traditional architectures are removed, while the adoption of agile methodology and DevOps allows for automated solutions.
Sean Murphy, head of security customer engineering at Google Public Sector, said bringing cloud-native applications to Federal agencies improves security, which is especially important as the government faces a cybersecurity talent shortage. “If you can apply the cloud provider’s expertise and intelligence at scale, using the capabilities of cloud,” he said, “you can begin to address personnel shortages and expertise shortages and move toward a more autonomous security operations platform, where you can use automation to do detection, analysis, and remediation.”
Joe Sangiuliano, regional vice president-public sector, Prisma Cloud at Palo Alto Networks, said the “proliferation of cloud and cloud-native technologies” represents “a massive convergence of capability that is going to make it easier for organizations to have a better security posture.” For Federal agencies, he added, cloud-native “will lead to greater ease of use and better citizen services.”
One agency that has undertaken a successful journey to cloud-native applications is the Bureau of Alcohol, Tobacco, Firearms and Explosives, with mission payoffs that include increased functionality and deployment speeds that far exceed the previous legacy environment.
Risks of Some Cloud Technologies
While cloud technologies bring multiple benefits, the differing levels of security among providers within a dynamic multi-cloud environment also introduce weaknesses from some legacy providers that bad actors are increasingly seeking to exploit. With the security expertise of many agencies geared to traditional on-premises IT systems, new cloud applications from legacy providers can present potentially daunting challenges.
Legacy cloud providers are prone to infrastructure misconfiguration mistakes such as leaving ports open to the Internet and poorly protecting passwords and encryption keys. Misconfigurations can leave the door open for ransomware attacks and other malicious activity.
Other risks of legacy providers include vulnerabilities in open-source code; overprovisioned access resulting from the increased number and complexity of users, roles, and permissions; insecure application programming interfaces; and evolving methods of malware that criminals can use to take advantage of the new vulnerabilities.
Getting the Most Out of Cloud-Native
How do Federal agencies overcome the risks of cloud technologies so the government – and the citizens it serves – can reap the rewards? To start, they should consider the cloud provider’s security track record and whether the cloud provider simply lifted and shifted vulnerable code to the cloud to build services. Then they can be judicious in moving to the cloud, taking into account risks such as disruption of essential activities, along with the costs associated with legacy systems.
“Rather than replacing every legacy system,” one expert said, “agencies should focus on the systems and applications that will significantly impact mission and business outcomes with enhanced scale and flexibility.”
Once they have selected the functions to migrate, IT leaders should consider rethinking their approach to security amid the increasing complexity of multi-cloud environments that include vulnerable legacy vendors and the expanded attack surfaces they bring.
Experts offer a number of suggested best practices for smart cloud-native security, including making cloud-native platforms the default for new application development; including security teams in development projects at the earliest possible point; using security tools designed for cloud-native applications; and automating security for a variety of functions.
One promising approach is utilizing a cloud-native application protection platform (CNAPP) that integrates security and compliance capabilities to secure cloud-native applications throughout the development lifecycle. Experts say this breaks down operational silos in security, providing the end-to-end visibility often missing in other cybersecurity solutions.
Organizations today “are looking for a broader set of capabilities that can provide them with visibility and security from build to production and across DevOps, DevSecOps, and cloud infrastructure,” notes analyst firm Frost & Sullivan. “… CNAPP solutions that cover the entire stack … can help them achieve a holistic security strategy and reach a zero trust security state across different cloud environments.”