The Department of Defense is in an interesting place when it comes to modernization and cybersecurity. Agencies have successfully made the transition from “Cloud First” to “Cloud Smart” and are actively reaping the benefits of that move. But the move to the cloud comes with added complexity in the form of hundreds, if not thousands, of applications, making it difficult to successfully secure IT environments.
Recently, Bruce Crawford, retired U.S. Army Lieutenant General and former U.S. Army CIO, and Chris Hughes, president and co-founder of Axonius Federal’s partner Aquia, had a conversation about how DoD agencies can secure their rapidly growing SaaS infrastructures. It comes down to three things: good data governance, a well-executed Zero Trust architecture, and the people and processes that power both of these initiatives.
Crawford: Chris, how would you describe the state of SaaS security today?
Hughes: When it comes to SaaS, people get a false sense of security thinking that the cloud provider handles all data protection. But the reality is that agencies still have to be responsible for their SaaS configurations, get a handle on things like overly permissive access controls, and plan for the possibility of a data breach. That’s why it’s so important to have a clear understanding of their SaaS environments and what applications they’re using.
At the same time, many SaaS providers, especially some of the more mature ones, have been through the FedRAMP certification process. They have robust security teams and programs in place to mitigate risk. So while there’s still risk there, agencies can trust these cloud providers based on their compliance postures and still gain efficiency benefits.
Crawford: I love that you mentioned users’ responsibilities for their data because I think that’s something agencies need to continue to hear, especially as they pursue a Zero Trust framework. What strategies and best practices can federal security professionals use to implement a Zero Trust architecture that encompasses various environments and asset types?
Hughes: First, know that Zero Trust is a journey. No enterprise, environment, or program is going to have a foolproof implementation right now – or ever, really. It’s always going to be a work in progress.
That said, there are some great resources to help agencies get started. For instance, CISA’s Zero Trust maturity model has five pillars pertaining to identity, devices, networks, data, and applications. Security managers can ask, “Where do we stand in those five domains? Where are our gaps or deficiencies, and how do we reconcile them?”
It’s important to understand that Zero Trust cannot be bought. Sure, agencies need tools and technologies to achieve a true Zero Trust framework, but the most important component of that framework will be the people who are involved in the process. Without that foundation, organizations will be building their houses on sand instead of concrete.
Crawford: I completely agree; technology is really just a means to an end. You also mentioned moving away from perimeter-based models. Let’s talk about the new perimeter and how to protect data given those new parameters.
Hughes: Security policies must be oriented around data, wherever it resides. That requires visibility – after all, agencies can’t protect data if they don’t know it’s there, or where it is. Unfortunately, there are still a lot of challenges associated with data silos and being able to accurately inventory assets and data.
Crawford: And organizations can’t address those challenges using technology alone.
Hughes: No, they need people, processes, and technology – in that order. More than anything, protecting the new, expanded perimeter and implementing Zero Trust requires a cultural shift. Just like DevSecOps, it’s a methodology, a way of working. To achieve true Zero Trust calls for a cultural transformation.
Crawford: That cultural shift is important, and I think it ties tightly to the global race for talent. Although we have been blessed with some tremendously talented and trusted professionals in DoD, the challenge remains not only retaining the talent they have, which includes re-skilling, but also inspiring and recruiting the next generation of leaders. My sense is the people we need are motivated and incentivized in a different way than past generations. Things like “work-life balance” are as important as past legacy incentives. Given that, is there anything you’ve seen work particularly well for solving this challenge?
Hughes: As someone who has worked on both the federal and civilian sides, I recognize that it can be hard for the government to attract and retain technical talent. But while there are some things that agencies can’t change overnight, like pay and compensation, there is still a lot they can do to empower employees.
For instance, they can trust their teams to make the right decisions. They can support them and ensure the work they do matters. Those actions can go a long way toward making every employee feel like they’re part of the mission and the journey to Zero Trust.
Crawford: All of that connects to culture, identity, and being a part of something bigger than self, which are critical enablers to long-term success. It’s got to be a variable when implementing, integrating, and leveraging technology to help agencies grow and deliver better products.
Hughes: I love that note on delivery, Bruce. The DoD workforce is ultimately there to serve the warfighter. It’s important to empower them with the technologies and capabilities they need to achieve the outcomes they’re after – outcomes that are in the best interests of our nation and national security.