Historically, IT has been responsible for infrastructure provisioning, and, before the cloud, was primarily focused on on-premises challenges. The security team is charged with scanning that infrastructure for vulnerabilities, but it often doesn’t know what to scan because IT has not shared an up-to-date asset and threat list. Managing infrastructure and related assets has always been demanding, but in the cloud, where everything is faster and more ephemeral, getting security involved early and built into the provisioning plan is a struggle for many governments.
In terms of the cloud, government security teams are largely not prepared to enable the business, in terms of either skills or talent. In the cloud, the priority is information protection. More and more, we’re finding that the way data is deployed in the cloud is often not resilient. We’re not simply talking about multiple availability zones, but about the ability to recover critical assets if there’s a major breach.
We also see two camps that seemingly operate at opposite ends of the security spectrum. On one side are the old-school practitioners who have been working in security architecture for 20 years or more but haven’t fully adapted to life in the cloud. On the other side, you’ve got cutting-edge security professionals who fully embrace today’s technology and are trying to promote and enable the cloud mindset so security can be embedded by design and at scale. As governments continue their migration to the cloud, getting these factions on the same page is a priority.
Guiding principles to help create a safe and secure life in the clouds
Become a learning organization
One of the things that attracts cloud talent, beyond money, is culture. Prospective employees should know they’re not joining a classic, hyper-risk-averse, slow-moving organization. Creating a culture that’s open to innovation and experimentation can help attract new talent.
Know your environment
Build an understanding of what data you hold, what can be appropriately stored off-premise versus on-premise, and then implement controls to help ensure this data is classified and stored correctly. More than most organizations, governments can hold the key to highly sensitive data. If this data gets into the wrong hands, it could harm national security.
Think small — act fast
Send the message that you can build things fast, break things faster, and then rebuild based on what you’ve learned. Most organizations have already proved that they can move fast in reacting to the pandemic, so now is the time to translate any lessons learned into business as usual. Security can enable success through incremental steps. For example, go live with a new container protection strategy in small bites, and enable the business to move fast.
Shift security to the left into the early stages of your software testing cycle
Doing so can help to enhance value to both customers and users. Apply security — again, in small bites — as far left in the process as possible, which can typically involve infrastructure as code. You can help make it happen by empowering developers to hard code the required security measures without the security team’s involvement, which the cloud can facilitate.
Have an appreciation of the underlying code
The ability to read and write code can earn the respect of DevOps engineers. Increasingly, we will likely need security professionals who can code, as we continue to move away from the traditional security architecture role of drawing diagrams and handing them over to a solution designer, who then passes them to an engineer to stand up physical infrastructure.
Work to understand — and communicate to the entire enterprise
Help the enterprise understand the connection between business enablement, business resilience, and information protection. It’s not much of a departure from how you would do it on premises, but it can be a little bit different when you’ve got critical data in the cloud. Making this part of your DNA can help you weed out the “noise” from an operations perspective so you can focus on bigger security priorities.
This excerpt was taken from the KPMG thought leadership paper entitled Securing the cloud — the next chapter in public services.