How can the DoD employ a Cloud Strategy that is flexible and secure while reducing the number of “experts” necessary to implement and maintain the infrastructure?

How can the DoD employ a Cloud Strategy that is flexible and secure while reducing the number of “experts” necessary to implement and maintain the infrastructure?

Let’s start by breaking down the issues at hand.  When you move from your own datacenter to the cloud there are multiple challenges in Networking, Security and very importantly with People and Process Challenges.

Network Challenges

• Restricting access-based IP addresses and ranges prevents segmentation
• Multi-cloud network dependencies impede connectivity
• Lack of network automation, orchestration, and predictability

Security Challenges

• Workloads exposed to lateral attacks in cloud subnets
• Root workload SSH exposure through key sharing
• Lack of consistent security controls across clouds

People and Process Challenges

• Network configuration errors impact agility
• Lack of network and security programmability slows DevOps

How do we make it more palatable to move to the cloud and still maintain a semblance of control?

Moving to the cloud requires some planning.  Not every cloud provider is the same.  However, connecting and protecting applications and data across on-premises and separate cloud providers has become as obscure and difficult as buying brand new hardware and software with only having to learn from “what someone else said” and not from real experience in your own environment.  BTW, if it didn’t work in your on-premise environment the odds of it working in your cloud environment is almost nil.

Using native security controls to connect and micro-segment workloads and containers between local resources, availability zones, regions and across cloud providers is not only ineffective and inconsistent, but too complex to maintain at scale. The result? All too often we’ve seen teams inadvertently expose workloads to the public Internet by a simple security group error or Internet gateway change.  This inability to quickly micro-segment and peer workloads across AWS, Google and Azure zones, regions, and between their on-premise environment forcing customers to consider writing their own control plane at considerable time and cost.

Utilizing software defined segmentation technology as building blocks for connecting on-premise to cloud environment should help to mitigate many of challenges mentioned above when building a hybrid cloud.  Customers have eliminated the complexity, attack vectors, and costs associated with traditional security controls by adopting a unified identity-centric model for cloud and on-premises environments that is simpler and more secure.  By deploying zero trust networking infrastructure as code, the security and network perimeter is moved from the network edge to the host, making policy orchestration explicit and programmable. With Software-Defined Segmentation, protection is automated, and workloads are made invisible to unauthorized machines, giving DevOps the agility and peace of mind, they seek.

In upcoming blogs, I will go further explaining a few of the industry best practices and how IMPRES Cyber Operation Solution (CSOI) can be successful in building hybrid cloud.