
The Department of Defense has been steadily transitioning its applications from on-premises operations to the cloud because of better security, availability, and scalability—not to mention the heavy lifting that cloud architecture is doing in a COVID-19 telework environment.

However, moving from an on-prem data center to the cloud is not a fire-and-forget proposition. Detecting and preventing the misconfigurations and threats that lead to data breaches and compliance violations is growing ever more difficult as cloud architectures become increasingly complex. As organizations scale their cloud footprints to include hybrid and multi-cloud architectures, they need to ensure that both their cloud infrastructure and cloud native applications are secure.

Unfortunately, that’s not always the case, according to a recent Palo Alto Networks Unit 42 Cloud Threat Report on the security risks posed by infrastructure as code (IaC). Unit 42 is Palo Alto Networks’ global threat intelligence team and a recognized authority on cyber threats. What Unit 42 found in its Spring 2020 report is that IaC templates themselves are not the issue; the problem lies in the flawed process by which they are built.

For example, 42 percent of CloudFormation templates from Amazon Web Services—where users declare the AWS resources they want to create and configure—contain at least one insecure configuration. In other study results, 48 percent of Amazon Simple Storage Service (S3) buckets don’t have server-side encryption enabled, and 55 percent of user-configured S3 buckets don’t have logging enabled. (Amazon S3 is an object storage service to store and protect data for a range of use cases, such as data lakes, websites, and mobile applications.)
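The two S3 findings above (no server-side encryption, no access logging) are exactly the kind of thing a shift-left template check catches before deployment. The following scanner is an added example written for this article, not Palo Alto Networks or Unit 42 code; the template it inspects is constructed inline, with one bucket declared the insecure way and one declared with both settings in place. The property names it checks (BucketEncryption, LoggingConfiguration) are the real CloudFormation keys for AWS::S3::Bucket.

```python
import json

# Constructed sample CloudFormation template (JSON form) with three S3 buckets:
# RawUploads and LogBucket declare neither encryption nor logging; Reports declares both.
TEMPLATE = json.loads("""
{
  "Resources": {
    "RawUploads": {
      "Type": "AWS::S3::Bucket",
      "Properties": {"BucketName": "example-raw-uploads"}
    },
    "LogBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {"BucketName": "example-access-logs"}
    },
    "Reports": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketName": "example-reports",
        "BucketEncryption": {"ServerSideEncryptionConfiguration": [
          {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
        "LoggingConfiguration": {"DestinationBucketName": {"Ref": "LogBucket"}}
      }
    }
  }
}
""")

def check_s3_buckets(template):
    """Return {logical_id: [finding, ...]} for every AWS::S3::Bucket resource
    that lacks default server-side encryption or access logging."""
    findings = {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::S3::Bucket":
            continue
        props = res.get("Properties") or {}
        problems = []
        # Encryption counts only if at least one default rule is declared.
        enc = (props.get("BucketEncryption") or {}).get("ServerSideEncryptionConfiguration")
        if not enc:
            problems.append("no server-side encryption configured")
        if not props.get("LoggingConfiguration"):
            problems.append("no access logging configured")
        if problems:
            findings[logical_id] = problems
    return findings

if __name__ == "__main__":
    for bucket, problems in check_s3_buckets(TEMPLATE).items():
        print(f"{bucket}: {'; '.join(problems)}")
```

Run against a real template (json.load of the file), the same function flags each offending logical resource; a YAML template needs a YAML loader in place of json.loads.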

Getting those cloud security processes correct is vital for the Department of Defense to leverage the warfighting capabilities of the cloud for the great power competition against China and Russia, for example.

Innovating with Cloud


“The DOD is motivated to move to the cloud because of a need to have better analytics and artificial intelligence,” said Kurt Greening, Public Sector Leader for Prisma Cloud at Palo Alto Networks. “The motivation is driven by our competitors that are growing in power and influence, mainly China and Russia, because in some ways they are innovating beyond what some of our capabilities are.”

That is because the capabilities the DoD can access on-prem are not as great as those available in the cloud, whether that means scalability of resources or the innovative new technologies being released by cloud service providers like Amazon Web Services, Microsoft Azure, and Google Cloud. Those applications can be, and still are being, developed in on-prem environments, but in many ways they are harder to achieve there.

DevOps or continuous integration/continuous delivery—where applications are quickly developed, tested, improved, and deployed—is an example of how cloud computing can help put applications into the hands of warfighters faster than ever before. Palo Alto Networks Prisma Cloud 2.0, for example, has security capabilities geared to meet the goal of delivering software releases faster and preventing security lapses by applying a consistent set of checks through the build-to-release process that keep DoD applications and infrastructure secure.

This gives security teams a powerful opportunity to insert cloud-friendly security tooling and requirements directly into the development pipeline, which is more commonly known as DevSecOps. It also helps to better cement the relationship between the security and development teams and places an emphasis on security right from the start rather than trying to bolt it on at the end of the software development process—potentially creating a less secure application that can be exploited by our adversaries.

Tools for Continuous Authority to Operate

The Defense Department must comply with an alphabet soup of compliance and regulatory requirements—none of which go away in a cloud environment. Some of the more important DoD-related measures include:

  • Protection of controlled unclassified information as laid out in Defense Federal Acquisition Regulation Supplement (DFARS) 800.171;
  • Security and privacy controls for information systems pulled from Federal Information Security Modernization Act (FISMA) 800-53;
  • Securing containerized cloud applications from National Institute of Standards and Technology (NIST) Special Publication 800-190; and
  • Safeguarding personal privacy data as governed by the Health Insurance Portability and Accountability Act (HIPAA).

“Compliance is probably the number one concern,” said David Kubicki, Public Sector Systems Engineering Manager for Prisma Cloud at Palo Alto Networks. “And then closely related to compliance is continuous authorization for those applications in those clouds.”

Continuous authorization is officially known as Authority to Operate (ATO), and requires cloud application owners to regularly implement, certify, and maintain appropriate security controls. Cloud native technologies like containers and microservices, as well as strategies like DevSecOps and shift-left security, enable continuous monitoring and adherence to a system’s approved security posture.

The challenge comes in a hybrid or multi-cloud environment where there are innovations and different technologies across multiple cloud service providers. In this environment, that could mean 20 different applications all with AWS or Azure accounts. Or it could be one DoD entity that needs to connect with another DoD entity with application APIs talking to each other across two different environments where the security of one could affect the security of the other.

In such scenarios it is difficult to answer the question: “Are we compliant?”

Visibility Through Prisma Cloud

Visibility into all cloud applications through a single pane of glass is key to satisfactorily answering that question in a hybrid-cloud environment. It’s also what makes it possible to maintain an ATO.

Valuable assistance in this area comes in the form of Palo Alto Networks’ latest Prisma Cloud evolution, version 2.0, which includes four new functionality modules that tie specifically to compliance and ATO. They are:

Cloud Security Posture Management: This leverages data from public cloud service providers to deliver continuous visibility, compliance, and threat detection, as well as shift-left capabilities to scan infrastructure-as-code templates across the application lifecycle.

Cloud Workload Protection: This secures cloud native applications across the application lifecycle, defined by the requirement to protect hosts (VMs), containers, and serverless from a single console.

Cloud Network Security: This protects cloud networks and applications, combining network visibility and micro-segmentation for full-stack network security across hybrid and multi-clouds.

Cloud Infrastructure Entitlement Management: This enables visibility and control over cloud identities to ensure least-privileged user access governing cloud resources, compute, and data.

“What I see is the DoD moving beyond compliance into a continuous process that ensures cloud applications are secure,” said Brian Wenger, systems engineer working with Palo Alto Networks federal systems integrator partners. “We’re shifting left, pushing security farther back in the process so that it isn’t just a checkbox anymore. It becomes a strategic cybersecurity advantage against attackers.”

Conclusion

It is important for DoD organizations to recognize the fundamental differences between managing and securing infrastructure in a data center and doing so in a hybrid-cloud environment. A common misconception is that signing up with a cloud provider gives them everything they need to be secure right out of the box; that there’s nothing to worry about because AWS or Amazon has security covered.

That’s absolutely not the case. While the cloud providers play a role in security, especially physical security, it is up to the organization to ensure that both their cloud infrastructure and cloud native applications are secure. In the shared responsibility model, it is the users who need to provide the expertise and are responsible for ensuring the right tools are turned on and features enabled and deployed in the correct way. That’s purely the responsibility of the customer.

The DoD should also understand that there are vendors like Palo Alto Networks that are making it easier for them to have visibility into their security and compliance posture across diverse data environments. In conclusion, here are three ways Palo Alto Networks can provide the Defense Department with comprehensive cloud security across all the world’s cloud architectures:

  1. Continuously monitor all your cloud resources.

The first step to a strong security posture is deep, contextual visibility. Once you know what resources you have, where they exist, and how secure each one is, you can enforce pre-built or customizable governance policies and guardrails that keep your cloud compliant and secure.

  2. Detect, prevent, and remediate threats with the power of machine learning.

The key to powerful cloud threat detection and high-fidelity alerts is depth and breadth of threat intelligence and use of machine learning for data analytics. By combining rule- and behavior-based analytics with an unmatched view into your cloud environments, security operations can rise above the noise, prevent threats, and get to remediation faster.

  3. Discover and protect data at scale.

As the growth rate for data skyrockets, it’s critical to adopt a more sophisticated and nuanced approach to managing it. A secure cloud native environment requires an integrated, automated way to quickly identify sensitive data and ensure it’s protected, free from malware, and in compliance.