Everything is connected.

Widespread connectivity, powered by the cloud, is one of the great benefits of modern IT. Do more from anywhere, it promises. 

Unfortunately, constant connectivity can also be one of modern IT’s biggest weaknesses.

So what are federal agencies, where security and mission are both paramount, to do? 

At the Advanced Technology Academic Research Center (ATARC) Federal Cloud Computing Summit, a group of public agencies and private companies held a panel to talk about the challenges of constant connectivity in the federal government.

Below are three key areas to focus on:
 

Accessing Cloud Outside the Continental United States (OCONUS)

If you have a customer with an OCONUS presence and you need to communicate or share information with them via the cloud, how do you do it? As the widespread adoption of cloud in the federal government is still new, this is an emerging debate. The first step, as the group discussed and agreed, is to use mobile devices, so end users can access the cloud and receive or send information. There are many software solutions such as Microsoft O365 or AWS that allow you to communicate and transfer information from a mobile device. They also suggested having a central access point such as a Virtual Private Network (VPN) that allows the user to connect remotely and access information. 

 

Device Authentication

The most in-depth and controversial topic was device authentication. Trying to maintain device integrity—that is, to keep them free of malware and other harmful bits and bytes—on thousands of mobile devices that come through the work doors each day is a new realm. With Bring Your Own Device (BYOD) initiatives at agencies and companies, even allowing mobile devices to connect to internal assets is tricky. One approach is device-to-device authentication instead of human-to-device authentication. This is both positive and negative. On the plus side, you can save time and money with device-to-device authentication. Yet there is a potential vulnerability given the possibility that a threat actor is in charge of the device during device-to-device authentication (e.g., a stolen laptop). A compromise between the two is imaginable (device-to-device authentication plus a biometric, as an example), but this is a topic which will need to be looked into further to provide a reliable solution.

 

Standards

Surprisingly, what you might expect to be one of the first topics came up at the end. When it comes to the internet and the cloud, there are no FCC regulations. The Internet Engineering Task Force (IETF) develops and promotes voluntary internet standards, in particular the standards that comprise the internet protocol suite (TCP/IP). It is an open standards organization, with no formal membership or membership requirements. 

The IETF started out as an activity supported by the United States government, but since 1993 it has operated as a standards development function under the auspices of the Internet Society, an international membership-based non-profit organization.

Because the standards are largely voluntary, it can be hard for both cloud providers and customers when it comes to information sharing, third parties, contracts, overseas communication and the like. It simply isn’t practical to implement a network not using TCP/IP. More guidelines are needed in regards to paying for what you use in the cloud and discussing changes to the workplace such as being clear about what needs to be protected and mitigating/managing the risks. With the cloud being used more and more each day, if regulations or guidelines are created, then different cloud providers could potentially work together instead of competing against each other. In this way, it would allow them to bring together the best parts of each service to create one great and all-encompassing service.

 

Takeaways

  • There are no cookie cutter solutions to security in an era of widespread access. Different sectors have conflicting ideas/issues that they need to address to accomplish their mission. Industry experience matters when selecting cloud services. Companies like NJVC, which has led the way in cloud migration in the Intelligence Community, can ensure migrations that are rapid and secure.
  • A central access point (VPN) is a good option when working with OCONUS staff.
  • With the modern BYOD initiative, device authentication needs to be done on multiple levels whether it be done device to device or human to device.
  • Moving applications to the cloud is the simple part, securing those applications is going to take more in-depth security like public/private key with a third party in the background. (To learn more about how NJVC offers industry leading secure cloud migration, click here.)
  • More standards and regulations need to be defined and implemented to maximize efficiency and interoperability in the cloud.
  • Whether public or private sector, there needs to be a polymorphic environment, well understood security posture, reduced latency and changes to the workplace.
  • As new solutions are provided, new issues will arise, which means a cloud services provider you can trust is vitally important.

Want to learn more about maximizing an integrated cloud environment and thriving in the era of hybrid IT? Contact us and we'll answer any questions.

Michelle Mungin is an intern with NJVC's solutions architects group.