BLOG

It’s Time to Get Cloud Smart about Application Security

Lyle Marsh Thumbnail
Lyle Marsh
Published September 30, 2020

In 2018 the Office of Management and Budget introduced a new strategy designed to provide organizations with a roadmap to migrate their applications to the cloud. Dubbed Cloud Smart, the guidance advanced the Federal Cloud Computing Strategy (popularly known as “Cloud First”) that was unveiled in 2017 by giving agencies “practical implementation guidance to fully actualize the promise and potential of cloud-based technologies.”

Where Cloud First essentially gave authorization to agencies to begin investigating their initial forays into the cloud, Cloud Smart seeks to reduce the barrier of entry for cloud migrations. It provides good, solid guidance around three important areas: security, procurement, and workforce.

Cloud Smart security: Three things to know

Let’s focus on Cloud Smart’s security component. There are several facets that bear mentioning.

Cloud Smart emphasizes the need for Trusted Internet Connections (TICs). However, it acknowledges that traditional TICs have become “relatively inflexible and incompatible with many agencies’ requirements.” These agencies need a more agile and flexible solution to manage the flow of Internet traffic and offer even better security.

Cloud Smart also calls for organizations to do a full inventory of the applications they have in their environments. They’re asked to assess the need for those applications, where those applications live, what services they require to function properly and securely (load balancing, Web Application Firewalls, etc.), and more.

Finally, Cloud Smart advocates for continuous data protection and awareness. Specifically, the guidance suggests that agencies should place “protections at the data layer in addition to the network and physical infrastructure layers.” To help, Cloud Smart recommends implementing the Federal Risk and Authorization Management Program (FedRAMP), which provides a standardized way of assessing security and continuously monitoring for threats.

Cloud Smart’s message is clear: the traditional definition of a network perimeter has eroded; applications are the new network edge. Indeed, we have entered into a new phase of digital transformation that is dominated by cloud services and multi-cloud applications. These applications rely on highly sensitive data that freely flows between on-premises and off-premises locations. This flow of information is attractive to hackers, who are continually seeking ways to exploit potential weaknesses in this environment. Data must be protected at all costs, whether it exists on-premises or off, and while it’s at rest and in transit.

Cloud Smart: More descriptive than prescriptive

But while Cloud Smart offers solid guidance for cloud application and data security, it’s really more descriptive than prescriptive. It doesn’t really get into specifics about how agencies should implement their security measures, or the tools they can use to protect their data. That gives organizations a lot of leeway regarding the technologies they can use to protect their data.

Many F5 customers—particularly ones that use a combination of on-premises and off-premises data centers—rely on Cloud Access Points (CAPs) and Virtual Data Center Security Stacks (VDSS). These technologies are sanctioned by the Defense Information Systems Agency (DISA), which has made them core components of its Secure Cloud Computing Architecture (SCCA). Together, they ensure that applications hosted in a cloud data center receive the same level of protection as those that are kept on-premises.

CAPs connect on-premises data centers with hosted cloud environments, essentially creating a secure conduit between the two. Users get dedicated connectivity to applications, regardless of where they’re housed.

A VDSS is a secure zone where customers host their entire security stack. It typically consists of Web Application Firewalls (WAFs) and Next Generation Firewalls to protect applications and data hosted off-site. Web traffic traverses this security zone before accessing the application itself. The zone protects the application from nefarious traffic or potential harm.

Smart solutions for Cloud Smart initiatives

Organizations need different solutions for security enforcement within CAPs and VDSS. They require solution sets that can provide bi-directional WAFs that use behavior analytics, bot defense, and data encryption to protect both hosted and on-premises applications. These solutions are ideal for securing and managing traffic to and from applications housed within colocation data centers.

In short, organizations need solutions that bolster their security postures and help them comply with Cloud Smart’s call for “confidentiality, integrity, and availability of Federal information as it traverses networks and rests within systems, regardless of whether those environments are managed locally, off-premises, by a Government entity, or by a contractor.” Click here to learn more about how F5 is helping its customers secure their applications, data, and sites.