What’s Your First Rule?
For many agencies, security is still the number one concern when transitioning to the cloud. Changing threat landscapes mean that data is harder to govern and secure. Agencies need a cyber defense strategy that includes a comprehensive view of their distributed data landscape and that continually evolves to defend against new threats.
If that wasn’t enough to worry about, networks are increasingly complex. A cloud environment might include on-premise and private clouds, mobile endpoints, and expanding Internet of Things (IoT) data. The more complex the existing landscape is, the harder it is to ensure your cloud is configured correctly and that it meets security mandates and regulations.
To create and manage a secure intelligent enterprise, you need to consider everything – from cloud to secure custom applications, to services and support, and almost everything in between.
It’s a lot to take in. If you’re looking to transfer data and applications securely to the cloud, where do you start? There are three critical security factors you’ll need to consider: vendor security approach, services and support, and breadth and depth. Thinking through these before you transition critical applications to the cloud can help your agency protect and secure sensitive data.
Factor #1: Vendor Security Approach
You know security isn’t something to take lightly, which is why it’s critical to have a thorough understanding of exactly how your cloud service provider (CSP) works. Understand how comprehensive its approach is and where its responsibilities end.
When evaluating FedRAMP® ATOs and whether your CSP offers FedRAMP moderate or high, or DoD SRG level 2, 4, or 5, remember that certifications should span infrastructure, data, and applications. Examine data and app-level guarantees and compliance levels to vet the CSP thoroughly across your stack. What about ITAR, or NIST? Determine how quickly they can set up an on-premise equivalent or better ATO.
Review accountability with your CSP. Make sure you’re clear on who owns the overall security and is responsible for protecting data. Business-level SLAs should spell out if your CSP guarantees both data and application uptime, but it’s also important to clarify if this is across both production and development environments. When evaluating managed services, also consider if the deployment model natively offers intelligent enterprise-level security controls or if it’s an add-on.
If you are a national security agency, you also need to consider how your data is physically secured. Review your CSP to confirm where the physical data centers are located. Clarify what level of security clearance is needed and whether employees have the right credentials and authorizations.
Factor #2: Services and Support
Before you have an issue, take the time to review how your CSP handles threat detection, mitigation, and outages.
Know what support you can expect and what their services cover if you experience a service interruption or discover a vulnerability. Don’t wait until you’re in the middle of an outage or natural disaster to review their business continuity guarantees, remediation practices, and timelines.
Moving mission-critical applications to the cloud involves more than just the applications. Dealing with databases, networks, and legacy systems is complicated, and it can be risky. Make sure your provider has experience with re-architecting complex mainframes and midrange systems for the cloud. Taking large-scale, customized systems on end-of-life hardware to the cloud requires a specialized skill set beyond regular CSPs.
Factor #3: Breadth and Depth
Not all managed services are created equal. Look at a CSP’s past experiences to see if they have the specialized capabilities to manage very secure, multi-tenant environments. Review how your entire landscape is governed – not just their apps and solutions.
Finally, thoroughly review your budget and expectations with your provider. They should focus on optimizing the entire cloud environment for maximum value. This can help your agency avoid costly add-ons in the future while still ensuring your data is secured.
Security First – Always
Taking mission-critical applications to the cloud is complicated and challenging. It’s a big undertaking, and finding the right partner starts with asking the right questions. It can help solidify your specific requirements and uncover vulnerabilities before a migration. Take the time to understand how your partner’s approach will impact the security of your enterprise systems and applications. If done correctly, you can expect ATOs with increased protection and data preservation. It can also save your agency a lot of time, trouble, and money.
NS2 has seven cloud solutions, and proven experience in moving very secure, multi-tenant environments to the cloud. NS2 solutions automate security to keep up with threats, give agencies the ability to share knowledge, and automatically fix security issues across multiple solutions.
Most importantly, NS2 augments – it doesn’t replace – your team. Our experts help guide architectural decisions and natively incorporate controls and configurations tailored to your mission and environment requirements. It’s what differentiates NS2.