Preparing Your Move to the Commercial Cloud
May 5, 2022

The Commercial Cloud is coming. If the Cloud is so obviously good, why are organizations hesitating?

Data breaches are on the upswing. Cybersecurity threats are eating away at revenue and brand reputation. And the digital marketplace is in an everlasting cycle of change. Meanwhile, you need users to access information from any device while enabling high-performance connectivity as usage demands ebb and flow.

The upside of moving to the commercial cloud is that the cloud is software-driven and moves at cloud speed. The downside is that you hit the RMF wall, which is more like moving at wagon speed. Could this be the reason for the hesitation?

To address the hesitation, you need to be fully prepared to make the move to the commercial cloud. To remain competitive, tech leaders need to save money, create an elastic environment, have an environment capable of information sharing, and put applications into production. To be competitive, you need to move at cloud speed. Being competitive means ensuring that you have the right organizational design, the best software tools, and the processes in place to realize value. At the end of the day, it is all about getting an ATO, the authority to operate. “If you don’t have the Ops in DevOps, you don’t have anything.”

Clean your house before you make your move.

The first thing you should focus on as you prepare to move to the cloud is to get your network ready. Scan for vulnerabilities and remediate. Find points of non-compliance. And harden your enterprise infrastructure.

Your goal of achieving authority to operate (ATO) is the same as it is on-premises, so DISA STIG/CIS benchmark compliance is key. The best way to make fast work of that is through automation, which removes 90% of the effort it takes to harden your system. Can you imagine hardening an application stack, CAT 1, 2, or 3, in 60 minutes? We know this is in fact possible because our ConfigOS automation software was instrumental in hardening one of the first DoD applications to achieve ATO in the Amazon AWS commercial cloud in 2012.

Along with moving to the cloud, White House orders mandate adopting a Zero Trust posture, where security moves away from the perimeter and grants only the approved amount of access on a case-by-case basis. At AFCEA’s TechNet Cyber conference in April 2022, Pentagon cyber chief David McKeown identified some of the approaches he is taking to ensure a safe cloud migration and to transition DoD’s 10,000 networks and systems to Zero Trust by 2027:

  • Perimeter security stays in place until Zero Trust is established. “We are not going to rip and replace everything. While we do evolve, we are going to make sure we use our old perimeter defense and signature things until we guarantee the data is behind zero trust architecture.”
  • Solutions will be assessed individually. “It is a grouping of solutions that need to integrate well together. We are not going to pick any particular product and we are not going to demand the services use a specific solution.”
  • Tasks will be prioritized using NIST’s risk management framework. “We are going to prioritize the different systems and networks as we go along. If it’s a low, low, low in RMF terms, it will probably be at the bottom of the stack. We are going to focus on anything that is high, high, high.”
  • Measurement is a key aspect to include. “We are looking at what metrics we need to develop but we don’t have any at this point.”
  • The Software Bill of Materials (SBOM) is important. “Log4j is a prime example of why you need an SBOM because through searching and scanning the networks it is hard to know whether it is embedded in the software in the network. From our DevSecOps pipeline [we] always create an SBOM” for software built by DoD.

Avoid the obstacles to success.

What slows you down? Working in an organized and orderly way is your best bet for a smooth transition, as is knowing that everything is either in development/test or in production. First, inventory your software, including unused and abandoned resources. Then adapt your infrastructure to actual operating requirements. Automation helps administrators monitor their environment and adjust workloads as needed. Requirements for development and test vs. production are very different. This is the common problem; it is that simple. You are not successful; you don’t have any value, and you didn’t get the authorization to go into production. Now what: start over, or work smarter?

Why do things fail?

Have you ever drifted down the beach while floating in the ocean, only to realize way after the fact that you were far from your original sunny spot? Or taken your eyes off the road while driving, made a correction in the nick of time, and safely stayed on the road? I’d rather make a quick correction than drift along unaware of the surroundings ahead. We know this as compliance drift. By continually monitoring your system, you’ll be able to see places where your system has drifted away from its compliant security stance, creating a vulnerability that could cause failure and affect your ATO.

In our experience, STIG or CIS benchmark compliance and setup issues in network environments are among the most frequent issues when transitioning to the cloud environment. Therefore, whether your organization chooses to use a public/private/hybrid cloud environment, we recommend you assess the manual labor needed for STIG compliance and figure out how to automate the self-replicating things.

Switch to cloud speed.

Whether by mandate or choice, migrating to the cloud is critical to keeping up with the evolution of computing, data, and security. Only the cloud can deliver the elasticity and agility businesses need to continue to evolve. But migrating applications and systems from on-premises to the cloud can be cumbersome, time-consuming, and challenging to accomplish.

Automation can deliver reliable, repeatable results across multiple environments to accelerate and simplify migration. It reduces human error and frees up staff time to focus on cloud migration’s higher-value, more strategic aspects. Furthermore, automation helps your business empower DevOps, artificial intelligence, real-time processing, and more.

SteelCloud’s lightweight tools allow you to quickly bring new cloud infrastructures into compliance. Our STIG automation capabilities enable DoD customers to move at “cloud speed.” And ConfigOS speeds you to ATO and successful migration. So if you’re feeling the heat of cloud migration and are unsure of what to do next, call us.
