Security and Compliance in Government Clouds
Andrew Pawloski
July 16th, 2019
Government cybersecurity is simple.
NIST 800-53 Controls Guide:
- Who can access the system (and how)
- What events are stored and audited
- How data is encrypted at rest and in transit
Conventional Deployments
- Predictable hardware lifecycle
- Consistent network footprint
- Vertical operational needs
Slow changes to infrastructure.
Rapid deployment of code.
Rapid changes throughout the stack.
Major infrastructure changes can occur within a single development ticket.
Different services are secured in different ways.
We need a security approach that maps to the speed and complexity of the cloud.
Core features of cloud cybersecurity
- Adaptive monitoring
- Well-definied verification criteria
- Easy-to-invoke change processes
Expect and support rapid changes.
Rapid Monitoring
What questions do I want to ask at a given time?
Verification Criteria
How can I certify that this system is secure?
Verification Criteria
Change Management
How do I support new features, services, and patterns?
Change Management
Work in the cloud isn't slowing down. It's accelerating.
We need to update our compliance methodologies to support it.