By Gerry Gebel, VP of Business Development at Axiomatics
As businesses continue their mass migration of data, applications, workflows and other business assets to the cloud, federal agencies are following suit, and for a good reason. By utilizing the cloud, federal agencies minimize their overall IT costs, while increasing scalability, modernizing their IT infrastructure and enabling collaboration among development teams to help solve complex challenges.
In addition, cloud platforms like AWS and Microsoft Azure offer easier, more affordable and flexible data storage systems compared to traditional storage solutions like on-premise relational databases.
There are many advantages of cloud deployments. However, they do not come without risk. A common challenge is cloud security.
Cloud platforms often include built-in security features like Identity and Access Management (IAM) to help control access to Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) services.
This is where we begin to see limitations in the built-in security features when dealing with, the security of transactions and data in these platforms. Not to mention, cloud platforms introduce new technology capabilities (such as orchestration) that require IT employees to examine new processes, including security methods.
It is critical to enhance the basic security capabilities of the cloud platform and cloud data service providers to ensure the high levels of access control federal agencies have in their on-premise systems translate to the same fine-grained levels they require in the cloud.
Augmenting Built-In Security Features
Out of the “box”, cloud platforms don’t offer much sophistication for a policy-based approach to both securing and sharing data. We see new security products are emerging to protect the cloud, but in some cases, these only focus on a single aspect, such as the security of the infrastructure and containers instead of protecting the data itself.
One example is AWS. AWS has an “IAM” strategy focused on authorizing administrators to spin up/down servers, databases, containers, etc. Still, the AWS “IAM” strategy is limited because it focuses on the infrastructure instead of the data. AWS uses the same legacy identity/role/group-based approach to authorization, which is not fine-grained enough to secure critical information federal agencies hold like national security information or personally identifiable information (PII) on American citizens.
Federal agencies require more advanced security measures than what cloud providers offer. Security controls must address the legal requirements for the proper handling and sharing of sensitive digital information. The security protocols must also implement access policies consistently across cloud platforms, instead of acquiring the additional risk and cost of cloud platform-specific security tools. Security tools must also be built and deployed in the cloud, so they can be managed the same way any application workloads are managed.
Implementing Dynamic Authorization to Protect Cloud-Hosted Data
Federal agencies can extend access control capabilities beyond what cloud providers offer with externalized dynamic authorization delivered with Attribute Based Access Control (ABAC). Dynamic authorization for cloud-hosted data works by leveraging access control and organizational policies to decide what resources can and cannot be accessed.
Federal agencies can access additional context like risk score, device information, location, etc. when deciding on access decisions. Policies are an exact reflection of federal requirements and are easy to decipher. With dynamic authorization, federal agencies can define their data access policies once and apply them consistently on-premise and in cloud deployments.
Federal agencies ensure secure access to applications and data in the cloud while also realizing a wide range of other benefits, including:
- Running an access control service in cloud platforms directly with protected applications and data provides best-in-class system performance.
- In addition, this approach permits federal agencies to operate the security infrastructure in the same way that applications are managed.
- Dynamic authorization for cloud platforms saves developers a significant amount of time because application development accommodates the microservice approach of bounded context and calls external services for security functions.
- Developers are no longer bothered with adding security code to their APIs/microservices. Instead, they can call another microservice to process access decisions.
- Application maintenance costs are significantly reduced by separating security logic from the application.
- By moving security logic to a dedicated service, access policy changes are implemented independent of the business logic code, resulting in a much easier/quicker access policy change process.
- A dedicated dynamic authorization service can respond faster to policy change requests because code changes are eliminated.
- Instead, policy changes are made in the authorization service through configuration and delivered to the runtime services.
As more federal agencies continue to tap the power of the cloud and migrate their infrastructure to cloud platforms, the need to address complex access control use cases for cloud-based resources is only going to grow.
The federal government houses massive amounts of sensitive data that can threaten the security of millions of citizens. By leveraging dynamic authorization delivered with ABAC, federal agencies enable secure access to sensitive information assets such as applications and data that are now stored within cloud platforms, as well as the administration of cloud deployments.