A Tool That Can Keep Federal Data Centers Safe Amid Cloud Chaos


To help secure clouds, agencies need visibility into nebulous infrastructures.

John Breeden II is an award-winning journalist and reviewer with over 20 years of experience covering technology and government. He is currently the CEO of the Tech Writers Bureau, a group that creates technological thought leadership content for organizations of all sizes. Twitter: @LabGuys

We all know that the federal government has a love/hate relationship with data centers. First embraced as an efficient way to handle advanced government networks, they eventually grew out of control, leading to wasted resources, overlapping capacities and a loss of visibility as to what government was paying for in their data centers. The Federal Data Center Consolidation Initiative was created in 2010 to try and reverse the historic growth of federal data centers, with the Data Center Optimization Initiative more recently replacing it, but with similar goals.

One of the best ways that government is reducing their reliance on data centers is by moving to cloud computing, where agencies can buy computing capacity as a service, theoretically only paying for what they need. There are still concerns, especially with security, which has caused government to lag well behind the private sector in cloud adoption. Even so, their cautious efforts have been fruitful. The Government Accountability Office estimated in 2015 that the federal government saved half a billion dollars with its limited cloud technology use over a period of about four years.


Innovative technologies like segmentation, which I described in an earlier column, are emerging to help secure those government clouds. Those new technologies will help, but often run up against the age-old computing problem of not being able to protect what you don’t know you have. Cloud computing got its name for a reason. It separates the hardware layer from computing needs, creating a nebulous area where users don’t know—and really don’t need to know—how many hardware resources are supporting their applications or hosting their data.

While most cloud computing providers do provide basic security as part of their service level agreement, it’s ultimately the user’s responsibility to protect their own data within the cloud. It’s why government has been so reluctant to embrace the cloud and why Gartner recently named cloud-based security solutions as one of the most important categories in cybersecurity for the immediate future.

One of my projects over this long, hot summer is conducting a series of 15 in-depth cybersecurity reviews for Network World and CSO magazine, examining products that fit into those important Gartner categories. Not all of the products I have been reviewing so far have federal applicability, but a recent one stood out as being a potential game changer for feds looking to move to the cloud and to ensure security once they arrive.

The biggest problem with cybersecurity in the cloud—and this even applies to some of the newest technology like the aforementioned segmentation—is that it’s difficult to define security policies within what is essentially a nebulous infrastructure where a single app might be running across multiple servers at the same time, might be pulling resources from multiple sources, and might even be physically stored in several different locations. So, for example, in the absence of defined hardware rules and locations, something like segmentation only works if you know exactly how your apps in the cloud are performing and interacting with users.

Getting that important visibility is very difficult within the cloud. Examining the log files—the traditional method of figuring out how everything is interacting—is nearly impossible even in a medium-sized, cloud-based data center. One that I examined recently, a smaller facility with about 400 clients, generated over seven billion logfile events over a six-hour period. I can’t track billions of logfile events every few hours, and neither can most security teams, even large ones. It’s also why attackers can remain hidden for so long once a system is breached: There is too much other chaos going on to quickly unmask them.

The product that I recently reviewed is called the Lacework Cloud Workload Protection Platform, which is designed as a way to restore visibility to cloud computing, creating a baseline that other security programs can build upon. It’s configured for deployment as a service with no need for a hardware console installation, so perfect for cloud environments. It works by deploying tiny software agents each time a new virtual machine is spun up within a cloud, basically stamping that asset as owned by the organization or agency. A federal data center could deploy Lacework by simply adding the agent to the default image for all new virtual machines, and then pushing the same agent out to existing assets.

Suddenly, the cloud is not so nebulous. Assets might still be sprawled out across multiple hardware platforms, but each one is now identified as owned by the agency. The platform then creates a baseline of all activity occurring within a data center from users, assets and applications, diving into those logfile events and identifying what is normal, authorized activity, and what is an outlier or anomaly. It even turns that data into a visual map of how those assets are interacting, and plotting the changes over time. In the most general sense, it takes the cloud and allows users to define it more concretely, not based on the hardware assets, but instead on the apps, users and interactions that make an agency’s computing infrastructure work.

Lacework comes with its own threat-remediation abilities. I tested this by adding a malware process into the cloud test environment that tried to eventually spawn a new user and then elevate privileges. This is done in such a way as to be somewhat camouflaged in a normal data center or cloud environment, easily lost in the billions of other recorded events. But Lacework identified it because it was an outlier process that didn’t normally happen, shining a light on the rogue process even though it was moving slowly and taking a lot of precautions.
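The baseline-then-outlier idea described above can be sketched in a few lines. This is an added illustration, not Lacework's code or algorithm and not part of the original review; the event fields, host names and the `min_seen` threshold are assumptions, and the sample events are constructed.

```python
from collections import Counter

# Constructed sample events: (host, user, parent_process, process).
# Field names and values are assumptions for illustration only.
BASELINE_WINDOW = (
    [("web-01", "www-data", "systemd", "nginx")] * 500
    + [("web-01", "www-data", "nginx", "php-fpm")] * 300
    + [("db-01", "postgres", "systemd", "postgres")] * 400
    + [("web-01", "root", "sshd", "bash")] * 5
    + [("web-01", "root", "cron", "logrotate")] * 6
)

LIVE_WINDOW = (
    [("web-01", "www-data", "systemd", "nginx")] * 200
    + [("web-01", "www-data", "nginx", "php-fpm")] * 150
    + [("web-01", "www-data", "php-fpm", "sh")]   # one-off, never seen before
    + [("web-01", "www-data", "sh", "useradd")]   # new account created
    + [("web-01", "root", "sh", "usermod")]       # privilege change
    + [("db-01", "postgres", "systemd", "postgres")] * 180
    + [("web-01", "root", "cron", "logrotate")] * 2
)


def build_baseline(events):
    """Count how often each behaviour tuple occurs in the learning window."""
    return Counter(events)


def find_outliers(baseline, events, min_seen=3):
    """Return distinct behaviours seen fewer than `min_seen` times in the
    baseline, in first-seen order. Live-window volume is ignored, so a
    single slow event is flagged as readily as a burst."""
    flagged = []
    for event in events:
        if baseline[event] < min_seen and event not in flagged:
            flagged.append(event)
    return flagged


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_WINDOW)
    for host, user, parent, proc in find_outliers(baseline, LIVE_WINDOW):
        print(f"outlier on {host}: {user} ran {proc} (parent {parent})")
```

Because the check keys on whether a behaviour was ever part of the baseline rather than on event rate, the three constructed rogue events stand out among the 535 live events even though each occurs only once.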

The true value of Lacework for feds might be helping to redefine a security perimeter, and getting real visibility into government clouds. Although its core security components are impressive, being able to map processes and interactions means that other security tools, like segmentation, automation, or even standards like SIEMs, can more easily integrate into cloud environments. That could help make government clouds more attractive, and remove some of the final deterrents to wider government adoption rates.  
