Many organizations are taking advantage of the cloud to use existing Software as a Service (SaaS) applications as well as to build their own cloud native infrastructure. This migration can result in cost savings, greater flexibility, and improved access to data and applications. While this move can accelerate the ability to meet business requirements, it also requires a new way of ensuring the security of the application and the application data. There are a number of compliance requirements and technical solutions that provide frameworks that can be used to ensure cloud security.
Federal Risk and Authorization Management Program
For public sector customers, the Federal Risk and Authorization Management Program (FedRAMP) is probably the most widely understood marker of a secure cloud. FedRAMP is a designation which shows that a cloud solution meets a stringent set of government security requirements and controls and is accepted government-wide.
All Iron Bow cloud applications help the federal government meet FedRAMP guidance. With our understanding of FedRAMP requirements, we can choose the right solution for specific needs.
Cloud Access Security Broker
A Cloud Access Security Broker (CASB) is an on-premises or cloud-based security policy enforcement point that provides protection for cloud-based applications. A CASB monitors user, data and application access and enforces security policies within the cloud. In short, it protects data in the cloud. Examples of CASB security policies include authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, malware detection/prevention and more.
Iron Bow’s dedicated Security Solutions Architecture team can assist in choosing and implementing the right CASB technology and solution set to help agencies further secure their cloud applications.
Zero Trust Architecture
Zero Trust Architecture (ZTA) begins with the premise that all networks, internal and external, should be treated as untrusted. Users connecting to the network have to prove valid authorization before being allowed access. When applied to cloud security, it protects access to the cloud by providing granular access to cloud-based applications based not only on the user, but also on the device they are using.
Iron Bow’s approach to ZTA is to first look at the customer’s unique need and use case, taking into account which components of a ZTA may already be in place. We follow industry standards such as Zero Trust Extended (ZTX), Secure Access Service Edge (SASE), Continuous Adaptive Risk and Trust Assessment (CARTA) and NIST 800-207, along with the guidance from the Cloud Security Alliance (CSA), when making recommendations for customers. From there, we design and implement a solution that addresses the elements of the customer use case with a technical ZTA solution that is also manageable for the end users and operationally sustainable. In many cases this involves end user education to speed adoption and an understanding of how ZTA can increase productivity. Our solution encompasses:
- Strong User and Device Authentication – We utilize multi-factor authentication (MFA) to ensure strong user authentication, tying MFA with device security posture assessment to provide a single agent to validate the user and device prior to allowing application access.
- The Perimeter at the Endpoint – Authentication, authorization and encrypted access to only authorized applications begin at the endpoint. We use a cloud-based controller that performs the strong user and device authentication defined above.
- The Perimeter at the Network Boundary – Next Generation Firewall (NGFW) solutions provide similar user and device validation.
- ZTA Policy Validation – On premises, this involves traffic and threat visibility using packet sniffing and NetFlow analysis to alert when a policy is violated. For cloud, it involves API access to monitor and validate access to cloud-based applications.
- ZTA Policy Violation Policing – The automated enforcement based on the alerts is the final piece. The policing tools can ingest that information and quarantine a device if it is shown to violate the ZTA policy.
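As an added example (not code from Iron Bow or this article), the following Python sketch shows how the user and device authentication, policy validation and policing components above fit together: a controller that grants application access only when MFA and device posture both pass, and a policing step that quarantines a device when constructed NetFlow-style records show a policy violation. The class and field names, thresholds and sample records are all assumptions.

```python
# Added example, not Iron Bow's code; names, thresholds and records are constructed.
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    mfa_verified: bool          # set by the MFA step on the controller

@dataclass
class Device:
    device_id: str
    disk_encrypted: bool
    edr_running: bool
    patch_age_days: int         # days since the last patch was applied

@dataclass
class ZtaController:
    max_patch_age_days: int = 30
    quarantined: set = field(default_factory=set)

    def device_compliant(self, dev: Device) -> bool:
        return (dev.disk_encrypted and dev.edr_running
                and dev.patch_age_days <= self.max_patch_age_days)

    def authorize(self, user: User, dev: Device, app: str, entitlements: dict):
        """Grant access only if user MFA, device posture and app entitlement all pass."""
        if dev.device_id in self.quarantined:
            return False, "device quarantined"
        if not user.mfa_verified:
            return False, "mfa required"
        if not self.device_compliant(dev):
            return False, "device posture failed"
        if app not in entitlements.get(user.name, set()):
            return False, "app not authorized"
        return True, "allowed"

    def police_flows(self, flows: list, entitlements: dict) -> list:
        """Validate observed flows against policy; quarantine devices that violate it."""
        alerts = []
        for f in flows:
            if f["app"] not in entitlements.get(f["user"], set()):
                alerts.append(f"{f['user']}@{f['device']} reached {f['app']} without entitlement")
                self.quarantined.add(f["device"])
        return alerts
# Constructed sample data: per-user entitlements and simplified NetFlow-style records.
ENTITLEMENTS = {"alice": {"hr-portal"}, "bob": {"hr-portal", "finance"}}
SAMPLE_FLOWS = [
    {"user": "bob", "device": "lap-02", "app": "finance"},     # allowed
    {"user": "alice", "device": "lap-01", "app": "finance"},   # violation
]
```

Once a device is quarantined by the policing step, the controller denies it further application access even though its user and posture checks would otherwise pass.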
Security is a collaborative effort to minimize shared risk
There are multiple aspects to consider in cloud security. In fact, cloud security is a shared responsibility between the cloud service provider, the application vendor, and the organization using cloud solutions. The provider must safeguard the cloud infrastructure, including patching and configuration. Although the cloud infrastructure will have security features built in as part of the cloud service delivery, that does not mean customer-deployed applications themselves are secure. Finally, organizations using the cloud are responsible for the identity and access management of users accessing the cloud.
For any questions regarding Iron Bow’s security practices and expertise, contact us.