By Bob Gilbert, VP, GTM Strategy and Chief Evangelist, Netskope
Innovation has always stood at the intersection of seeking to become “smarter, faster, better,” while pursuing answers to the question, “Why not?”
A recent keynote address from Lt. Gen. Robert Skinner, director of the Defense Information Systems Agency (DISA), stands out as a perfect example of this digital transformation-inspired dynamic. Skinner spoke at AFCEA International’s TechNet Cyber event and presented a “wish list” of advancements that would help DISA significantly improve operations and solve its problems. “Every great innovation started when somebody said, ‘Wouldn’t it be cool if…’” Skinner told his audience of private sector IT firms.
“Cool” is terrific. But it only works if we bring security into conceptualization, development and deployment processes from the very start, instead of treating it as an afterthought. With this kind of “cybersecurity first” thinking in mind, here are three “wishes” from Skinner’s list – a list that should apply to all Federal agencies – and how we can achieve them while more effectively protecting our networks, data and systems:
Accomplishing cloud deployments within hours that enable real-time, ongoing missions…
Skinner recalled last year’s cloud-supported evacuation of Americans and Afghani citizens from Kabul, calling it a “huge win,” with command and control (C2) in place within 72 hours, versus what might otherwise take weeks or months to put in place.
This speaks to a very human-focused component of innovation – reaching out across the world to individuals and families in uncertain times and situations, and even saving lives. A “need for speed” sense of urgency emerges in these moments, and it applies just as much to government cloud initiatives that are less dramatic in nature.
Yet, without the incorporation of “cybersecurity first” into these efforts, swiftly assembled cloud environments will remain highly vulnerable. That’s why many agencies are discovering what is called security service edge (SSE). As defined by Gartner, SSE unifies a number of cloud-native security services into a single control point that protects people and data everywhere they go. Core security services include a cloud access security broker for governing access to cloud applications, a cloud-enabled secure web gateway for protecting employees as they access the wild west of the internet and websites, and zero trust network access, which provides fast and secure access to private app resources located in an agency’s data center or in the public cloud.
What’s more, agencies can implement SSE as rapidly as DISA’s cloud deployment wish. Within five minutes, they can acquire SSE protection from malware and risky websites, along with dozens of machine learning (ML) models to look for sensitive data to ensure it isn’t subject to possible exposure. Within ten minutes, these agencies can add on remote browser isolation (RBI), data loss prevention (DLP), user behavior analytics (UBA) and additional tools considered essential today.
Bringing DevSecOps to the legacy environment…
Skinner said DISA has thousands of applications that are not modern, and this creates challenges which private industry-based DevSecOps could help address.
That kind of modernization represents a cornerstone of a fully realized digital transformation. But we also strongly recommend that DISA and other agencies fortify systems and applications during and after the transition with zero trust network access (ZTNA). The White House Executive Order on Improving the Nation’s Cybersecurity and a follow-up Office of Management and Budget (OMB) memorandum directed the government to advance toward a zero trust (ZT) architecture, to eliminate “implicit trust in any one element, node or service,” and continuously verify operations via real-time information from multiple sources.
Fortunately, government leaders are taking heed and buying into ZT: Seventy-eight percent of Federal cybersecurity decision-makers feel a “strong” sense of urgency in implementing ZT and 73 percent say they are “aggressively” adopting it. In doing so, they should extend these efforts to bringing DevSecOps into legacy systems.
Harmonizing cybersecurity and the user experience…
This is when security teams must think in terms of milliseconds: Optimal network performance and productivity-boosting low latency drive positive user experiences. If latency increases due to security controls – again, even by milliseconds – user experiences decline.
Today’s younger generation of workers does not accept trade-offs in the interest of protection. By investing in secure access service edge (SASE) solutions, agencies deploy defenses at the edge where and when they’re needed, with high-powered, real-time, inline processing that supports hundreds of millions of users with the lowest possible latency.
Skinner also spoke of getting industry ideas “in the right place” and ensuring innovation is not hindered by “institutional silliness.” He asked for examples of policies which are inhibiting progress, to hopefully fix them.
We’d hope that this input would be universally welcome. Private industry and government leaders need to spend more time collaborating and less on navigating onerous, complex and unyielding policies which have outlived their purpose. If we can do this in the interest of on-demand cloud deployments, legacy modernizations and user experiences that, indeed, make agencies “smarter, faster, better” – and safer – we will truly place ourselves at the forefront of a profound and lasting digital transformation.