Artificial intelligence (AI) and machine learning (ML) capabilities are still coming to bear as Federal agencies continue to understand how these technologies can help drive cloud adoption and evolution. However, to be successful in this environment, Federal agencies must understand their security obligations and those of a cloud computing provider to ensure accountability, along with the role that AI/ML plays in security automation, a senior Cybersecurity and Infrastructure Security Agency (CISA) official said.
Brian Gattoni, chief technology officer (CTO) at CISA, explained that while technology solutions change every day, what remains the same is that “you own the risk, it’s your environment, it’s your mission, it’s your enterprise.”
“An agency may be outsourcing services, such as computing and data storage support, to a third party partner but they are not outsourcing risk,” Gattoni said at FCW’s Cloud Summit event on March 6. “To be successful in cloud security, agencies must understand who is responsible – in the myriad of partnerships – for what aspects of the security lifecycle from monitoring to alerting to remediation and notification.”
Any technology comes with potential vulnerabilities, but being able to quickly spot them is key to managing risk, Gattoni explained. In a shared responsibility model, putting that responsibility on both cloud computing providers and their users helps to ensure accountability.
For example, the cloud operator may have the first observable point for a potential threat vector, and in this case agencies are going to want “service level agreements or contractual obligations for notification back to your enterprise baked in along with the technology you’re bringing into your risk environment,” Gattoni said.
The CISA official explained that cybersecurity automation improves security response tremendously, and accomplishes the task more efficiently. Instead of simply sounding an alarm to signal a human security technician to act, an automated cybersecurity system could recognize a potential threat and would be able to neutralize it. AI and ML tech gives automated cybersecurity systems the ability to decide the best way to defuse the threat.
However, agencies need to be clear about “the services they operate and what your automated responses may do from a benefit or regret perspective and the tools that will help you get there,” Gattoni said.