As Federal agencies migrate applications to cloud environments, a major impediment to broader adoption of cloud technologies is the ability to protect information and virtual assets, and to gain enough visibility to ensure that both the agencies and cloud providers are complying with legal and business requirements.
To that end, the National Institute of Standards and Technology (NIST) is working with a consortium of technology vendors via its National Cybersecurity Center of Excellence (NCCoE) to develop a trusted cloud solution that will demonstrate how trusted compute pools leveraging commercial technologies can provide the necessary security capabilities.
“These capabilities will not only provide assurance that cloud workloads are running on trusted hardware and in a trusted geolocation or logical boundary, but also will improve the protections for the data in the workloads and data flows between workloads,” according to a NIST summary of the project.
The example solution will address a particular use case scenario: lifting and shifting a typical multi-tier application from an organization-controlled private cloud to a hybrid/public cloud over the internet. The consortium of technology vendors includes Dell EMC, Gemalto, Hytrust, IBM, Intel, RSA, and VMware.
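The trusted compute pool idea in the project summary comes down to a placement decision: a workload is only scheduled onto a host whose platform attestation is verified and whose provisioned geolocation tag is one the workload's policy allows. The following Python model is an added example and not code from NIST, the NCCoE or any consortium vendor; the host attestation records, the geolocation tag names, the policy fields and the one-hour freshness window are all constructed assumptions for illustration. It also records why each host was rejected, which is the kind of visibility the article says agencies need.

```python
"""Added example (not NIST/NCCoE or vendor code): a minimal trusted compute
pool placement check. Each host carries an attestation record; each workload
carries a policy. Only hosts that are verified trusted, inside the allowed
geolocation boundary, and recently attested are eligible. All data below is
constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class HostAttestation:
    host_id: str
    trusted: bool          # platform measurements matched a known-good policy
    geolocation: str       # asset tag provisioned into the platform (assumed names)
    attested_at: datetime  # when the attestation service last verified the host


@dataclass(frozen=True)
class WorkloadPolicy:
    name: str
    require_trusted: bool = True
    allowed_geolocations: frozenset = frozenset()     # empty set = no boundary
    max_attestation_age: timedelta = timedelta(hours=1)  # assumed freshness window


def evaluate_host(policy: WorkloadPolicy, host: HostAttestation, now: datetime) -> str:
    """Return "ok" if the host satisfies the policy, otherwise a reason code."""
    if policy.require_trusted and not host.trusted:
        return "untrusted"
    if policy.allowed_geolocations and host.geolocation not in policy.allowed_geolocations:
        return "geolocation"
    if now - host.attested_at > policy.max_attestation_age:
        return "stale"  # an old attestation is treated as no attestation
    return "ok"


def eligible_hosts(policy: WorkloadPolicy, hosts, now: datetime) -> list:
    """Sorted ids of hosts the workload may be placed on."""
    return sorted(h.host_id for h in hosts if evaluate_host(policy, h, now) == "ok")


def placement_report(policy: WorkloadPolicy, hosts, now: datetime) -> dict:
    """Per-host decision with reason codes, for audit and visibility."""
    return {h.host_id: evaluate_host(policy, h, now) for h in hosts}


# Constructed reference time and sample hosts spanning the private and public sides.
NOW = datetime(2018, 9, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_HOSTS = [
    HostAttestation("priv-01", True, "US-East", NOW - timedelta(minutes=5)),
    HostAttestation("pub-01", True, "US-West", NOW - timedelta(minutes=10)),
    HostAttestation("pub-02", False, "US-East", NOW - timedelta(minutes=2)),
    HostAttestation("pub-03", True, "US-East", NOW - timedelta(hours=3)),
]

if __name__ == "__main__":
    db_policy = WorkloadPolicy("db-tier", allowed_geolocations=frozenset({"US-East"}))
    print("eligible:", eligible_hosts(db_policy, SAMPLE_HOSTS, NOW))
    print("report:", placement_report(db_policy, SAMPLE_HOSTS, NOW))
```

Running the script places the database tier only on priv-01: pub-02 fails trust, pub-03 has a stale attestation, and pub-01 is outside the US-East boundary. Relaxing the boundary to include US-West makes pub-01 eligible as well, which is the kind of cross-stack policy the project aims to keep consistent between the on-premise and hosted clouds.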
Kevin Jackson, founder and chief executive officer of GovCloud Network, which helps enterprises and agencies develop plans and strategies to leverage cloud-based services, questioned how agencies can take advantage of the scalability and elasticity of cloud computing if they adopt the “lift and shift” strategy for their applications.
To fully realize the values of the adoption of cloud computing services, Jackson noted, organizations should carry out the following actions.
- Screen the organization’s complete application portfolio and only target for migration those applications that are compatible with the cloud service provider’s highly standardized environment.
- Update the organization’s data classification governance so that it can properly address modern data privacy and data sovereignty laws and regulations.
- Target applications to their most appropriate infrastructure model (traditional datacenter, managed service provider, or cloud service provider) based on the organization’s budgetary strategy and risk management process.
- For applications destined for the cloud, expend the resources needed to modify migrating applications so that they can leverage the scalable and elastic cloud services to the benefit of the organization’s mission.
- Avoid the consumption of services that are unique to any single cloud service provider.
Bridging the Gap
“The adoption of a ‘lift and shift’ strategy for cloud migration simply ignores these well-known cloud migration best practices,” Jackson said. “While acknowledging that this is the most popular cloud migration option in the government marketplace, I cannot personally support the development of a NIST-endorsed ‘lift and shift’ recommendation,” he added.
However, Murugiah Souppaya, a NIST computer scientist, said Jackson’s steps for cloud adoption would be ideal in a perfect world or for a modern company established a few years ago. But for large organizations, such as Federal agencies with large legacy systems, the overhead to go down that path is high. “In terms of execution, it will take a lot of time, resources, and overhead, and will also be a multi-year strategy.” Ultimately, a cloud native environment is the direction where many organizations want to be, but NIST and its industry partners are trying to give organizations a roadmap – albeit incremental – where managers can embark on their cloud journey now.
Many large organizations have on-premise, virtualized cloud environments and want to move workloads into secure, commercial cloud infrastructures to take advantage of new technologies. However, to take advantage of the full cloud capabilities of a Google Cloud or Microsoft Azure, agencies must refactor or modernize applications. So, this initial step is making it easier for large enterprises to use the same type of toolsets, control, and visibility they have on-premise and extend that to the public cloud, Souppaya explained.
“We are bridging the on-premise cloud stack to the hosted cloud service provider, providing the same security controls and capabilities across the two stacks,” Souppaya said. Other use-case examples NIST will work on include the use of the public cloud for disaster recovery, and giving multinational companies the ability to extend on-premise cloud capabilities from headquarters to multiple sites around the world.
These use cases are some of the low-hanging fruit enterprises can embark on. Once organizations obtain a certain level of comfort with the cloud – how it works and its cost models – the next phase is for agencies to take better advantage of cloud native capabilities, he noted.
According to Cameron Chehreh, vice president, chief operating officer, and chief technology officer with Dell EMC Federal, the NCCoE project is among the most exciting work that NIST has done in the past five years. NIST is building something that is operationally capable, he noted. Bringing the consortium together to test security control sets in the lab and to build something that is “manufactured-secure,” so that an agency can feel more comfortable buying it, is brilliant, he said.
Too often, government is caught in the conundrum between marketing and reality. Major cloud providers do a great job of marketing cloud capabilities, “but working with customers on being prescriptive on how to deal with cybersecurity issues and the ability to operationalize the cloud, is fundamentally different,” Chehreh said. NIST is looking to bridge that gap now and with the next generation of the cloud as it takes on more edge and fault computing.
The comment period for the preliminary draft of the NIST Cybersecurity Practice Guide being developed for this project ends September 30, 2018. Comments may be submitted to trusted-cloud-nccoe@nist.gov with the subject “Comments on Trusted Hybrid Cloud VolA-PD1.”