Building a resilient multicloud strategy in government

NTT recently held a series of roundtables in Australia to discuss cybersecurity challenges facing the public sector. Security teams’ lack of visibility and control was a prevailing concern, particularly as state and federal agencies execute cloud-first strategies and embrace greater levels of automation.

As Australian public-sector organizations continue with their digital transformation and move closer to Gartner’s concept of a post-digital government, gaps are emerging in their security capability and management. This is at a time when cyberthreats are rapidly escalating and evolving, and citizens’ trust in government institutions and services has never been more important.

In this article, I’ll explain some of the key issues from those roundtable discussions and our ongoing engagements with our public-sector clients.

• ALSO READ → Navigate through cloud complexity to achieve cloud clarity

The need for visibility and security

First, security models are being tested in the migration to cloud. Most Australian government organizations have adopted a cloud-first policy, but simply “lifting and shifting” existing security measures doesn’t mean they will have adequate protection for cloud-based workloads or assets.

The primary issue is a lack of visibility. These organizations typically don’t have the security controls or visibility they need to protect containerized environments.

Also, while cloud service providers maintain security up to the infrastructure layer, public-sector organizations don’t have the same level of visibility or control over software updates in public clouds as they did over their on-premises environments. They require a new set of capabilities for cloud observability.

This lack of visibility also increases the potential financial risk associated with the move to cloud, because without it, organizations can’t optimize their cloud costs. The complexity of cloud environments and a lack of centralized oversight may cause cost overruns that industry analysts estimate could equate to wastage of more than 30% in total cloud spending.

Increasingly, public-sector organizations will need to consolidate their existing security tools to close any gaps that may develop in their security capability when they deploy cloud-based solutions. They may also have to invest in cloud security platforms if those capabilities aren’t part of their current security solutions.

• ALSO READ → Cybersecurity: zero trust is your castle’s new moat

The rise of AI and automation tools

Second, while AI and automation tools can increase efficiency in government, they may also amplify risks that could lead to community harm. Public-sector organizations need to consider how these automated processes are executed across their multicloud infrastructure.

Adversaries are also using automation and AI tools to intensify their attacks.

When we work with public-sector clients, we look at what sort of security oversight and controls they have in place to deflect such attacks. We also analyze the thresholds or triggers for their security teams to step in and assess possibly malicious activities.

Communities have high expectations that public-sector organizations will ensure the security and confidentiality of their personal information. When multicloud infrastructure and automation tools are used to share data across departments and agencies, it’s critical that data strategy and governance models adapt to protect this information as it’s being used in new ways.

Finding and developing the right skill sets

Finally, public-sector organizations need to find or develop the skill sets needed to address and manage application security. They are increasingly adopting modular and low-code practices – such as open-source libraries, cloud-based apps and micro-apps – in building new applications and processes. This decentralized development process exposes them to greater risk.

So, how do cybersecurity teams control the development, testing and deployment of applications without stifling innovation? How do they build the necessary internal DevSecOps capabilities? Their efforts can be augmented with a cloud-native application protection platform (CNAPP), an all-in-one software platform that simplifies detecting and acting on potential cloud security threats and vulnerabilities.

By giving their development teams access to the application building blocks within a CNAPP environment, public-sector organizations can create end-to-end cloud and application security – from development to production.

A new perspective on governance, risk and compliance

In adopting a resilient multicloud approach, public-sector organizations are still thinking about the same basic concepts of governance, risk and compliance – but it’s important to reassess everything through a new lens.