Digital transformation was only a trend a few years ago; however, it has quickly become a reality for many organizations, including government agencies. The COVID-19 pandemic has pushed all kinds of government agencies to reconsider their timelines and potential impact of digital initiatives, whether this means moving core technology infrastructure to the cloud, rolling out more modern productivity tools for employees, or using artificial intelligence to better deliver public services.
By Jeanette Manfra, Global Director – Security and Compliance, Google Cloud
This accelerated demand for cloud services has thrust the issues of compliance and security squarely into the spotlight. The public sector is one of the most heavily regulated industries, and moving to the cloud requires protecting sensitive workloads while achieving and maintaining compliance with complex regulatory requirements, frameworks, and guidelines. In January, the Department of Defense (DoD) published the Cybersecurity Maturity Model Certification (CMMC), a new standard designed to ensure cyber hygiene throughout the DoD supply chain. It mandates that vendors meet a basic level of cybersecurity standards when responding to requests for proposals. This framework and countless others, such as NIST Special Publication 800-172 and the Federal Risk and Authorization Management Program (FedRAMP), have been introduced to encourage cybersecurity best practices as agencies adopt emerging technologies, including the cloud.
At Google Cloud, we understand first-hand the security challenges and opportunities the cloud can offer. That’s why security and data protection are among our primary design criteria for our cloud services. Security drives our organizational structure, training priorities, and hiring processes. It shapes our data centers and the technology they house. It’s prioritized in the way we handle customer data, and it’s the cornerstone of our account controls.
Compliance without compromise
Security and compliance topics dominate my conversations with government agencies. And rightly so. They are committed to protecting the information they have been entrusted with in order to safeguard their constituents and employees. This commitment requires an understanding of how to navigate the complexities of compliance and privacy in the cloud. As government agencies and the enterprises that serve them adopt cloud technologies, security and compliance requirements such as data residency and administrative access are key considerations. To meet these requirements, many cloud providers have built separate environments, with standalone data centers, to run government workloads. Because these “government clouds” are run through specialized, standalone data centers, they often have a lag time in receiving new features.
In addition, these “gov clouds” don’t come with all the technology and benefits that a modern commercial cloud provides, and can impact the government’s access to new, innovative technologies — whether it’s data analytics, artificial intelligence and machine learning, or even new security protections.
We believe that compliance shouldn’t require compromising functionality or service availability. For this reason, we recently introduced Assured Workloads for Government (currently in private beta), which gives agencies all the benefits of a public cloud, without the compromises of traditional “gov clouds.” It allows regulated customers to accelerate their path to running compliant workloads on commercial cloud environments by enforcing required security and compliance controls. It simplifies the compliance configuration process and provides seamless platform compatibility between government and commercial cloud services.
With Assured Workloads for Government, users can quickly and easily create controlled environments where U.S. data location and personnel access controls are enforced in any of Google Cloud’s U.S. cloud regions. Users can also limit personnel access based on predefined attributes such as a particular geographical location, citizenship, and background checks.
Assured Workloads for Government helps government customers, suppliers, and contractors meet the high security and compliance standards set forth by the DoD (i.e., IL4), the FBI’s Criminal Justice Information Services Division (CJIS), and FedRAMP, while still having access to all the latest features. With just a few clicks, users can configure sensitive workloads to align with their security and compliance requirements. It is a prime example of how automation enabled by cloud services can improve government IT risk management.
Since we launched Assured Workloads for Government, we have worked with a variety of local, state, and federal agencies to help configure their workloads to support compliance requirements. Early adopters were excited to take advantage of Assured Workloads for Government’s commercial cloud capabilities while maintaining regulatory compliance without the need for a legacy gov cloud.
Additionally, in the coming months, we plan to roll out new features and expand the general availability of Assured Workloads to include new capabilities, like new security and compliance monitoring tools, the ability to restrict products and services by compliance regime, support for additional regulated industries beyond the public sector, and compliance blueprints targeting specific customer use cases.
Putting your trust in Zero Trust
While the original motivation behind creating “gov clouds” was to meet rigorous FedRAMP standards, the result prolonged the embrace of antiquated, perimeter-based security models that were in vogue nearly a decade ago. These “gov clouds” are built under the assumption that all employees work exclusively on devices owned by an organization, and these employees are always operating within the company’s private network. In today’s modern work environment, we know this is no longer true. It is especially so during the current pandemic, in which remote work is at the forefront.
Nearly ten years ago, Google decided that every employee should be able to work from any network without the use of a VPN. This decision has drastically shifted the way Google — and today the technology industry overall — thinks about ensuring security for remote workforces. Called “zero trust,” this model does not assume that being on or off the corporate network makes an employee more or less trustworthy. Instead, access decisions are based on a variety of factors, such as a user’s IP address, behavior, or the files being accessed. Zero trust removes the requirement of building a perimeter that gives the illusion of a “digital fortress,” because users aren’t trusted simply for being inside the perimeter.
A recent study found that federal government IT executives are now embracing this shift toward a perimeter-less environment, reporting that it greatly improves risk management and their security posture, while also providing better overall user experience. For example, we’re working with the Defense Innovation Unit (DIU) to build a secure cloud management solution to detect, protect against, and respond to cyberthreats worldwide.
As government agencies look to transform digitally, it’s imperative that they make security modernization a part of their journey. More than ever before, employees and users are on the move, agencies have an influx of remote devices and endpoints to secure, and data is moving to the cloud from on-prem environments. A security model built on the foundation of zero-trust networks ensures government agencies can benefit from feature-rich cloud environments that have achieved industry certifications and standards. We continue to build and maintain the highest levels of security and trust in our technical infrastructure and services to empower government agencies to stay compliant in this ever-changing environment. In doing so, we’ve provided a framework for them to securely take advantage of the cloud so they can improve citizen services, increase their operational effectiveness, and deliver proven innovation.
This story first appeared in the November 2020 issue of CISO MAG.
About the Author
Jeanette Manfra is the Director for Government Security and Compliance within the Google Cloud Office of the CISO. Jeanette is focusing on helping customers, particularly those in regulated industries, build and maintain the highest levels of security and trust in their technical infrastructure and services.
Prior to joining Google, Manfra was the Assistant Director for Cybersecurity for the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) within the U.S. Federal Government. In that role, she was responsible for driving security modernization across Federal civilian agencies as well as enabling the security of critical infrastructure across the US. Manfra spent more than a decade serving in various roles at the Department of Homeland Security and the White House focused on establishing the nation’s first civilian cyber defense agency.
Manfra is a proud veteran of the U.S. Army and alumna of the University of Wisconsin and the Johns Hopkins University.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same. CISO MAG did not test the products and services mentioned in this article.