Five cloud-native security risks agencies need to address
Joe Sangiuliano is Regional Vice President-Public Sector, Prisma Cloud, Palo Alto Networks.
For all the efforts underway at federal agencies to fortify cybersecurity protections, it’s easy to overlook the often unseen and erosive impact of application vulnerabilities coursing through federal network environments.
Part of the problem is the extent to which agencies have shifted their IT operations to multiple cloud environments and embraced cloud-native applications. While those decisions have helped speed modernization and improve security in many respects, they’ve also led to a dramatic escalation in the number of opportunities for bad actors to exploit or inject vulnerabilities into these environments.
That was made painfully clear two years ago when Log4j, an open-source logging library and one of the many building blocks used in creating modern software, was exploited by malicious actors, allowing hackers to penetrate and disrupt enterprise IT systems across the federal government and around the world.
Another factor, though, is how much the security expertise of federal agencies remains rooted in managing on-premises IT systems that typically rely on specialized security solutions. Today’s cloud-based applications are designed to deliver modular microservices packaged in efficient, virtual containers that can be discovered, scaled and managed dynamically. Legacy on-prem solutions weren’t designed to handle these new applications, nor can they protect agencies from the vast number of vulnerabilities emerging in today’s dynamic, multi-cloud environment.
Cloud-native security risks
There are many cloud-native security risks that agencies need to prepare for. However, federal leaders should pay particular attention to five of them, and to the fact that addressing them will require a new generation of security solutions designed specifically for cloud-native applications and deployments:
- Application Vulnerabilities – Vulnerabilities that lurk within containers rather than on hosts or servers.
- Infrastructure Misconfiguration – Cloud resources are dynamic and highly scalable. But there’s a shared security responsibility with cloud service providers. That can lead to gaps in security configurations for all assets and services.
- Overprovisioned Access – The number and complexity of users, roles, and permissions increase exponentially in multi-cloud environments, making it harder for Identity and Access Management (IAM) systems to regulate permissions. That can lead to over-privileged access and challenges in implementing a least-privileged access security paradigm.
- Insecure APIs (Application Programming Interfaces) – Microservice-based architecture drives the proliferation of APIs and API usage. These services have to be secured at the API level, reducing the benefit of classic web application firewall (WAF)-based approaches to application-level security.
- Malware – Malicious software can take advantage of all the above risks, giving it a greater chance of success at gaining access to your applications and data.
In light of those and other cloud security challenges, agencies must have the right tools and capabilities to identify these risks early in the DevOps process.
Addressing technical issues and potential risks earlier in the software development lifecycle (SDLC) is not a new concept. It’s always easier and less costly to remediate problems early in the lifecycle than after the software has been deployed. What’s changed with cloud-native applications is the degree to which the costs and complexity can be reduced, especially given the speed with which cloud applications can be deployed, the scale of their deployment and the technical complexity of today’s multi-cloud systems.
How CNAPPs improve agency security
What’s also changed over the past couple of years are the capabilities of Cloud Native Application Protection Platforms (CNAPPs), which can address cloud-native application security throughout the entire lifecycle of those applications.
Before CNAPP, customers had to cobble together various point solutions with minimal integration and practically no end-to-end visibility to address these and other security risks. That often meant having to adapt or modify customers’ security goals and processes to accommodate the limitations of those point solutions.
With the emergence of comprehensive CNAPP solutions like Palo Alto Networks’ Prisma Cloud, which both Frost and Sullivan and GigaOm recognized as a leader in its category, federal agencies can build cloud-native security protections more easily into their processes and their DevSecOps ecosystems. Prisma Cloud also makes it easier to establish end-to-end visibility, verify security compliance and manage governance for applications operating across multi-cloud environments.
While federal agencies continue to grapple with longer-term security goals — including the need to implement zero-trust security architecture — government leaders must also come to terms with the nearer-term rise of new and rapidly-evolving vulnerabilities inherent in today’s cloud-based applications.