Raj Parameswaran, President for Information Technology at Maximus Federal, and Shane M. Barney, Chief Information Security Officer, Office of Information Technology, USCIS, DHS, joined the FCW FedRAMP Summit for an insightful panel on the importance of automation as a component of FedRAMP and the larger role it plays in the overall security strategy for a cloud environment. The panel was hosted by Troy Schneider of FCW and GCN on August 18, 2021.
“Automation and cloud go hand-in-hand”
When asked about how USCIS is addressing security within the cloud, Barney responded definitively: “Automation and cloud go hand-in-hand.” He explained that when operating in a cloud environment, the human element should be removed from the data-digging role through automation, thereby placing the human in the decision-making role. Barney said his teams quickly realized that the amount of data from their cloud systems was too much for staff to handle and recognized the importance of deploying security automation early on. He summarized by noting that “Automation really serves as that linchpin between us understanding and doing the trust-and-verify aspects [of security], but also doing it in a form that best utilizes our resources.”
Parameswaran noted that the FedRAMP framework lends itself to a standardized way of ensuring security within a cloud environment. Since it’s not feasible to have your people staring at a monitor trying to identify security threats, there’s a fundamental business need to embed automation into the security strategy around your cloud environment. “Automation is not just a post-function…it is a lifecycle process,” said Parameswaran. He stated that it needs to be a part of the entire lifecycle, from design to implementation and then operation.
Threat intelligence must be automated
Barney noted that as fast as they are moving with technology, threat actors are moving just as fast. He highlighted that automation tools can quickly identify if something has been made public that shouldn’t be, shut it off to public access, send out an alert to an analyst, and pull all logs of the incident so that the analyst can quickly make a decision on how to act. The benefit? “An incident that would have normally taken us hours and hours to investigate is literally over and done within fifteen minutes,” he explained.
Start with the right processes in place
Parameswaran explained that you want to streamline the automation of your cloud security posture but that it's extremely important to ensure that the processes you automate are fully optimized. A mature and standardized process will help ensure the maximum benefit from automating it. In other words, “don’t automate a bad process,” said Parameswaran.
The future of security is cloud-based
With agencies moving more and more systems to the cloud and threat vectors increasing, security has become truly paramount. Barney noted that because the move to the cloud has greatly increased the number of near-misses from threats, security automation needs to be built in from the beginning. “I believe security comes first, and then you build on top of it,” he said. Barney also stressed that the integration of security programs is an integral factor in better identifying threats and eliminating the manual processes around them, adding that automation is the end state.
As cloud migration continues and the requisite focus on security grows, staffing needs are changing as well. Parameswaran noted that he sees two different profiles for cybersecurity experts: data engineers who know how to create models that can be automated, and security development engineers who can develop true automation based on what the data tells them about behaviors.