Securing cloud applications in government’s multi-cloud world
Local and state governments have increasingly embraced a multi-cloud strategy, providing them with greater resiliency than ever before and helping avoid vendor lock-in.
However, while distributing agency application infrastructure and workloads among different cloud providers has distinct benefits, it also has specific drawbacks. Today, government IT teams find themselves navigating a labyrinth of security controls, compliance requirements, and risk management practices. As a result, by embracing a multi-cloud strategy, government agencies must also be prepared to address a series of operational and security challenges.
A major challenge: Managing workload identity
Securing multi-cloud applications for state and local government entities presents a major challenge: managing workload identity. Incidents like the 2023 Cloudflare and Okta breaches offer ample evidence that failure to do so can lead to catastrophic consequences, from mishandled identities to issues with access credentials.
By exploiting stolen authentication tokens and service account credentials from a prior Okta breach, a nation-state attacker gained persistent access to Cloudflare’s internal systems, compromising its Confluence wiki, Jira bug database and Bitbucket source code management system. Cloudflare responded by cutting off access and rotating more than 5,000 production credentials, mitigating further damage. Despite the quick response, this incident provides a stark reminder of the challenges of consistently managing identities and access controls across a dispersed multi-cloud architecture.
Security, however, doesn’t stop there. While it is critical to secure infrastructure, threats can also manifest at runtime. In 2023 alone, a shocking 49% increase in runtime security incidents occurred, according to a report by Armosec. With more applications than ever before executed across multi-cloud environments, vulnerabilities and misconfigurations are likely to rise exponentially.
With that in mind, state and local governments cannot afford to ignore monitoring, detection and response capabilities that will enable them to identify and mitigate runtime threats in real-time. They must also adopt a comprehensive security approach that goes well beyond simple infrastructure hardening.
Best practices for securing applications
It is critical for state and local agencies to ensure a strong, consistent identity for applications and services when distributing workloads across different cloud platforms. Some solutions, for example, provide identity-based access controls that seamlessly integrate with a multi-cloud strategy. Doing so ensures that only authorized workloads can communicate and access sensitive data. But don’t stop there. Other best practices that state and local governments should make a part of their security arsenal include:
• Zero trust: Even with identities in place, users must operate under the assumption that no request can be trusted blindly. By implementing zero-trust principles, agencies can enforce continuous verification and prevent unauthorized access. This, in turn, enables you to fully leverage identity and access management solutions. Security must be handled up front, rather than waiting until everything is up and running.
• Secure code: It is essential to write secure code to avoid vulnerabilities in a multi-cloud world. Before ever reaching the production environment, automated secrets management and code scanning must be leveraged to catch insecure code. The bottom line is that a comprehensive security policy demands applications to be protected at every level, from infrastructure to code.
• Vulnerability scanning: Vulnerability scans of cloud infrastructure and applications must be conducted regularly to identify and remediate any security weaknesses before they can be exploited. Users must employ a vulnerability scanner designed for multi-cloud environments. These scanners will enable identification of vulnerabilities across different cloud platforms and can be integrated with the existing security infrastructure.
• Security policies: While it’s not easy to implement consistent security policies across multiple cloud environments, it is essential to maintain a strong security posture. With that in mind, government agencies must establish and enforce uniform security policies and standards across all cloud platforms being used. Doing so guarantees consistent protection regardless of where applications reside and helps identify and address vulnerabilities before they slip through the cracks.
• Threat intelligence and monitoring: Threat intelligence feeds must be leveraged to provide real-time information on emerging threats, vulnerabilities, and malicious actors. You can integrate such feeds into SIEM and CSPM tools for automated threat detection and correlation. State and local agencies should also consider deploying Intrusion Detection and Prevention Systems (IDPS) solutions to help detect and prevent unauthorized access attempts, malicious traffic, and suspicious activities.
• Social engineering: Social engineering attacks, which manipulate individuals into divulging confidential information or granting unauthorized access, pose an equally significant threat to multi-cloud security. And let’s face it, no amount of technology can compensate for human error, which is why a security-conscious culture matters. Agencies must implement regular security awareness training for all users about common social engineering tactics such as phishing, pretexting, and baiting. It takes both the right technology and well-informed, vigilant users to enact a holistic approach to multi-cloud security.
Building multi-layered defenses
The old saying that there is safety in numbers applies to securing multi-cloud environments. By implementing a layered approach to the security of their multi-cloud environments, state and local governments can position themselves to confidently scale their applications across multiple cloud providers and, in doing so, foster resilience and minimize the risk of breaches.
Brian McHenry is the global head of cloud security engineering at Check Point Software Technologies, leading all pre-sales and customer success functions for Check Point’s CloudGuard portfolio. Formerly the vice president of product management for WAF & API Security at F5, Brian is passionate about aligning product strategies and solutions to more secure business outcomes. Additionally, he is a co-founder of the New York chapter of Security B-Sides, an organization dedicated to making cybersecurity careers and conferences more equitable and accessible.