Hybrid Multicloud Strategies Are Keeping the Public Sector at the Forefront of Threat Mitigation

Zero trust, DevSecOps, and agile methodologies are critical in bridging the power of commercial multicloud environments and the security of private data centers.

Dr. Nandish Mattikalli, Chief Engineer, BAE Systems Intelligence Solutions

January 6, 2022

4 Min Read
Person standing in front of a digital cloud image
Source: phonlamaiphoto via Adobe Stock

As with many other industries in the past year, the public sector is becoming increasingly reliant on the cloud to evolve, scale, and effectively serve its customers. Of course, adopting and embracing the cloud is never straightforward — especially given the unique set of challenges that public sector organizations must account for on their digital transformation journeys. Such organizations typically face a lot of complexity, with a mix of legacy infrastructure as well as modern private and public clouds. The attack surface only increases with complexity and the inevitable silos across IT environments and agencies.

Take, for example, the May 2021 cyberattack on the Colonial Pipeline, which transports gasoline, diesel, and jet fuel over 5,000 miles from Houston to New York. The real-world repercussions of a successful cyberattack were on clear display, which spurred a new sense of urgency for public sector organizations to increase investments in secure, modernized networks and IT systems. The Biden administration responded with its May 12 Executive Order on Improving the Nation's Cybersecurity, providing additional motivation to align to a zero-trust architecture.

The question for public sector IT professionals now is not "How do I help my customers migrate to the cloud?" but "Which cloud strategy is best for our customers now and in the future?"

The Role of Hybrid Multicloud in Improving Government's Security Posture
Much like private businesses, the public sector is realizing the agility and scale that cloud-based development environments can bring. Public sector agencies must address critical security, cost containment, and rapid innovation challenges as the world shifts toward flexible operating models that support significant technology disruptions.

Hybrid multicloud environments, combined with agile and DevSecOps methodologies, can bring public sector agencies the rapid development cycles and constant system updates that our modern threat landscape now requires.

As a long-time defense contractor, BAE Systems manufactures combat vehicles and weapons systems, but it also helps governments strengthen their defense posture against cyberattacks. We often combine in-house software with commercial products to optimize systems integration and digital transformation. This is where vendors like Nutanix, Splunk, and RedHat become critical, as their hybrid multicloud and security technologies enable seamless and secure migration between private and commercial cloud environments.

For example, hyperconverged infrastructure (HCI), which uses software to mimic the conventional compute, storage, and networking tiers of a data center, provides a unified environment across multiple clouds. This is a key piece of the puzzle for public sector agencies looking to leverage the flexibility of multiple clouds and move applications and workloads where it makes sense from an operational and fiscal perspective.

By embracing modern cloud technologies, organizations can streamline the process of spinning up development, test, and production environments; scale up computing resources; and eliminate engineering cycles. This promises public sector organizations incredible advantages in speed and flexibility. However, lingering questions about security in multicloud strategies must be addressed.

How Hybrid Multicloud Enables Continually Improved Security
Historically, the cloud has presented security pitfalls due to the shared-security model that both cloud service providers and cloud solution implementers need to adhere to. This means that while cloud providers are responsible for the security of some aspects of their cloud, the cloud implementer is responsible for the security of their operating environment, applications, and data in the cloud. Inherited security controls and implementation details differ between leading commercial cloud service providers. This increases the complexity of security implementation and creates greater risks in the handoff of responsibilities from multicloud providers to customers.

To effectively adopt a defensive secure posture in a hybrid multicloud environment, development teams must ensure that security controls and features are built in at all levels of the environment, including at the data and application levels. As public sector organizations seek to reap the benefits of modern methodologies like DevSecOps and agile development, they must extend their security posture into these methodologies.

Many public sector customers are moving toward a zero-trust security philosophy wherein government IT aligns to a "trust nothing and no one, and validate everything" approach. For example, each network user gets access only to the applications or data that access control policies require and user attributes such as role, geographical location, and time scale allow. The default setting on the network is to not grant users access to IT assets, applications, and data without the appropriate permissions from policy enforcement points.

Ultimately, public sector agencies need to employ DevSecOps and agile development methodologies to ensure that they can quickly deploy and manage constant updates and security patches. A hybrid multicloud environment helps systems integrators that are installing and maintaining extremely complex IT environments by cutting down on tasks internally to deploy capabilities faster.

Public sector agencies are being driven by competing requirements: mandates to adopt resources in the commercial cloud, but the need to keep certain applications and workloads in private data centers. To achieve both goals, it's critical to maintain a uniform structure of zero trust to bridge those two environments with a unified hybrid multicloud environment. By combining HCI software with a zero-trust strategy through every stage of software development, public organizations can securely take advantage of the agility and scale of multicloud environments.

About the Author

Dr. Nandish Mattikalli

Chief Engineer, BAE Systems Intelligence Solutions

Dr. Nandish Mattikalli is a Senior Director and the Chief Engineer for the BAE Systems Intelligence Solutions business. He has seen the cyber threat landscape expand over the course of a career that took him from the Indian Institute of Technology (IIT) in Mumbai to Trinity College at Cambridge University in the UK, where he earned his doctorate. Dr. Mattikalli was a National Academy of Sciences (NAS)/National Research Council (NRC) Fellow at NASA Goddard Space Flight Center in Greenbelt, Maryland. Today, he is based in McLean, Virginia. While BAE Systems manufactures a broad portfolio of war-fighting platforms, it also works as a leading system integrator and service provider that helps its customers implement software and harden their defenses against pervasive cyberattacks.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights