Innovation in Government: The Future of Technology with Dell

Posted on by Erica Raymond

Advances in communications, data analytics and cloud ecosystems are supercharging efforts to modernize government. Leaders recognize that partnerships with industry are essential to their success with emerging technologies, including groundbreaking tools and techniques that help agencies tackle a wide array of challenges. The government is facing monumental challenges, such as the economy, climate change, public health and military preparedness. These large-scale, broad impact problems require new and innovative ideas to solve. Organizations such as the Computing Technology Industry Association (CompTIA) and the National Institute of Standards and Technology (NIST) have released guidance and strategies for agencies hoping to move past existing restrictions by updated legacy systems. Carahsoft’s most recent Innovation in Government Report includes insights from industry experts at Dell Technologies on how emergent technologies can help government push past those boundaries, with deep dives on 5G, artificial intelligence, digital twins, edge computing and cloud ecosystems.

A Secure Way to Use AI-Assisted Data Analytics

“Federated learning is becoming increasingly relevant given the emergence of ChatGPT and other AI-based technologies. Industry and government leaders recognize that it is essential to develop AI in an ethical, unbiased way that ensures information privacy and security. The only way to do that is to take a critical look at the technologies that are evolving and shape them in an intentional way. Right now, AI is not as secure as it could be. It is susceptible to the same vulnerabilities that affect other technologies. Therefore, agencies and their industry partners should focus on protecting data where it resides, instituting a zero trust architecture and securing AI algorithms.”

Read more insights from Ed Hicks, business development manager for federal and AI at Dell Technologies.

What the Evolution of 5G Means for Government

“5G is the first generation of cellular technology that’s cloud native, which means it has the flexibility to be fully virtualized and deployed in several different architectural designs, hosted on commercial servers. Agencies now have the ability to dynamically scale up or down depending on the network load at the moment. In addition, many large hyper-scaler cloud vendors are exploring ways to provide 5G as a service and combine the virtualized network function with cloud-hosted workloads, integrating the telco workload into the traditional IT stack.”

Read more insights from Greg Burrill, 5G/Networking Alliance Manager at Dell Technologies.

Taking Modernization to the Next Level with Digital Twins

“Digital engineering is digital transformation applied to the realm of systems engineering. It is another path to IT modernization. Digital twins require the foundations of a digitally transformed environment and its elements of data management, agile development, DevSecOps and container-based orchestration. Digital twins focus on bringing data from the physical world into the digital arena, gleaning insights through artificial intelligence and then displaying those insights visually for users. Digital twins can deploy those conclusions in the physical world, measure the results of the changes and start the loop over again by feeding that data back into the digital arena.”

Read more insights from Ken Rollins, Technology Architect for Digital Engineering/Edge at Dell Technologies.

How Repatriation Fits into a Broader Cloud Strategy

“When agencies simply lifted and shifted workloads into the cloud, they often experienced inefficiencies and cost overruns. Now that agencies are gaining a better understanding of cloud models and how to adapt their workloads to run efficiently in the cloud, they have begun to more carefully consider when it makes the most sense to put a workload into a public cloud and when it is better to pull it back to run on premises, known as cloud repatriation. Those decisions should be part of a larger strategy for appropriate workload placement.”

Read more insights from Manny Yusuf, Chief Cloud/Edge Architect at Dell Technologies.

Future-Ready Data Centers for Government Agencies

“A software-defined data center (SDDC) virtualizes all the infrastructure elements that government agencies are using and delivers them in an as-a-service model. Specifically, compute, networking, storage, security and services are abstracted and delivered as automated, policy-driven software. That virtualized, programmatic approach enables SDDCs to break down IT silos and simplify complexities. The benefits include gains in performance and availability and reductions in costs and security risks. An SDDC enables applications to be deployed more quickly and IT resources used more effectively through the use of cloud-based services.”

Read more insights from Manny Yusuf, Chief Cloud/Edge Architect at Dell Technologies.

A Flexible Cost Model for Cloud and Infrastructure

“Maintaining visibility into IT operations is crucial for understanding and mitigating security risks as well as for better managing costs. Agencies might need to achieve a specific return on investment, meet certain efficiencies or comply with unique mission requirements. Regardless of the goal, a simplified cost model provides a comprehensive understanding of what it costs the agency to run workloads on premises, at the edge or in any cloud location. Dell APEX also allows agencies to maintain oversight of their IT environment and expenses when they are running a software factory and pushing out new capabilities on a continuous basis. Anytime something new is put in the cloud, it’s important to have visibility into its long-term costs so that agencies can avoid inefficiencies.”

Read more insights from Manny Yusuf, Chief Cloud/Edge Architect at Dell Technologies.

Download the full Innovation in Government® report for more insights from emerging technology thought leaders and additional industry research from FCW.

Securing the Digital Workplace: Microsoft 365 Identity Management for Public Sector Leaders

Posted on by Antoine Snow

Zero Trust is a critical focus for public sector organizations as they navigate today’s evolving digital workplace and cybersecurity landscape. But one issue is emerging as increasingly troublesome: insider threats.

The 2022 Cost of Inside Threats: Global Report found incidents involving insider threats surged 44% over the past two years. While some of these threats may be malicious insiders, seeking to misuse their authorized access for personal gain or harm, many are the result of cybercriminals exploiting vulnerabilities in identities to enter your environment. These criminals use tactics like compromised credentials – the leading cause of data breaches – as well as phishing scams and social engineering to impersonate identities and gain unauthorized access.

To effectively counter these increasingly sophisticated threats, organizations must strengthen identity management. When executed properly, identity management not only enhances the security of your digital workplace but enables a Zero Trust strategy.

Let’s discuss what identity management is, how to build a comprehensive strategy in Microsoft 365, and how it can fortify your Zero Trust deployment.

What is Identity Management?

AvePoint Identity Management Blog Embedded Image 2023

Identity management establishes and manages the digital identities of anyone entering your environment – from employees and contractors to guest users. Identities could refer to people, but they could also be services or devices entering your environment.

Identity management enables organizations to implement robust access controls, granting privileges based on roles – which is why identity management is an integral piece of Zero Trust. Without it, you will have no way to verify users and devices are who they say they are, let alone establish proper privileges and access, which are key Zero Trust principles.

When done effectively, identity management provides the right access to the right individuals at the right time for the right reason. This process not only improves your security posture, but can streamline user access, reduce administrative overhead, and help you better meet your compliance obligations.

Building Identity Management in Microsoft 365

When building your identity management strategy in Microsoft 365, remember these three basic elements: identify, authenticate, and authorize.

Here’s how to get started:

Identify: The backbone of identity management in Microsoft 365 is Azure Activity Directory (Azure AD). Azure AD provides a cloud identity for users, groups, and resources. It is where you build out your users’ identities and control access to internal and external resources – like your intranet or even Microsoft Teams. The solution will recognize users (based on Microsoft’s powerful machine learning and AI’s understanding of typical user and tenant behavior) and flag risks that fall outside of normal behavior, triggering the next steps of the process.
Authenticate: Multi-factor authentication (MFA) is today’s gold standard for authenticating identities. There are a variety of ways to do this, from smart cards to one-time passwords, that add layers of protection to your security. Microsoft’s Authenticator App helps implement MFA across your applications in a convenient and easy way for users, allowing them to verify their and their devices’ identities from their phones.
Authorize: It’s critical to grant access privileges based on the conditions specific to your organization. Conditional Access policies take a two-phased approach: first, it collects information about the person (their device, IP address, etc.) and then enforces any policies you have in place. This could mean if it detects a new device, it may enforce multi-factor authentication (MFA) or request the user sign in again. It could also prohibit access under certain conditions, like if a user is attempting access from a mobile device. These policies provide granular control over access while reducing the risk of authorized access.

By following this framework, you can easily begin using the powerful tools Microsoft offers to build your identity management strategy, ensuring only authorized individuals have access to critical systems.

Three Ways to Take a More Proactive Approach to Identity Management

Once you’ve taken the initial steps to start building your identity management approach, take it to the next level to enhance your security:

Right-size your policies: Strict, one-size-fits-all rules can hinder productivity; if security is in the way of getting the job done, users will find a way around it. Customizing your policies to specific users, workspaces, or even content creates a more tailored approach to access control, striking a balance between security and productivity.
Implement lifecycles: Identities should not permanently exist in your environment. People switch jobs or upgrade their devices. Establish a process to evaluate and recertificate identities – whether users (both external and internal) or devices – to ensure they still require access to your content and workspaces.
Monitor your environment: Even with the best-laid security plans, things can still fall through the cracks. That’s why it’s critical to monitor your environment – including users, devices, locations, and behavior – to identify any anomalies or suspicious activities that should be addressed.

These strategies can help you build a more proactive identity management approach that actively reduces risks and attack surfaces, allowing you to go beyond verifying identity to create a secure and efficient digital workplace.

Build a Secure Digital Workplace with Zero Trust

While identity management is an important aspect of building your secure digital workplace, ensuring only authorized individuals have access to your systems, it is not enough to protect your data or the workspaces where it lives in today’s ever-evolving cyber threat landscape.

Public sector organizations must embrace a comprehensive Zero Trust security framework to effectively build a secure digital workplace. To do so, you must combine identity management best practices with other robust security measures, like role-based access controls, workspace governance policies, lifecycle management processes, and risk assessments. Together, these strategies can enhance the protection of your digital environment and minimize your risk of data breach or unauthorized access.

Download the free AvePoint guide, “How to Achieve Zero Trust Standards Without Limiting Collaboration in Microsoft 365,” for more information about protecting your digital collaboration workspaces with a Zero Trust framework.

FedRAMP Rev. 5 Baselines are Here, Now What?

Posted on by Anil Karmel

The FedRAMP Joint Authorization Board (JAB) has given the green light to update to FedRAMP Rev. 5. With this revision, FedRAMP baselines are now updated in line with the National Institute of Standards and Technology’s (NIST) SP 800-53 Rev. 5 Catalog of Security and Privacy Controls for Information Systems and Organizations and SP 800-53B Control Baselines for Information Systems and Organizations. This transformation brings opportunities and challenges for all stakeholders involved, including Cloud Service Providers (CSP), Third Party Assessment Organizations (3PAOs), and Federal Agencies. But worry not – with RegScale, we have your back! Let’s dive in and understand the impact and how to prepare for the coming changes.

Decoding the Transition

The transition has been in the works for a very long time, and FedRAMP has updated many of their controls to accurately reflect updates in technology since Rev. 4 was published in 2015. FedRAMP Rev. 5 brings with it significant updates to the security controls to meet emerging threats, including new families such as supply chain risk management, and places a greater emphasis on privacy controls. FedRAMP continues to strongly encourage package submission in NIST Open Security Controls Assessment Language (OSCAL) format to accelerate review and approval processes. To aid with a clear comprehension of the updates, FedRAMP has also released a Rev. 4 to Rev. 5 Baseline Comparison Summary. There are more than 250 controls with significant changes, including several whole new families of controls.

In the coming weeks, FedRAMP plans to release a series of updated OSCAL baseline profiles, resolved profile catalogs, System Security Plan (SSP), Security Assessment Plan (SAP), Security Assessment Report (SAR), and Plans of Action and Milestones (POA&;ampM) templates as well as supporting guides for each of these.

What is OSCAL, You Ask?

RegScale FedRAMP Rev. 5 Baselines Blog Embedded Image 2023

OSCAL is a set of standards for digitizing the authorization package through common machine-readable formats developed by NIST in conjunction with the FedRAMP PMO and industry. NIST defines it as a “set of hierarchical, formatted, XML- JSON- and YAML-based formats that provide a standardized representation for different categories of security information pertaining to the publication, implementation, and assessment of security controls.” OSCAL makes it easier to validate the quality of your FedRAMP packages and expedites the review of those packages.

The Impact on CSPs

FedRAMP has published the CSP Transition Plan, providing a comprehensive roadmap and tool for CSPs to identify the scope of the Rev. 5 controls that require testing and offering support for everyone based on their stage in the FedRAMP authorization process. Timelines for the full transition range from immediate to 12-18 months. You should find a technology partner to assist you regardless of your FedRAMP stage so that you can quickly and completely adapt from Rev. 4 to Rev. 5 baselines as well as update, review, and submit your packages in both human-readable (Word, Excel) and machine-readable (OSCAL) formats.

If you are a CSP just getting started with your FedRAMP journey…

As of May 30, 2023, CSPs in the “planning” stage of FedRAMP authorization must adopt the new Rev. 5 baseline in their controls documentation and testing and submit their packages in the updated FedRAMP templates as they become available. You are in the planning phase if you are:

Applying for FedRAMP or are in the readiness review process
Have not partnered with a federal agency prior to May 30, 2023
Have not contracted with a 3PAO for a Rev. 4 assessment prior to May 30, 2023
Have a JAB prioritization but have not begun an assessment after the release of the Rev. 5 baselines and templates

If you are a CSP in the “Initiation” phase

CSPs in the initiation phase will complete an Authority to Operate (ATO) using the Rev. 4 baseline and templates. By the latest of the issuance of your ATO or September 1, 2023, you will identify the delta between your Rev. 4 implementation and the Rev. 5 requirements, develop plans to address the differences, and document those plans in the SSP and POA&;ampM. You are in the initiation phase if any of the following apply prior to May 30, 2023:

Prioritized for the JAB and are under contract with a 3PAO or in 3PAO assessment
Have been assessed and are working toward P-ATO package submission
Kicked off the JAB P-ATO review process
Partnered with a federal agency and are:
- Currently under contract with a 3PAO
- Undergoing a 3PAO assessment
- Have been assessed and have submitted the package for Agency ATO review

If you are a Fully Authorized CSP

You are in the “continuous monitoring” phase if you are a CSP with a current FedRAMP authorization. By September 1, 2023, you need to identify the delta between your current Rev. 4 implementation and the Rev. 5 requirement, develop plans to address the differences and document those plans in the SSP and POA&;ampM. By October 2, 2023; you should update plans based on any shared controls.

If your latest assessment was completed between January 2 and July 3, 2023, you have a maximum of one year from the date of the last assessment to complete all implementation and testing activities for Rev. 5. If your annual assessment is scheduled between July 3 and December 15, 2023, you will need to complete all implementation and testing activities no later than your next, scheduled annual assessment in 2023/2024.

A Complete Technology and Transition Partner

The transition to FedRAMP Rev. 5 is not just about meeting the new requirements but doing so in the most efficient and seamless manner. You should focus on your core business while technology like RegScale handles the intricacies of the compliance transition.

Beyond compliance documentation, RegScale serves as a comprehensive FedRAMP compliance technology and transition partner. Our platform assists with mapping your security controls against FedRAMP and NIST SP 800-53 baselines for Rev. 4 and Rev. 5, supports gap analysis, provides remediation support, and enables continuous monitoring and improvement. The platform currently includes FedRAMP support and tools to develop human-readable and OSCAL-formatted content for Catalogs, Profiles, SSPs, Components, SAPs, SARs, POAMs and Asset Inventory. To help eliminate the friction and confusion of where to begin with OSCAL, RegScale provides an intuitive Graphical User Interface (GUI) to build artifacts using our wizards and then easily export them as valid OSCAL. By automating the creation of audit-ready documentation and allowing direct submission to the FedRAMP Project Management Office (PMO) through OSCAL and/or Word/Excel templates, RegScale provides a seamless transition experience to Rev. 5, reducing complexities and saving you valuable time and resources.

In closing, it is crucial for all CSPs and stakeholders to review the new mandates and the CSP Transition Plan and begin planning to address the updated templates. Let RegScale help make the shift to FedRAMP Rev. 5 a streamlined, efficient, and effective process with minimum costs and business disruptions.

This post originally appeared on Regscale.com and is re-published with permission.

View our webinar to learn more about the low-cost approaches for handling the transition to Rev 5.

Security Protections to Maximize the Utility of Generative AI

Posted on by Tim Balog

Since the introduction of ChatGPT, artificial intelligence (AI) has exponentially expanded. While machine learning has introduced many merits, it also leads to security concerns that can be alleviated through several key strategies.

The Benefits and Risks of Generative AI

The primary focus of AI is to use data and computations to aid in decision-making. Generative AI can create text responses, videos, images, code, 3D products and more. AI as a Service, cloud-based offerings of AI, helps experts get work done more efficiently by advancing infrastructure at a quicker pace. In contrast, AI is also commonly used by the general public as a toy, since its responses can sometimes be entertaining. The comfort users have with AI and wide range of inputs introduces risk, and these risks can proliferate exponentially.

There are several key concerns for Government agencies when utilizing generative AI:

Copyright Complications – AI content comes from many different sources, and that content may be copyrighted. It is difficult to know who owns the words, images or source code that is generated, as the AI’s algorithm is based on derivative information. The data could be open sourced or proprietary information. To combat this, users should modify rather than copy any information gained from AI.
Abuse by Attackers – Bad actors can utilize AI to execute more effective and efficient attacks. While AI is not yet self-sufficient, inexperienced attackers can use AI to make phishing attacks more convincing, personal and effective.
Sensitive Data Loss – Users have, either intentionally or unintentionally, input sensitive data or confidential information into Generative AI systems. It is easier to disclose sensitive information into AI prompts, as users may dissociate the risk from the non-human machine.

The many capabilities of AI entice employees to utilize it to support their daily tasks. However, when this includes introducing sensitive information, such as meeting audios for transcripts or unique program codes, security concerns ensue. Once data is in the AI’s system, it is nearly impossible to have it removed.

To protect themselves from security and copyright issues with AI, several large communications companies and school districts have blocked ChatGPT. However, this still carries risk. Employees or students will find ways around security walls to use AI. Instead of blocking apps, organizations should create a specific policy around generative AI that is communicated to everyone in the company.

Combatting AI Risks

One such policy method includes utilizing a Data Loss Prevention (DLP) solution. The DLP’s purpose is to detect and prevent unauthorized data transmission, and its capabilities can be applied to AI tools to mitigate these concerns. Its security parameters work through three main steps:

Discover – DLPs can detect where data is stored and report on its location to ensure proper storage and accessibility based on its classification.
Monitor – Agencies can oversee data usage to verify that it is being used appropriately.
Protect – By educating employees and enforcing data-loss policies, DLPs can deter hackers from leaking or stealing data.

DLP endpoints can reside on laptops or desktops and provide full security coverage by monitoring data uploads, blocking data copied to removable media, blocking print and fax options and covering cloud-sync applications. For maximum security, agencies should utilize DLPs that cover all types of data storage—data at rest, data in use and data in motion. A unified policy based on detection and response to data leaks will prevent users from misapplying AI and provide balance for secure operation.

While agencies want to stay competitive and benefit from AI, they must also recognize and take steps to reduce the risks involved. Through educating users about the pros and cons of AI and implementing a DLP to prevent accidental data leakages, agencies can achieve their intended results.

Broadcom is a global infrastructure technology leader that aims to enhance excellence in data innovation and collaboration. To learn more about data protection considerations for generative AI, view Broadcom’s webinar on security and AI.

People Plus Technology: Building a Resilient Federal Cyber Workforce

Posted on by Alex Whitworth

Filling cyber jobs in Federal agencies is complicated – it requires competing with industry salaries, retaining existing talent and navigating the Federal hiring process. It’s a far-reaching challenge that affects every agency – the administration knows that, the Office of Personnel Management knows that, and agency technology and human resources leaders know that. And federal C suite leaders realize how the government recruits, hires and retains people for cyber jobs has to change. In partnership with FNN, our Federal Cyber Workforce guide takes a look at what the government is doing to tackle this problem on a sweeping federal level and also on a more agency-specific level. We also get industry perspective on the technologies that affect cyber workforce resiliency. We hope it provides some guidance and help as your agency works to beef up its cybersecurity, both through investments in people and technology.

3 Key Rallying Points for a Resilient Cybersecurity Team

“Agencies are currently operating in a high-threat environment, but that doesn’t mean they can’t implement a reasonable amount of information assurance. It may not be perfect, but it doesn’t have to be. The idea is to make it so that adversaries have to work extremely hard to penetrate the infrastructure. The adversaries are good, but agencies can be better with a resilient cybersecurity team, said Mark Bowling, chief risk, security and information security officer for ExtraHop. The key to achieving this is to have a risk reduction perspective.”

Read more insights from Mark Bowling, Chief Risk, Security and Information Security Officer at ExtraHop.

Do not Wait for a Breach: Why to Adopt Proactive Approach to Cyber Resilience

“When most people talk about cyber resilience, they’re referring to post-breach recovery — the means, methods and speed with which an organization can get its systems and services back online after a cyber incident. But Felipe Fernandez, federal chief technology officer at Fortinet, views resiliency more holistically. His advice? Agencies need to take a proactive stance on cyber resilience and include not only recovery from breaches but also when their planning for non-malicious threats and other operational disruptions, including those associated with cloud-based services.”

Read more insights from Felipe Fernandez, Federal Chief Technology Officer at Fortinet.

Proactively Improve Digital Employee Experience Though Automation

“Digital modernization and the adoption of collaboration tools is supposed to make work easier, especially in a hybrid environment. Employees want the flexibility to be productive in whatever manner best suits them. Unresolved technology issues can impede productivity. In its latest survey of industry employees and IT professionals, Ivanti found that 49% of employees are frustrated with the tools they use and 26% are considering leaving their jobs because of that. Employee experience is a top priority in government right now, and employees are internal customers of an agency’s IT services. By improving their experience your agency can realize gains in productivity and retention.”

Read more insights from Mareike Fondufe, Product Marketing Director at Ivanti.

Download the full Expert Edition for more insights from these cyber workforce leaders and additional government interviews, historical perspectives and industry research.

Building a DevSecOps Culture

Posted on by Rich Savage

As software becomes more sophisticated, it plays an increasingly important role in all aspects of government operations. However, given the complexity and intertwined nature of modern software, any vulnerability could have wide-ranging consequences, which makes security of vital importance. The federal government has taken notice. A number of recent policy directives address issues related to the software supply chain, and key agencies are leading a governmentwide effort to promote secure software development, including the Executive Order on Transforming Federal Customer Experience and Service Delivery to Rebuild Trust and the Executive Order on Improving the Nation’s Cybersecurity. Learn how you can implement DevSecOps to support your journey to secure, innovative software in Carahsoft’s Innovation in Government® report.

The Mindset Shift that Enables DevSecOps

“In an ideal world, technology and processes support team members’ ability to deliver on their particular talents. Before agencies implement DevSecOps methodologies, they should identify where their processes are getting bottlenecked and forcing people to either work around them or fundamentally change their behavior. Instead, we want to make it easy for employees to do the right thing. The goal is to enable people to focus on what they do best — regardless of where they operate in the stack or the tools they are using — so that agencies can build and deploy secure, modern apps.”

Read more insights from Alex Barbato, Public Sector Solutions Engineer at VMware.

How Generative AI Improves Software Security

“Generative AI tools are becoming increasingly prevalent, providing interactive experiences that captivate the public’s imagination. These tools are accessible to anyone, offering a unique opportunity to engage and explore the creative possibilities enabled by AI technology. The technology doesn’t just train a model to recognize patterns. It can create things that are easy to understand: images, text, even videos. Sometimes the results are hilariously wrong, but other times the results are quite impressive, such as clear, concise answers to complex questions. Generative pre-trained transformer (GPT) technology, such as ChatGPT, has opened the doors for everyone to be an evaluator because the output is accessible and easy to critique.”

Read more insights from Robert Larkin, Senior Solutions Architect at Veracode.

Open Source is at the Heart of Software Innovation

“Embedding security into applications from the start is essential for streamlining and strengthening the entire development life cycle. Securing the software supply chain is a related effort that is of vast importance to government operations. Beyond securing individual applications, the ultimate goal is to build security into the pipeline itself. At each step and every handoff, we must be able to verify who has touched the software and who did what to ensure that the end result is what we intended to build and that nothing malicious has been injected along the way.”

Read more insights from Chris Mays, Staff Specialist Solutions Architect at Red Hat.

DevSecOps Needs Tool Diversity and Collaboration

“As DevSecOps methodologies and software factories grow in prevalence, agencies are recognizing that software development is a team sport — inside the agency, across departments and with external stakeholders. It touches many different teams, but getting everyone on the same page with tooling can be difficult. Different teams prefer different tools, and that makes collaboration hard. Modern software development brings security practices forward in the timeline while reducing duplication of efforts and improving real-time accountability. Success hinges on removing blockers, creating visibility and making sure collaboration is happening at every stage. In addition, encouraging input from different areas of the organization from the beginning and throughout development is vital for innovation.”

Read more insights from Ben Straub, Head of Public Sector at Atlassian.

Observability Speeds Zero Trust and Application Security

“In response to increasing cyberthreats, the government is speeding up the move to zero trust. This security model assumes that every user, request, application and non-human entity is not to be trusted until its identity can be verified. Zero trust principles require a layered defense that is more effective when rooted in observability. To develop an architecture that validates and revalidates every entity on the network, it is necessary to know what those entities are, how they’re communicating and how they typically behave so we can recognize deviations. Zero trust and observability technologies work together to create a more secure and resilient network environment by assuming that all requests for access are untrusted and continuously monitoring the network to detect and respond to potential threats.”

Read more insights from Willie Hicks, Public Sector Chief Technologist at Dynatrace.

The Role of a Service Mesh in Zero Trust Success

“For large companies and government agencies, it’s safe to assume that a committed attacker is already inside their networks. Executive Order 14028 mandates that every federal agency develop a Zero Trust architecture because it is the most effective approach to mitigating what attackers can do once they’ve made their way inside. What does Zero Trust look like at runtime? One of the key considerations is identity-based segmentation, which involves conducting five policy checks for every request in the system: encrypted connection between service endpoints, service authentication, service-to-service authorization, end user authentication, and end user-to-resource authorization.”

Read more insights from Zack Butcher, Founding Engineer at Tetrate and co-author of the NIST SP 800-200 series and SP 800-207A.

AI and the Journey to Secure Software Development

“By automating and optimizing DevSecOps workflows, we can still shift security left while relieving developers from the burden of some complex remediation. It begins with a workflow that leverages fully automated security scanning to rapidly identify vulnerabilities as well as providing suggested remediation for vulnerabilities and on-demand remediation training to educate developers on what they are getting into. The rapid evolution of artificial intelligence is making new advances possible. The opportunities go well beyond AI-assisted code creation. AI features are being expanded across the entire software development life cycle. When it comes to security, having AI assist by making code functionality clear or explaining a vulnerability in detail reduces the time required to remediate risk.”

Read more insights from Joel Krooswyk, Federal CTO at GitLab.

Scaling App Development While Meeting Security Standards

“The dream for any software development team is constant, stable releases. The faster teams get the work they’ve created into production, the faster the agency can derive value from that work. When app development is stymied by cumbersome security reviews and stability testing and by the need to wait for a deployment window, innovation is stifled and the return on investment is delayed. If agencies want to have efficient, value-driving software development teams, those teams must be able to move with agility. A trustworthy, scalable DevOps pipeline that brings together testing and security in a seamless way allows teams to push out new apps and improvements quickly so government employees and citizens can have a seamless digital experience and the most up-to-date tools and information.”

Read more insights from Kyle Tobener, Head of Security and IT at Copado.

Join us in-person for our must-attend DevSecOps Conference—an exciting day of exhibits, speaking sessions, and networking events. We look forward to showcasing new DevSecOps updates from our supporting panels featuring government, systems integrators, and industry thought leaders.

Download the full Innovation in Government® report for more insights from DevSecOps thought leaders and additional industry research from FCW.

A Unified Identity: Login and Customer Experience

Posted on by Tiffany Goddard

While in-person services used to be the primary channel of access to Government services, this is no longer the case as more customers turn to digital services. To provide excellent Customer Experience (CX), the Government must prioritize creating digital channels for customers to sign up, apply for and purchase Government services. During Carahsoft’s 2023 Customer Experience and Engagement Summit, panelists discussed how agencies can create an easy-access experience for customers that is unified across all Government agencies.

Simple, United Services

Customers want easy access to services, and this requires a secure, trusted, personal Government-issued digital identity. Having an individualized login allows customers to establish their identity online before completing important tasks, such as making child support payments or searching for unemployment insurance. To be as secure and validated as possible, these logins should be operated by an organization that does not have a motive to leverage private information to sell customer data for profit.

To maintain the core principles of effective customer service, logins should have a common set of controls that validate digital identities. To create a reliable login account, there are three core principles to follow.

Logins must be usable by everyone including constituents without a bank account or a home. Employees cannot have implicit biases and must be ready and willing to serve everyone.
The data that people provide must always remain private. With a Government-issued digital identity, customers will be providing sensitive information to prove their identity. This must be protected to preserve trust in the Government.
Programs should be based on private sector technologies. Government agencies do not need to reinvent or reimagine technology. Rather, they should leverage products that are already built well and bring them together in a way that employs the best innovation in the private sector.

The Benefits of Accessibility

Having a digital identity could allow customers to have a single account that is accessible across Federal, State and Local Government. When customers need to transfer to a different department, an identity-tied login creates an easy way to share their history with new agencies. Centralized login accounts can connect the customer through various platforms, such as email, phone call, in-person and online. IT (information technology) is one of the few categories that has a spending increase into the double digits, which reinforces technology as the primary trend in Government innovation.

As with any digital ability, security concerns must be addressed. Since control of login credentials allows control of identity and data, agencies need to know that the person who is logging in is not an impersonator. By privatizing accounts and their login information, this avoids the information being manipulated or sold.

Government agencies are in the best position possible to combat this. The White House allocated agencies a budget to address CX initiatives. Panelists expressed that many excellent partners in the industry are ready to deliver on these cybersecurity initiatives. For the first time, CX is part of the President’s Management Agenda. The entire administration unified around the agreement that CX is vital to the Government, and the digital sphere must be the first step in reconstructing CX. With this support, agencies can spearhead the movement in providing simple, effective and secure service to elevate CX.

Check out the rest of the 2023 Government Customer Experience series to learn more about Carahsoft’s insights from CX industry thought-leaders at the summit.

To learn more about the latest in the CX landscape and how Carahsoft’s industry-leading partners can support your Customer Experience initiatives, please visit our resource hub to access all on demand recordings and information from the 2023 Government Customer Experience and Engagement Summit.

Four Lessons I Learned from My Company’s Response to the SUNBURST Attack

Posted on by Tim Brown

Saturday, December 12, 2020, is a day I’ll never forget. That was the day I learned nation-state threat actors had exploited our software in what would later be known as SUNBURST. Because it’s been written about thousands of times before, I won’t rehash the particulars of the event itself here. Instead, I’d like to share four lessons I learned about how to respond to a large-scale cyberattack.

1. The first days: Preparation helps control the chaos

I often refer to the days immediately following December 12, 2020, as “controlled chaos.” The chaos portion is self-explanatory, but what about the “controlled” part?

Simply put, we were in control the entire time, no matter how chaotic things seemed, because we’d prepared for such an incident. We ran tabletop exercises, planned for different scenarios, mapped out hypothetical intrusions, tested our response methods, and looked for and plugged potential security holes. We also built an incident response team comprised of representatives from across the company. It included members from our security, legal, marketing, IT, and engineering teams, and our board of directors.

As you plan your threat response, consider the following:

Do you have a cybersecurity incident response playbook?
Have you performed tabletop exercises and run various attack scenarios?
Do you have the right people on the incident response team—a good mix of strategic and tactical expertise?
Do you have ways to contact people, even on the weekend (or during a pandemic)?
Do you have a list of backup contacts in case someone isn’t available?
Do you have alternative communication methods established in case you cannot trust your existing ones?

2. The initial weeks: Separating teams creates an agile and efficient response

SolarWinds Attack Response Blog Embedded Image 2023

We quickly learned we needed to split our team into different groups for an agile and efficient response. Thus, one big team became multiple smaller teams, each overseen by leaders within their respective organizations (i.e., the legal team was led by our general counsel, the engineering team by our head of engineering, and so forth). These teams would work independently, then reconvene each evening to share what they learned, discuss solutions and ideas, and so on.

Having different teams allowed individuals to focus on each facet of the response. For example, engineering could focus on how the attack affected our build while IT investigated how the attackers got in. The communications team created responses for customers, partners, and the press, and what ultimately became the government affairs team devised a plan to contact various government agencies.

We also learned organizing these teams was impossible without a third-party “quarterback.” So, we brought in an external organization to coordinate our teams’ work. They set up meetings and ensured everyone was on the same page and information was being shared.

As you coordinate your teams, ask:

Do we have a plan in place to get teams together?
Do we have a third-party “security helper” on call or retainer? (This is often a good insurance policy)
Do we have enough teams to cover every aspect of our business?

3. The following weeks and months: Unbiased partners help amplify the truth

At the time, there was a lot of misinformation floating around. We were being outnumbered, out-marketed, and out-communicated. And unfortunately, social media made misinformation spread like wildfire—and has helped it be equally hard to extinguish.

To help, we partnered with reputable and experienced organizations like the Cybersecurity and Infrastructure Agency (CISA), Krebs Stamos Group, and others. The organizations performed forensics while amplifying the truth about the attack, helping people understand this was not just an isolated incident.

Amplifying the truth was the only agenda our partners had. Sadly, that’s not the norm. I discovered many organizations out there want to promote their brand or have ulterior motives. Fortunately, the organizations we worked with had no such baggage.

Indeed, they allowed us to focus on ensuring our customers were in the right state. We wanted to be there to answer their questions, assure them, and, most of all, make sure they were secure and protected. Our partners helped us block out the noise so we could focus on helping our customers.

To summarize:

Bring in the correct partners and add new partners as necessary
Watch out for hidden agendas
Prioritize what’s most important to you (For us, our customers were our top priority)
Don’t spend time responding to every inaccuracy; it will only distract you from your priorities
Stay focused

4. The final months: Going above and beyond leads to an exemplary outcome

As the months wore on, I remember a colleague telling me, “If you’re going to come out of this, you have to be special. It won’t be enough just to fix the issue. You need to really go above and beyond.”

As it turns out, we fixed the issue—but did much more than that. We found the source for SUNBURST and made it publicly available. We testified before the U.S. House and Senate. We implemented assistance programs to help our customers. We held briefings with the FBI and other global law enforcement agencies.

We ensured the world knew what we were doing and why we were doing it. In being transparent, we were helping others understand what we went through so they could better protect themselves. It’s not enough to be transparent, of course. To get through it and come out stronger, we needed to have products and services people love and enjoy using, which leads me to three final recommendations:

Be open and honest throughout the entire process
Communicate early and often—not just to your customers, partners, and employees but to the world
Make the type of products you would want them to use, and make them Secure by Design

The months have turned into years. The tenets of transparency and humility have served us well. The SUNBURST incident has turned into a catalyst for good. Supply chain security is now front of mind for many. Executive orders and cyber security strategies are leading us towards attestation for software security. Executive and boardroom conversations have security as a necessary topic, and the security defenders of the world are being looked upon for guidance in managing cyber risk.

The investigation into SUNBURST formally concluded in May 2021—six months after the attack was first uncovered. But I like to think our response to the attack will live on for much longer. Because what started as a dark day in December 2020 made us a stronger, more resilient, and better company. I hope the lessons I learned can help you do the same.

Contact our team today to learn more about how SolarWinds can support your organization’s software and cybersecurity mission.

Utilizing Data to Improve in Customer Experience

Posted on by Tiffany Goddard

The main goal in customer service is to provide for customer needs and preferences. Through data and feedback, agencies can revitalize and refocus services to best support customers. At Carahsoft’s 2023 Government Customer Experience and Engagement Summit, panelists reviewed the usage of data in improving the customer experience (CX).

Maintaining Pace with Customer Needs

Expectations from customers have changed rapidly. The pandemic forced customers to increasingly operate via the internet, from important telehealth visits with doctors to completing the mundane task of buying groceries. To match audience needs, Government services must follow suite and digitize.

While digitization is vital, agencies must begin by investing energy and resources into the foundation of CX. To create successful digitization, agencies must focus on swiftly delivering value. Components such as success, personalization and digital equity will follow naturally. Implementing iterative feedback strategies and routines to talk one-on-one with the people directly involved refines usability in agency services.

Providing Equitable Service Through Data

Creating swift and efficient Government services can be difficult and gathering data on customer feedback is the key to improving them. By collecting data through live user testing, agencies can demonstrate how well services are working. This insight can be utilized to encourage the Federal Government to continue or increase funding for State and Local initiatives.

Agencies should encourage reviews as much as possible. By gathering feedback, agencies can use the information gained from data to implement measures alleviating processes that customers carry out. Feedback on digital services can be used by agencies to revitalize their websites around customer needs. Digital services should be simple, accurate, equitable and accessible. Sometimes, this means agencies will need to continue redesigning initiatives, even if they performed adequately in test cases. While this can be cumbersome, being equitable for all users is a vital part of customer service. Pilot programs and generative artificial intelligence can alleviate this process and aid in experimenting with new technologies or designs.

With the overwhelming switch to digitization and the automation process, agencies must not lose sight of maintaining security standards to protect the sensitive information they hold. Implementing data protection and resiliency ensures that in case of data loss, agencies can get services back up and running again.

Equitable service means considering the audience. Whether the audience even has access to technology or in-person services, is a large factor in how CX is provided. For services geared for older customers, such as Medicaid, physical copies may be necessary to reach a large part of the audience. Some customers may need help accessing information. Government agencies can make a difference in these communities by offering additional assistance, including teaching seniors how to use technology or signing them up for medication deliveries. Without considering the audience, and without providing an extra helping hand, Government agencies cannot ensure equitable and proper service to their customer base.

Ultimately, agencies need to stay relevant, accurate and up to date with customer needs while also recognizing that it takes time and effort to perfect services. However, by interpreting data to consider different perspectives and needs, and by applying that data to expand support services and platforms, agencies can provide excellent customer service and experiences.

Read the previous blog and check back soon to read the rest of Carahsoft’s insights from CX industry thought leaders at the summit.

Ransomware Protection for Kubernetes Data in the Public Sector

Posted on by Gaurav Rishi

Kubernetes is a powerful platform for deploying and managing containerized applications in the cloud. It offers many benefits such as scalability, portability, resilience and automation. However, Kubernetes also poses some challenges when it comes to data protection and security, especially in the public sector where sensitive data and compliance regulations are involved. That’s why we are excited to continue our strategic partnership with Carahsoft Technology Corp., the leading government IT solutions provider, to deliver Kasten K10 by Veeam, the market-leading Kubernetes data protection solution, to public sector customers across the U.S.

In this blog post, we will explore some of the common issues that public sector organizations face when using Kubernetes, and how Kasten K10 by Veeam can help them overcome these challenges with a simple, secure and scalable solution for Kubernetes data protection.

The challenges of Kubernetes Data Protection in the Public Sector

One of the main challenges of Kubernetes data protection in the public sector is the complexity and diversity of the Kubernetes environment. Kubernetes clusters can span multiple clouds, regions and zones, and contain hundreds or thousands of applications and microservices. Each application may have its own data sources, dependencies and configurations, which need to be backed up and restored consistently and reliably.

Veeam Ransomware Protection Blog Embedded Image 2023

Another challenge is the security and compliance of the Kubernetes data. Public sector organizations often deal with sensitive data such as personal information, health records, financial transactions or national security secrets. These data need to be protected from unauthorized access, modification or deletion, as well as from external threats such as ransomware attacks. Moreover, public sector organizations need to comply with various regulations and operate in secure environments, which requires cluster deployments in compliant hybrid environments spanning examples like AWS GovCloud and Red Hat OpenShift.

A third challenge is the scalability and performance of the Kubernetes data protection solution. As Kubernetes clusters grow in size and complexity, so does the amount of data that needs to be backed up and restored. Public sector organizations need a solution that can handle large volumes of data without compromising the availability or performance of the Kubernetes applications. They also need a solution that can scale up or down as needed, without requiring manual intervention or complex configuration changes.

The Solution: Kasten K10 by Veeam

Kasten K10 by Veeam is a purpose-built solution for Kubernetes data protection that addresses all these challenges and more. Kasten K10 is designed to simplify and automate the backup and recovery of Kubernetes applications and their data across any environment. It offers the following features and benefits for public sector organizations:

Application-centric approach: Kasten K10 treats each Kubernetes application as a unit of backup and recovery, rather than individual containers or volumes. This ensures that the application state and dependencies are preserved across backups and restores, regardless of where they are running or how they are configured.
Policy-driven automation: Kasten K10 allows public sector organizations to define backup policies based on application metadata such as labels, annotations, namespaces or clusters. These policies can specify the frequency, retention, location, encryption and compression of the backups, as well as any custom actions or hooks that need to be executed before or after the backup. Kasten K10 then automatically applies these policies to the matching applications, eliminating the need for manual backups or scripts.
Secure and compliant data protection: Kasten K10 encrypts all backup data at rest and in transit using AES-256 encryption keys that are stored in a secure key management system. Kasten K10 also supports role-based access control (RBAC) and audit logging to ensure that only authorized users can access or modify the backup data. Additionally, Kasten K10 provides ransomware protection by creating immutable backups that cannot be overwritten or deleted by malicious actors.
Scalable and performant architecture: Kasten K10 leverages a distributed architecture that scales with the Kubernetes cluster. It uses parallelism and deduplication to optimize the backup, restore performance and reduce the storage footprint. It also supports incremental backups and restores to minimize the network bandwidth and application downtime.
Application portability: Kasten K10 enables public sector organizations to ensure application portability across diverse Kubernetes environments by using Transform Sets. Transform Sets are a set of rules that can modify the application configuration during backup or restore, such as changing namespaces, labels, annotations, storage classes, or secrets. This allows public sector organizations to migrate their applications from one cluster to another, or from one cloud to another, without breaking their functionality or security.

Next Steps

We hope this blog post provided valuable insights into how Kasten K10 by Veeam can help you protect your Kubernetes data in the public sector. If you want to learn more, here are some next steps you can take:

Watch this video to see Kasten K10 in action and learn how it can simplify and automate your Kubernetes data protection workflows: https://youtu.be/gu3J6ZeWwK8

Try the full-featured and FREE edition of Kasten K10 today with this super-quick installation in less than 10 minutes: https://www.kasten.io/free-kubernetes

Don’t miss this opportunity to take your Kubernetes data protection to the next level with Kasten K10 by Veeam and Carahsoft. We look forward to hearing from you soon! Download our full Gorilla Guide to Securing Cloud Native Applications on Kubernetes.