Why Cloud-Ready, Centralized AppSec Must Underpin State Government Cloud Adoption

State and local governments are accelerating their use of the cloud as they focus on delivering more digital services with fewer resources and continue responding to pandemic pressures. In a recent FedRAMP survey conducted by Maximus and Genesys, 49% of state and local government respondents said most of their systems and solutions were in the cloud, with a further 9% saying all of them were. Unsurprisingly, 69% said cloud computing is essential to their agency’s operations.

The reasons for switching away from on-prem include scalability and cost control. Things changed quickly too, of course, when agency offices closed in 2020 to slow the spread of COVID-19. Citizen services switched to online delivery, and agency workforces needed remote access to vital work applications as state and local governments found themselves on the front lines of pandemic response.

Compelling Benefits of Public Sector Cloud Adoption

Agencies face budget constraints on top of a citizen base with high expectations of digital services that match their experiences with commercial software. Citizens quickly question agencies’ credibility when digital services don’t provide the seamless, personalized experience to which they are accustomed. As a result, agencies have been under pressure to develop cost-effective software infrastructure that can deliver flexible online services and scale up instantly to meet peak demand during emergencies.

The cloud simplifies rapid application deployment, allowing resources to scale on demand with flexible, consumption-based billing models. Agencies no longer have to provision and maintain costly on-premises infrastructure just in case emergencies arise; instead, they can shift costs from capital to operational budgets, knowing they will be covered in a peak demand event.

Migrating to the cloud also allows agencies to implement turnkey solutions that use consistent processes and protocols while ensuring regulatory compliance. It’s more difficult to implement or map to such standards in on-premises environments that are typically heterogeneous, having grown as needed while reflecting a team’s changing personalities, skillsets, and priorities over the years.

Despite the benefits of the cloud, any change brings new risks. Agencies have put their faith firmly in the cloud and must ensure citizens’ private data is safe within modern application development components.

Ultimately, cloud native application development, with all its speed and complexity, needs software security designed to scale just as quickly so agencies can uphold their part of the shared responsibility model.

The Shared Responsibility Model for Cloud Security

Cloud services offer state and local government agencies protection beyond anything an individual agency could deliver in-house. This built-in cloud security removes a considerable operational burden, because the cloud service provider (CSP) is responsible for the host operating system and virtualization layer, down to the physical security of the data centers in which services are deployed. In fact, 72% of state and local respondents to the Maximus/Genesys survey felt that mission-critical data was more secure in the cloud than on-premises.

This is only half of the equation, however. Agencies cannot hand over all security responsibilities to a CSP. While the cloud itself may be secure, the security of applications developed and released to production in the cloud remains the agency’s responsibility. Application security ultimately protects citizen data, and when development is cloud native, there are more kinds of code and application building blocks to secure.

Centralizing AppSec Strategy to Realize Cost, Efficiency, and Security Benefits

Agencies must develop a comprehensive AppSec strategy that covers all the different code components of cloud native application development. They need an optimized solution that can mature and scale with their team as their journey in the cloud continues.

A centralized, consolidated approach is critical to success. Otherwise, agencies might purchase multiple point products to scan all their code across different languages and frameworks (containers, infrastructure as code [IaC], third-party packages, APIs, etc.). This is expensive and makes life difficult for developers, who have to assimilate and respond to alerts from multiple sources that often integrate poorly, if at all.

Alternatively, agencies that can only afford a few solutions with limited breadth and depth might not adequately scan their code to begin with. Missed vulnerabilities could put citizen data at risk.

SLED (state, local, and education) agencies need to choose vendors that take a centralized approach to AppSec tooling, with scan engines that offer broad language support and cover the entire software development life cycle (SDLC), aggregating more insightful results for faster remediation at a lower total cost of ownership. This optimized strategy benefits public sector budgets as well as the developer teams responsible for delivering secure cloud native applications by resolving tensions around cost, security, efficiency, and speed.

Accelerating AppSec for Cloud Native Development Processes

Speed is central to devising an optimized AppSec strategy and choosing the right supporting tools. If an agency’s AppSec testing tools are not developer-centric, not tightly integrated into DevSecOps processes, and not connected to one another, code scans can be time-consuming. Consequently, an agency may scan less frequently—perhaps only daily, or only weekly—and inundate its teams with large numbers of discovered vulnerabilities, interrupting workflows and delivery schedules.

Cloud native development requires a faster, more iterative solution that helps agencies move toward DevSecOps, integrating and automating security scans at every stage of the SDLC. Checkmarx CxSAST, for example, scans uncompiled source code, so it doesn’t require a build. This means an agency can perform dozens of automated scans per day, giving teams immediate, prioritized feedback specific to the branch a given developer is working on, so they can fix issues right away.

Agencies must also scan cloud native code, whether it’s developer-written IaC pushed rapidly to production, third-party code, or APIs essential to rapid application development. The open source KICS project by Checkmarx allows fast, frequent scans of IaC to identify any issues that may lead to vulnerabilities. Similarly, CxSCA scans open source code for vulnerabilities or license risks and ranks results by severity so developers know which issues to prioritize.

Using AppSec tools like these that fully integrate into the CI/CD pipeline, agencies can maintain the pace of cloud native application development without introducing additional risks.

Download: Embedding Security into Cloud DevOps on AWS

Evolving AppSec for Different Levels of Cloud Maturity

Public sector agencies vary in their AppSec maturity and in how far along their cloud journey they are, but wherever they are, finding a scalable AppSec approach as they build cloud solutions will accelerate and optimize their processes. Checkmarx supports agencies at all levels of cloud adoption and DevSecOps, whether they’re just starting to explore the advantages of earlier, faster, more frequent scans, or they already have a fully automated cloud native development pipeline that tests all code, from application source code (SAST) to IaC, open source, and third-party code.

State and local government agencies in the first category can count on Checkmarx’s cloud-ready technology to scale with them as they strive to shift into the second category.

Agencies moving away from multiple point solutions or establishing complete scan coverage for all types of code can turn to Checkmarx for consolidated, centralized AppSec to increase efficiency, reduce total cost of ownership, and improve overall application security posture to ensure citizen data is protected.

Download our SLED issues brief to find out more about how consolidating application security can address five out of ten State CIO priorities.

Download our Ultimate Guide to SCA here.
