Complex cybersecurity is a compelling reason why many state and local governments move to the cloud. Cloud service providers have the resources to employ dedicated cybersecurity personnel that most individual government IT operations find difficult to match. However, this doesn’t absolve government technology leaders from the responsibility of securing the enterprise and protecting sensitive constituent data.
Managing security in cloud environments involves making the “best of a fragmented security architecture,” says Center for Digital Government (CDG) Senior Fellow Deb Snyder. “It becomes about data — how it’s stored, how it’s accessed and how that becomes the top priority.”
Governments face multiple challenges, particularly as they manage hybrid IT environments in which on-premises systems connect to data and applications stored in the cloud — or in multiple clouds. Insecure application programming interfaces (APIs) can be common attack vectors. Even so-called shadow IT — the use of unsanctioned and potentially vulnerable applications or devices on a government’s network — may be more difficult to detect in cloud settings.
At a time when state and local governments have become an enticing target for cyberattacks, research suggests that nearly all security breaches involving the cloud can be traced back to cloud customers, not service providers. Issues such as resource misconfigurations and incorrectly applied policy settings and security controls will continue to contribute to as many as 95 percent of cloud security breaches through 2022, according to research by Gartner.
“As you merge with the public cloud, you have to take more ownership,” says Snyder, who previously served as chief information security officer (CISO) for New York State. “It’s important to think about a model where the responsibility is shared between the provider and the owner of the resources.”
To do this, state and local governments should consider the following best practices.
Develop a comprehensive cloud strategy
Effective cloud security stems from a comprehensive technology migration plan, which Snyder calls a “cloud operating framework.”
“Just as a unified strategy is needed to manage enterprise architecture, you need a cohesive strategy to manage cloud resources,” Snyder says.
Change management strategies included in that enterprise framework can help ensure migration and ongoing operating procedures avert common threats to cloud security, such as misconfigurations of security controls. They can also help agencies make certain they are managing multi-cloud environments with common policies. An enterprise approach to cloud can help organizations take a “risk-based approach” to determine what they should and shouldn’t migrate to the cloud in the first place.
Implement robust data governance
One of the keys to cybersecurity in a cloud world is recognizing that the focus shifts from discrete systems and software to the integrity of the data they use. But not all government data is created equal, nor does all of it require the same level of control. A key part of risk management is for agencies to determine what data requires the highest levels of security and develop policies and systems to ensure they are managing, using and storing data in appropriate ways.
“Data-centric security management necessarily depends on organizations knowing what data they have, what its characteristics are, and what security and privacy requirements it needs to meet so the necessary protections can be achieved,” states a 2021 National Institute of Standards and Technology (NIST) report on creating data classification frameworks.
State and local governments should verify that both their internal systems and external cloud vendors have appropriate controls in place and are adhering to them to protect their different types and levels of data. They “have set themselves up on doing a tremendous amount of due diligence, which can be limited by lack of internal resource,” says CDG Senior Fellow Dugan Petty, who formerly served as CIO for the state of Oregon. “An alternative is to require continuous monitoring by a qualified third party as a condition of the contract for cloud vendors,” Petty says.
Coordinated efforts at the federal and state levels, including the federal government’s FedRAMP standards, make this work easier. While only a small subset of state and local government data may need to meet the most stringent FedRAMP standards, it and the corresponding StateRAMP initiative offer models for third-party certification of data standards, practices and continuous monitoring.
Carefully select vendors
It’s important to evaluate cloud vendors’ commitment to security and transparency, including their willingness to communicate information about potential security breaches and their risk-management policies to ensure their supply chains are secure. At the same time, that doesn’t absolve government IT leaders from their need to do the same.
With recent exploits through third-party software, cyber supply chain risk management (C-SCRM) is receiving more attention when contracting. To help address this vulnerability, revision five of NIST SP 800-53 increased supply chain controls for cloud service providers and their upstream suppliers. “When evaluating a contract offering, it’s a good idea to make sure appropriate third- and fourth-party supply chain risk management is in place,” Petty says.
The recently updated NIST SP 800-161 is a great resource to help develop supply chain risk management practices.
“Choose your vendors with care, but always remember the main responsibility lies with the organization, not your service provider,” Snyder adds.
Focus on authentication
Access and identity management are critical to ensuring sensitive data remains secure from both external and internal threats. Continued migration toward Zero-Trust design strategies will help, as will emerging technologies such as biometrics.
Don’t forget about training
It’s essential to train all staff on cloud usage policies, including “the risks and the rules of the road in leveraging them,” Snyder says, as well as what data and materials are appropriate to migrate to the cloud based on the data governance protocols described above.
IT staff will also require additional training on the protocols for specific cloud environments. For example, incident response can look different in a hybrid environment, as new methodologies are often needed to investigate and compile forensic evidence, Snyder says.
It’s also important to consider new methodologies that reflect the iterative challenges of a hybrid multi-cloud environment. One such methodology is DevSecOps, a hybrid role that can focus on key cloud vulnerabilities such as APIs. CDG Senior Fellow William (Bill) Rials, Ph.D., describes the responsibilities of the role as “a little bit of coding, a little bit of infrastructure, a little bit of hardware, a little bit of software,” so addressing this need may require new staffing or training.
Consider automation and AI/ML
Already used to help secure systems by many cloud service providers, automation technologies can continuously scan networks and identify potential gaps in security. The complexity of hybrid and cloud-based resources can make these solutions difficult for individual organizations to configure, but solutions that leverage artificial intelligence and machine learning (AI/ML) to learn network topographies and flag anomalies in user behavior can “help organizations keep up with cyber-tactics, automate threat detection and respond more quickly than in the past,” Snyder says.
While AI/ML will power the next generation of cybersecurity in the cloud, it’s also important to recognize that governments and cloud providers aren’t the only ones benefitting from these technologies. “Cybercriminals are leveraging AI/ML to look for and leverage targets of opportunity,” Snyder says. “It’s always good to keep that firmly in mind.”
Sponsor Content