Cloud security: Agency obligations and how to meet them

 


Enterprise key management helps agencies using a hybrid cloud -- or multiple cloud providers -- move data into another cloud infrastructure, while retaining access to the keys and managing them across their lifecycle.

As the number of available services multiplies, government agencies are more willing to move their data storage and computing to the cloud. This development has resulted in the popularity of various cloud configurations, such as private, hybrid, public and multicloud environments. Yet as agencies move to the cloud, they must be more vigilant than ever to ensure that they maintain appropriate levels of security.

It’s no secret that security concerns are prompting agencies to increasingly deploy private clouds for the high-impact sensitive data that cannot be pushed to the public cloud. Private clouds give agencies total control of their data and where it resides over its lifecycle as well as command of who has access to the cloud infrastructure.

For less-sensitive data and workloads, many agencies are turning to a hybrid cloud environment, combining legacy enterprise infrastructure with some data storage and computing sent to the public cloud. In most cases, security provided by the cloud service provider (CSP) can be used to protect data in the hybrid cloud. However, since the hybrid model combines on-premises infrastructure with public cloud infrastructure, agencies must ensure that there is seamless management of security services between infrastructures.

The full public cloud environment, in which all data storage, computing and access control is pushed to the cloud, can potentially be the most risky deployment type because it is largely an open, multiuser, multitenant environment. Public cloud users must trust that CSPs will provide services to ensure that data integrity, confidentiality and access control are being managed within the cloud.

But even with this model, CSPs still recommend a “shared responsibility” approach when it comes to security. What does that mean? Simply put, the CSP is responsible for securing the infrastructure and managing the security of the cloud; the cloud user is responsible for securing everything put into the cloud.

What “shared responsibility” really means

The shared responsibility model must be top of mind for all agencies using public clouds. When it isn’t followed, there is potential for catastrophe.

For example, it was disclosed in September 2017 that data stored in an Amazon Web Services’ S3 cloud by the Army’s Intelligence and Security Command was openly available, due to a misconfiguration of the storage bucket. As this data was in the public cloud, security researchers were able to find and examine classified files and virtual systems.

So how do agencies address the shared responsibility model?

The most direct way is to extend the agency’s security measures for the enterprise to the cloud, creating a holistic solution across all data. This means an agency must be able to either encrypt data before it gets to the cloud or support encryption services offered by the CSP via user-controlled enterprise key management. Either solution must support the use of the CSP's business applications and data storage capabilities.

For example, when encrypted data is stored in the cloud, the last place agencies should keep their encryption keys is in the same place. It’s essential that encryption keys be stored in a separate location from the data. That way, if the data is compromised or if there is an internal breach, agencies can be confident that the keys have been properly managed and that security remains intact.

Dedicated key management that is not tied to a particular CSP is also an important consideration for agencies in a multicloud environment. A key management service from a particular cloud provider most likely can’t share those keys with another cloud provider’s environment. This makes it impossible to use multiple CSPs for seamless redundancy, load sharing and disaster recovery.

Key management should remain an enterprise function. By doing so, agencies using a hybrid cloud -- or multiple cloud providers -- can move data into another CSP’s infrastructure, while retaining access to the keys and managing them across their lifecycle.
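The arrangement described above (encrypt before upload, keep keys apart from the data, keep them independent of any one CSP), as an added Node.js example that is not part of the original article. The Map used as the enterprise key store, the key ids, object names and function names are assumptions, and the per-object data key and re-wrap rotation go beyond what the article spells out.

```javascript
const crypto = require('node:crypto');

const NONCE = 12, TAG = 16; // AES-GCM nonce and tag lengths in bytes

// seal returns nonce || ciphertext || tag under AES-256-GCM.
function seal(key, plaintext, aad) {
  const nonce = crypto.randomBytes(NONCE);
  const c = crypto.createCipheriv('aes-256-gcm', key, nonce);
  c.setAAD(aad);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, body, c.getAuthTag()]);
}

// open throws if the key, the AAD or any byte of the sealed value is wrong.
function open(key, sealed, aad) {
  if (sealed.length < NONCE + TAG) throw new Error('sealed value truncated');
  const d = crypto.createDecipheriv('aes-256-gcm', key, sealed.subarray(0, NONCE));
  d.setAAD(aad).setAuthTag(sealed.subarray(sealed.length - TAG));
  return Buffer.concat([d.update(sealed.subarray(NONCE, sealed.length - TAG)), d.final()]);
}

// Runs inside the enterprise. The returned object is all that is uploaded:
// the data under a per-object key (DEK) and the DEK wrapped under the KEK.
function encryptForCloud(keyStore, kekId, name, data) {
  const dek = crypto.randomBytes(32);
  const aad = Buffer.from(name); // binds both sealed values to the object name
  const wrappedDek = seal(keyStore.get(kekId), dek, aad);
  return { kekId, name, wrappedDek, ciphertext: seal(dek, data, aad) };
}

// Works on a copy fetched from any provider, but only where the KEK is held.
function decryptFromCloud(keyStore, obj) {
  const kek = keyStore.get(obj.kekId);
  if (!kek) throw new Error(`KEK ${obj.kekId} is not in the enterprise key store`);
  const aad = Buffer.from(obj.name);
  return open(open(kek, obj.wrappedDek, aad), obj.ciphertext, aad);
}

// Rotation: re-wrap the DEK under a new KEK; the stored ciphertext is untouched.
function rewrap(keyStore, obj, newKekId) {
  const aad = Buffer.from(obj.name);
  const dek = open(keyStore.get(obj.kekId), obj.wrappedDek, aad);
  return { ...obj, kekId: newKekId, wrappedDek: seal(keyStore.get(newKekId), dek, aad) };
}

// Constructed demo: the Map stands in for an on-premises key manager or HSM.
const demoKeys = new Map([['kek-1', crypto.randomBytes(32)]]);
const demoObj = encryptForCloud(demoKeys, 'kek-1', 'report.csv', Buffer.from('constructed sample'));
console.log(decryptFromCloud(demoKeys, demoObj).toString()); // prints "constructed sample"
```

Because the uploaded object carries only the wrapped data key and a key id, the same blob can be copied to a second provider unchanged, and retiring a key means re-wrapping 60 bytes per object rather than re-encrypting the data.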

That’s why it seems as though the hybrid cloud will be the most common environment in the government. The hybrid cloud enables agencies to control data within the enterprise, while taking advantage of the cloud’s services and storage and scalability capabilities to meet high data processing demands. At the same time, they can follow the shared responsibility model by having key management for encryption services fully under their control.

Cloud security must evolve with the cloud

As cloud environments evolve, security must change with them. It’s a dynamic process that demands an understanding of cloud infrastructures, the services and security they provide, and the key management those security services require, as well as the use cases for the data in the cloud and an awareness of the growing threat vectors around its use.

When enterprise users first started moving data to the cloud, they realized that simple access control to their cloud services wasn’t enough. Enterprise data security services and key management also had to be pushed to the cloud, creating a holistic data security ecosystem.

The simple truth is that threat vectors increase dramatically in a cloud model. There is a greater possibility of insider threats, as more people (including some outside the agency) have the authority to manage the enterprise's infrastructure.

Agencies, therefore, must not only worry about threats within the enterprise, but also within the cloud itself. This also supports the shared responsibility model, where the CSP is responsible for the security of the infrastructure, but the users are responsible for the security of their data.

We’ve just seen the tip of the iceberg as it concerns data breaches within the cloud. To stay ahead of the anticipated increase in breaches, agencies must implement appropriate enterprise and cloud security services.

Doing this requires agencies to understand their asset portfolio, determine the security level of those assets and conduct a risk assessment to fully address the type of protection required. What’s more, they must review possible threats annually. Bad actors get smarter every day, learning how to break systems that are not routinely reassessed for security vulnerabilities. It’s an ongoing process.

The adoption of cloud services will continue spreading over the next several years across all industries. Government agencies are not exempt. With proper data security and an appropriate cloud deployment model, agencies can take full advantage of cloud services while minimizing the threat to data and applications they push to the cloud.
