While security remains a primary area of focus for state and local government IT, a more specific and pressing challenge today is how to protect and secure data that flows freely between mobile devices and the cloud.
The results of NASCIO’s annual survey of state CIO priorities reflect the importance of security and strategic enterprise thinking. Security and risk management top the list of technology and policy priorities for 2017, with cloud services ranking third. So it stands to reason that finding ways to better secure cloud data ranks as a chief concern among state and local government IT leaders.
“Consolidation and sharing of services will drive needs to improve identity management, governance and optimization,” says NASCIO President and Connecticut CIO Mark Raymond.
The Risks of Working in a SaaS Environment
As Software as a Service (SaaS) applications permeate the enterprise, the cloud introduces a new set of security challenges. One lingering misconception is that data security is the job of the cloud provider. As most of us know, SaaS providers and user organizations share the responsibility for securing cloud-based services.
The service provider protects the cloud infrastructure and physically secures its resources, but customers bear the responsibility of handling the people and data aspects of security. That means you still need to handle many components of endpoint security, including encryption, anti-virus protection and backup. Any point of handoff can create a security gap. Another challenge is the rise of so-called shadow IT, which refers to IT services and devices that users or workgroups procure without the IT department’s knowledge and control.
The proliferation of cloud computing is just one reminder that information security is not a constant. A new year presents a fresh opportunity to review practices and adjust accordingly.
Anticipating Cloud Migration Risks
As part of your preparation for a cloud rollout, develop a migration strategy that includes identifying and mitigating risks. Surprisingly, only 53 percent of state and local governments take this step, according to the results of a recent MeriTalk study.
Decide which apps make the most sense to move to the cloud. Given the need to handle personally identifiable information and other types of sensitive data, consider adopting a hybrid strategy. Embrace the public cloud for popular office productivity and collaboration tools, but insist on a private cloud for the most sensitive or critical data. You’d be in good company. The MeriTalk report shows that 54 percent of state and local government respondents use private clouds, 33 percent use public and 13 percent rely on both types.
Choose only cloud services that are certified and enterprise-ready for your particular agency’s technical and business needs.
And regardless of cloud model, don’t underestimate the importance of rigorous authentication and access control. Require users to choose strong passwords and to change them on a regular basis. Access Management and Identity as a Service can help governments manage a large ecosystem of SaaS apps through single sign-on and make authentication easier for users.
Tackle the SaaS security gap by addressing visibility, compliance, threat prevention and data security at the cloud level with the same level of consistency you’d apply to on-premises IT services.
To mitigate the risk of sensitive data being used by unapproved cloud services that crop up, conduct application visibility tests and continue to maintain data loss prevention solutions.
Also consider implementing an emerging class of security technology called cloud access security brokers (CASBs). While CASBs may still be unfamiliar to many, Gartner last summer named them a top security technology for the year. Designed to reduce the risks of cloud computing, CASBs provide critical visibility into, and control over, how cloud-based services are used.
With the move to the cloud inevitable, security chiefs and IT leaders should continually evolve their cloud security strategies. By adopting some of these best practices, you can effectively combat threats to your cloud-based data and infrastructure and reduce risk through all levels of state, county and city government.