State and local government IT leaders say the cloud helps them collaborate and innovate more easily. However, cloud security and compliance concerns need to be a key area of focus for IT leaders and decision-makers, since such concerns can stall cloud migrations and inhibit agencies from fully achieving the benefits of shifting to the cloud.
State and local governments use the cloud for all manner of IT tasks and to gain a wide range of efficiencies. The Douglas Omaha Technology Commission, the centralized IT department for Omaha, Neb., uses Google Cloud to enhance collaboration and cut IT infrastructure costs. The California Department of Technology offers cloud-based Infrastructure as a Service to other state agencies. And in Kansas, the state moved its cattle brand registration program to the cloud last year, Government Technology reports, allowing the state to streamline and move online a process that was previously all done via mail.
Cloud adoption is likely going to continue to grow at the state and local level. Gartner expects double-digit growth in government use of public cloud services, with spending forecast to grow 17.1 percent on average per year through 2021. Across all industries, companies spend an average of 20.4 percent of their IT budgets on the cloud, according to the research firm, compared with 20.6 percent for local governments.
“The key to successfully implementing cloud in government is accounting for the unique technical, organizational, procedural and regulatory issues of individual organizations,” Neville Cannon, research director at Gartner, says in a blog post. “For example, national governments typically see cloud as a long-term pathway to strategic IT modernization, whereas local and regional governments tend to pursue the immediate tactical benefits of innovation and cost savings.”
How the Public Sector Should Approach Cloud Security
Security is an area that state and local government IT leaders always need to keep top of mind, including in cloud deployments. An April 2017 Symantec white paper on state and local government cloud security notes that agencies have long “focused on patching together a range of security products to oversee each part of the process,” resulting in “agencies picking individual purpose-built solutions that were not intended or developed to work with one another, which created a patchwork, and often incomplete, security infrastructure.”
Symantec argues that the best approach to cloud security is to use “a unified, network-based platform with a flexible security architecture that can manage the ever-changing cloud environment — from the endpoint through the data transmission pipe to the cloud and back.”
The white paper says agencies can use such a platform to “unify access governance, information security and threat protection across cloud platforms and on-premises security infrastructures — offering the same level of protection that agencies are used to in their own physical networks.”
The white paper suggests that agencies first establish the policies that will govern their people and processes and ensure that employees have access to only the data they need. Next, agencies should implement network security solutions to complement endpoint security.
“Agencies have the ability to identify where data is stored across cloud, mobile, network, endpoint and storage systems, classify that data, monitor how the data is being used, and protect the data from being leaked or stolen,” the white paper states. “This ensures that the routes of all valuable traffic are seen and monitored for anomalies.”
Additionally, agencies should invest in data loss prevention tools to help “uncover data loss blind spots in both sanctioned and unsanctioned cloud applications.” Further, Symantec says that “integrating Cloud Access Security Brokers (CASBs) can extend an information technology department’s reach to protect users and data as they interact with cloud applications and services, providing visibility and control directly over the use of an application.”
Top Public Sector Cloud Security and Compliance Concerns
Despite the numerous benefits of the cloud to state and local agencies, cloud security concerns remain strong.
The top cloud security challenges, according to the 2018 Cloud Security Report from Crowd Research Partners, are protecting against data loss and leakage (67 percent), threats to data privacy (61 percent) and breaches of confidentiality (53 percent), InfoSecurity Magazine notes.
The report, based on an online survey of cybersecurity professionals in the 400,000-member Information Security Community on LinkedIn, also revealed that only 16 percent think traditional security tools are sufficient to manage security across the cloud, down 6 percentage points from 2017.
The survey found that there are other concerns, including visibility into cloud infrastructure security (43 percent), compliance (38 percent) and consistent security policies across cloud and on-premises environments (35 percent).
Sebastian Taphanel, principal consultant at Stratical Solutions, writing in GCN, notes that “malicious cyber behavior and inadvertent nonmalicious mistakes are difficult to anticipate or change, so agencies have to treat security and compliance as a continuously critical priority.”
Taphanel notes that public clouds “operate according to a shared responsibility model for security in which cloud service providers (CSPs) implement security of the cloud, while customers are responsible for security in the cloud.” That means agencies must secure their data and the transactions conducted through application programming interfaces and connectors, and monitor the compute, storage, database and networking services of their CSP, he says.
StateScoop notes that CSPs “have made key investments to ensure government clouds are keeping — and in some cases exceeding — pace with government cybersecurity compliance standards,” including IRS 1075, Criminal Justice Information Services and others.
Microsoft Azure Government services handle data that is subject to certain government regulations and requirements, such as the Federal Risk and Authorization Management Program (FedRAMP), NIST 800.171 (DIB), ITAR, IRS 1075, DOD L4, and CJIS, according to Microsoft. “In order to provide you with the highest level of security and compliance, Azure Government uses physically isolated datacenters and networks (located in U.S. only),” Microsoft says.
Google Cloud is also compliant with numerous regulations, including NIST 800-171, CJIS and FedRAMP.
FedRAMP assesses security for and authorizes cloud programs used by federal agencies. If a state or local agency’s cloud vendor has received a FedRAMP authorization, the agency can be assured that the vendor meets stringent security compliance regulations.
An overview of the FedRAMP governance structure; CSPs must go through a rigorous security check to be authorized by FedRAMP. Source: FedRAMP
“Azure Government has received a FedRAMP Provisional Authority to Operate (P-ATO) and DoD Provisional Authorization (PA),” Microsoft notes. “These authorizations reduce the scope of customer-responsibility security controls in Azure-based systems. Inheriting security control implementations from Azure Government allows customers to focus on control implementations specific to their IaaS, PaaS, or SaaS environments built in Azure.”
Compliance helps ensure that agencies that put data into the cloud are meeting the appropriate standards for data protection, especially of residents’ personally identifiable information. However, Stuart McKee, Microsoft’s state and local government CTO, tells StateScoop that compliance is just the first hurdle agencies and their cloud service partners must clear.
Cloud security compliance enables a stronger and more resilient approach to cybersecurity that protects state and local agencies from a wide range of cyberattacks, he says. “Unfortunately, reported attacks are just the tip of the iceberg,” McKee says. “There are a lot more cyberattacks that are not reported than reported.”
Why State and Local Governments Adopt the Cloud
Agencies are shifting to the cloud to gain agility, lower costs and be able to innovate faster. “Digital transformation through cloud technology enables state and local government agencies to rapidly modernize their systems, taking advantage of infinite resources while ensuring the best use of time and budget,” Karina Homme, senior director of Microsoft Azure Government, says in a Microsoft blog post. “Agencies can achieve better citizen services while driving stronger governance, compliance, and accountability.”
Cloud lets agencies build everything from simple mobile applications to internet-scale solutions, Homme says, which can then enable them to launch new initiatives, increase efficiency, provide faster decision-making, improve citizen services and optimize operations.
State and local agencies often turn to the cloud to cut IT infrastructure costs by adopting elastic and on-demand, pay-per-use services managed by cloud service providers, Homme adds. The cloud’s on-demand flexibility, scalability and overall accessibility also empower employees and drive efficiency.
They also turn to CSPs for increased security, compliance and regulation to protect residents’ critical data and services. The cloud also enables agencies to adopt new methods for app development, IT management and data protection, Homme notes.
According to the National Association of State Chief Information Officers’ 2017 State CIO Survey, email and collaboration services continue to be the most common services that state CIOs have migrated to the cloud, closely followed by office productivity and storage.
However, the survey adds, security-related services are also growing in popularity, and project and portfolio management solutions are now more commonly being considered for migration to the cloud.
The 2017 survey asked CIOs how the results of cloud migration efforts have compared to the benefits originally expected of them. In general, the reported actual benefits closely match their initial expectations.
For example, 75 percent of those surveyed reported that the cloud lowered their asset investment threshold and improved their ability to innovate, compared to 78 percent who expected to achieve that benefit. Additionally, 38 percent said they had achieved cost savings compared to 44 percent who expected to. And 23 percent saw improved compliance and reporting, compared to 28 percent who expected to.
The one significant area of difference was in enhanced scalability through more flexible utilization and pay-per-use, the survey notes. While 81 percent of CIOs expected this to be a benefit, only 65 percent reported actually achieving it.