Having the Right Controls for Your Cloud Environment
Hybrid clouds span one or more public cloud environments as well as private cloud hardware. Physical security is the responsibility of the public cloud provider, while for private clouds, it is the agency’s responsibility.
For private clouds, agencies should perform a thorough review of network topology to spot weaknesses, segment the network, and use physical controls such as biometrics and locks so that only staff with a genuine need can reach the hardware. For public clouds, each provider should be asked to describe the steps it takes to isolate the most critical infrastructure. Service-level agreements should spell out how a zero-trust approach is implemented: strong authentication, explicit authorization for each request, and step-up authentication when a session shows signs of fraudulent access.
A Look at Technical Controls for the Cloud
Technical controls typically fall into three categories: networking, encryption and authentication. State and local governments should expand the focus from authentication to identity and access management, supported by continuous monitoring.
Networking controls govern how the various cloud services communicate and transmit data. A direct network connection (a dedicated circuit between the agency's data center and the provider) is optimal, but not always available; in that case, many state and local governments fall back on virtual private networks to encrypt traffic between components. A VPN protects the link, not the endpoints, so segmentation and access controls still apply on both sides of the tunnel.
Encryption is the primary method used to keep data safe, both at rest and in transit. Make sure agency security policies address encryption at every level of the infrastructure to protect confidential records, Social Security numbers, financial information and other sensitive data. For data at rest, use full-disk encryption, but note that it defends against lost or stolen media, not against an attacker who already has access to a running system; the most sensitive fields also need application-level encryption and access controls. For data in transit, use network session encryption (TLS or an encrypted tunnel), and include backups shipped to other data centers or third-party sites, which travel over the same untrusted links. Some public cloud vendors provide encryption and key-management services that can be used across the hybrid environment.
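As an added example, not code from the original article or from any vendor, the following Go program (standard library only) shows the key-hierarchy pattern that cloud key-management services are built on, known as envelope encryption: each record is encrypted under its own data-encryption key (DEK), and the DEK is wrapped under a key-encryption key (KEK) that in production would live in the provider's KMS or an HSM and never leave it. The KEK here is a constructed in-memory value, and the key ID, sample record and function names are this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is the unit stored at rest or shipped to a backup site: the record
// ciphertext plus the data key that encrypted it, wrapped under the KEK.
type Envelope struct {
	KeyID      string // identifies which KEK wrapped the DEK (supports KEK rotation)
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, record)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with AES-256-GCM under key, prepending a random nonce.
// aad is authenticated but not encrypted; it binds the blob to its context.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any change to nonce, ciphertext, tag or aad fails authentication.
func open(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob shorter than nonce")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// Encrypt generates a fresh 256-bit DEK for this record, encrypts the record
// under it, then wraps the DEK under the KEK. The KEK ID is used as AAD on both
// layers so an envelope cannot be silently re-associated with a different key.
func Encrypt(kek []byte, keyID string, record []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := seal(dek, record, []byte(keyID))
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek, []byte(keyID))
	if err != nil {
		return nil, err
	}
	return &Envelope{KeyID: keyID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the KEK and then decrypts the record. Only the
// small wrapped DEK has to go to the key service; the bulk data stays local.
func Decrypt(kek []byte, env *Envelope) ([]byte, error) {
	dek, err := open(kek, env.WrappedDEK, []byte(env.KeyID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, env.Ciphertext, []byte(env.KeyID))
}

func main() {
	// Constructed KEK for the demo; in production this key never leaves the KMS/HSM.
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	record := []byte("name=J. Doe;ssn=000-00-0000") // constructed sample record
	env, err := Encrypt(kek, "kek-agency-2024", record)
	if err != nil {
		panic(err)
	}
	got, err := Decrypt(kek, env)
	fmt.Printf("round trip ok: %v (%q)\n", err == nil, got)

	// Edge case: a flipped bit in the stored ciphertext is detected, not silently decrypted.
	env.Ciphertext[len(env.Ciphertext)-1] ^= 0x01
	_, err = Decrypt(kek, env)
	fmt.Println("tampered record rejected:", err != nil)
}
```

The design point for a hybrid environment is that the same envelope format works whether the record sits on a private-cloud disk, in a public-cloud object store or in a backup at a third-party site: rotating the KEK only requires re-wrapping the small DEKs, and a stolen disk or backup image yields nothing without access to the key service that holds the KEK.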