Close

See How Your Peers Are Moving Forward in the Cloud

New research from CDW can help you build on your success and take the next step.

Click Here to Read the Report
Jan 08 2025
Security

State and Local Governments Use the Shared Responsibility Model for Cyber Resilience

Agencies can and should collaborate more closely with internal stakeholders and cloud service providers to work toward cyber resilience by design.
Aaron Lewis
by

Aaron Lewis is area vice president for public sector sales engineering at Rubrik.

Cyberattacks targeting state and local power grids, communication systems, transportation networks, and other critical U.S. infrastructure have risen dramatically in recent months. These attacks, frequently attributed to foreign threat actors from countries such as China or Iran, pose risks for state and local governments. Attacks range from ransomware and data breaches to more insidious cyber espionage, resulting in severe operational disruptions and substantial financial implications.  

These cyberthreats highlight the urgent need for state and local governments to adopt cyber resilience best practices such as data backup and recovery, which can help agencies anticipate, withstand, recover from and adapt to cyberattacks. Without cyber resilience, attacks will continue to cause significant operational disruptions and financial losses, emphasizing the importance of quick recovery and restoration of normal operations.

Even with advancements in cloud technology and security, data breaches continue to occur. In some cases, they are even becoming more common. This raises a question: What steps should state and local governments take after an attack? 

The shared responsibility model is critical to solving this challenge. This cloud computing framework delineates security and compliance responsibilities between the cloud service provider (CSP) and state and local governments.  

Click the banner for deeper insight into achieving cyber resilience.

x-cyberattack-static-2024-clickhere-desktop x-cyberattack-static-2024-clickhere-mobile

 

Challenges and Misconceptions of the Shared Responsibility Model 

The primary challenge facing state and local governments is the complexity of effectively executing the responsibilities outlined in the model. These agencies are often under-resourced, requiring more specialized skills and budgets to manage their cloud security responsibilities robustly. Several issues compound these challenges.

Opportunities for Enhanced Collaboration

While CSPs can provide strong infrastructure security, state and local governments must actively manage data encryption and user access controls while conducting regular security audits. Recognizing the shared responsibility model is crucial; CSPs handle the security of the cloud, such as physical data center security and hardware, while agencies are responsible for security in the cloud, including configuring settings, managing user permissions and monitoring compliance. A coordinated effort ensures comprehensive cyber resilience against potential vulnerabilities and compliance breaches. 

EXPLORE: Enhance collaboration and digital government with IAM solutions.

Operational Complexities

Implementing a thorough and effective cyber resilience strategy is complex. It requires continuous monitoring, updating and aligning strategies with the CSP's security measures. Inadequacies in understanding or performing these tasks can open vulnerabilities for cybercriminals to exploit. 

Cost Concerns

Cloud computing can become more costly than anticipated. Long-term costs vary based on an agency’s size, workload and needs. If not managed properly, operational expenses for ensuring security compliance and effective data recovery can escalate.

Need for Speed and Cyber Recovery

The cloud, by design, facilitates rapid deployment and scalability. However, the speed advantage can become a double-edged sword. Rushing cloud adoption without a comprehensive cyber resilience and recovery plan can result in significant vulnerabilities. Moreover, legacy backup solutions often fall short in modern, fast-paced cloud environments. Their design does not allow quick, efficient data recovery to mitigate the damage from evolving cyberattacks.  

LEARN MORE: Vendor-agnostic backup and recovery can offer more bang for your buck.

Human Error and Misconfigurations

Human error remains a significant risk factor. Misconfiguration of cloud resources has been a common cause of data breaches. Data backup and recovery measures can mitigate this risk by automating data protection and providing a robust recovery framework. Data security posture management best practices can ensure full cyber resiliency, leading to effective data recovery post-attack. 

Rushing cloud adoption without a comprehensive cyber resilience and recovery plan can result in significant vulnerabilities.”

How Shared Responsibility Promotes Cyber Resilience 

While these challenges are significant, they illuminate a pathway for growth and improvement. By recognizing the multifaceted nature of the shared responsibility model and addressing these gaps, state and local governments can build more resilient, secure cloud infrastructures. The following are actionable steps you can take to navigate the complexities and capitalize on opportunities for enhanced security collaboration, ensuring a robust defense against evolving cyberthreats.  

1. Comprehensive Education and Training

Extensive mandatory staff training programs focusing on cloud security fundamentals and responsibilities can help state and local governments understand their role in the shared responsibility model.  

DIVE DEEPER: Thoughtful cybersecurity training yields benefits for government workers.

2. Consolidation and Automation

State and local governments should focus on consolidating data protection and automated backups, which will make managing their responsibilities easier.  

3. Trust and Accountability with CSPs

Public-private partnerships can build this trust by fostering cooperation and promoting the sharing of best practices and threat intelligence between governments and CSPs. Ensuring accountability on both sides is essential. CSPs should offer clear service-level agreements that outline their specific security commitments and performance metrics. Agencies must rigorously enforce these SLAs and regularly audit CSP compliance. 

4. Security Measures in On-Premises Environments

In on-premises settings, robust security protocols are essential to protect sensitive data and systems. These protocols should include deploying advanced encryption protocols to secure sensitive data at rest within local data centers and in transit across internal systems. Regular updates to encryption standards are critical to safeguard against emerging threats.

5. Security Measures in Cloud Environments

Implementing strong identity and access management in the cloud is also crucial. This involves multifactor authentication and stringent access controls to prevent unauthorized access. Cloud environments require continuous monitoring and periodic reviews of access permissions to ensure they adhere to the principle of least privilege, minimizing potential vulnerabilities.

RELATED: IAM’s role is evolving in complex IT environments.

6. Regular Audits and Compliance Checks

Regular audits can help state and local governments ensure security policies and SLA compliance. This step helps detect potential vulnerabilities early and enforce accountability. 

7. Data Recovery Planning

State and local governments must prioritize data recovery planning. They should also regularly test recovery processes to ensure quick and efficient restoration in case of data loss. Moreover, agencies must prioritize data stewardship through systems designed with security at the core rather than as an afterthought or fine-tuning based on configuration-based security. Proactive, design-based data recovery and protection and built-in security reduce the burden of managing complex security configurations. 

Pioneering Cyber Resilience for Public Trust and Service Delivery 

In their journey toward a digitally transformed future, state and local governments have an unprecedented opportunity to lead the charge in cyber resilience. By championing the recommendations outlined above, state and local governments can build a cyber resilient future in which they harness the power of cloud computing to deliver unparalleled public services and inspire trust.  

UP NEXT: Agencies embrace the whole-of-state approach to cybersecurity.

pixdeluxe/Getty Images

More On

Related Articles