The cloud, these days, is everywhere. Acceptance of the cloud has grown by leaps and bounds among state and local governments in particular, as many, such as Arizona, turn to cloud-first policies or hybrid cloud adoptions in an effort to snag the cost and agility benefits the technology affords.
“We live in a cloud-first world,” said Joey Muniz, security solutions architect at Cisco, speaking at the Public Technology Institute’s National Symposium on Cybersecurity & Local Government in Washington, D.C., on May 23. “But what people typically don’t understand is cloud security.”
Cloud security concerns may still be holding many governments back from adopting the technology, and for those who have already moved to the cloud, what it means for cybersecurity may not be clear.
The confusion stems from the multifaceted nature of the cloud and how data can be stored — and made vulnerable — at each stage.
When it comes to standing up a firm cloud security posture, understanding of, and dialogue around, the possible vulnerabilities are key.
“People start to throw technology right away at the problems,” said Muniz. And although technology is important in keeping data safe and segmented, the threat landscape is constantly shifting. “It’s not necessarily about capabilities. If you’re hoping I’m going to pull out of my pocket the cloud security products, it’s not necessarily about that. It’s about understanding [how data gets] to and from the cloud, as well as all the services within there.”
So, how can CISOs stay on top of cloud security? The first step is to understand how it works and where vulnerabilities may rear their heads. Muniz earmarked two aspects, in particular: how data goes to the cloud and how data is protected within the cloud.
Securing Public-Sector Data that Goes to the Cloud
Data going to the cloud encompasses any data sent to applications that store it in the cloud, such as Salesforce or Dropbox, whose servers are managed by the company that owns them and not by the government organization that owns the data.
Concerns with such services include stolen or hacked accounts, lost data or even sensitive data being foisted into a personal Dropbox account and leaving the organization’s security perimeter, all of which could expose sensitive data.
These security concerns are heightened by simple applications that access more data and personal information than necessary, often because the developers or companies building the applications simply aren’t thinking about this security threat.
To better understand which applications employees are actually using, and where sensitive data might be lurking outside an agency’s security perimeter, Muniz recommends a Controlled Access Secure Broker. A CASB can provide reverse token assessments that offer governments a window into where employees are storing data and which applications they are really using.
Another option is an application-layer firewall, which offers agencies visibility into which applications are being used. “A CASB or next-gen tech firewall are things you should start thinking about to get a grasp on what devices are actually phoning out to the cloud so you can start to implement security to the cloud,” said Muniz.
Securing Public-Sector Data that Lives Within the Cloud
Data stored within the cloud is, essentially, “having a data center virtually inside the cloud,” Muniz explains, pointing to something like Microsoft Azure. “That’s different [than sending data to the cloud] because now you actually have control of what’s in the cloud.”
This can expose the data to vulnerabilities when it needs to communicate with on-premises data.
The good news, however, is that many of the same rules apply to securing data within the cloud as to securing data within any network. And the first step is not to focus only on keeping attacks outside the perimeter, but to assume that, eventually, an attack will penetrate the system, and that new attacks will constantly be just outside the perimeter.
“The reality is that the attackers are constantly changing the way they attack to get around the defenses,” said Muniz. Eventually, it’s more than likely that an attacker will find their way into your network. The best defense, then, is to plan for when a cyberattack happens.
“Start with assuming you’ve been owned,” said Muniz.
This means preparing appropriately: Equip yourself with the correct visibility and breach detection software, and don’t focus all investments on securing the perimeter. Take steps to segment servers in the cloud based on least privilege so that a compromise is confined to one segment of the network. Put together an actionable and frequently updated incident response plan.
Cloud Security Best Practice Is to Constantly Evolve
But the reality of cloud security — and all public-sector cybersecurity — is that government IT teams need to be always on the lookout for new best practices and software to combat ever-evolving cyberthreats.
“It is a cat-and-mouse game,” says Muniz, noting that any advice he offers now will likely be obsolete in six months as threats evolve. “Security is a journey; it’s not a destination. You don’t become secure; you maintain security. Best practice is going to be to change the mindset.”