Government data in the cloud: Provider and user responsibilities
- By Subrata Chakrabarti
- May 16, 2018
Data breaches at the IRS, Office of Personnel Management, Securities and Exchange Commission and the State Department underscore the risk government agencies face with hacking on the rise. A recent study indicates that tight budgets may be part of the problem. Federal agencies have struggled to secure funds to keep data safe, though help may be on the way. As modernization funding becomes available, government IT leaders will need to make decisions about security.
Cloud service providers are also taking a fresh look at how to protect data, as the current rash of data breaches is unlikely to slow down. In fact, many cybersecurity experts expect 2018 to set new records for compromised information at organizations of all types. To protect data, CSPs and users alike must embrace their roles in preventing unauthorized access to sensitive information.
What CSPs owe to the organizations they serve
Government IT managers should be able to trust the software-as-a-service vendors they use to handle sensitive data, and cloud providers must earn government user trust by deploying the most effective security measures available. It’s not a one-off responsibility because hackers are actively devising new exploits, including weaponizing artificial intelligence, creating ransomware and testing internet-of-things endpoints for vulnerabilities.
Conscientious CSPs today offer sophisticated intrusion and exploit detection processes, and they conduct routine third-party scans and implement other standard security features. But the most forward-thinking providers are going above and beyond standard measures and using techniques such as “defense in depth” to safeguard data.
Also known as the “castle approach,” defense in depth layers multiple independent security controls so that if one fails, the others still stand between the attacker and the data. CSPs can apply this principle by protecting systems that handle sensitive information at several layers, securing hardware, software and processes rather than relying on any single control. A comprehensive approach like defense in depth makes sense when threats come from every direction.
What government organizations need to know about CSPs
Government IT professionals should be able to trust CSPs, but in an environment where hacking happens all too frequently, they have a responsibility to proactively ensure that their providers are using the latest techniques and technologies to protect data. Cloud service users should look for specific SaaS security features that address today’s critical threats.
Multiple authentication options are a must-have on a cloud platform. One is support for Security Assertion Markup Language (SAML), the federated single sign-on standard: the agency’s own identity provider authenticates the user and hands the SaaS vendor a signed assertion, so agency administrators keep control of authentication policy and the CSP never stores user passwords. Another must-have is granular access control that lets the agency’s administrators enforce separation of duties, so that no single account can both perform and approve a sensitive action.
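As an added illustration, not code from the article or from any vendor it mentions, here is the service-provider side of the SAML arrangement just described: the checks a SaaS vendor has to make on an assertion from the agency’s identity provider before trusting it. The hostnames, the request ID and the assertion itself are constructed for the example; verification of the XML signature is assumed to have been done already by an XML-DSig library and is not shown.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

// Minimal view of the SAML 2.0 elements the service provider has to check. Tags match
// on local name, so the samlp:/saml: prefixes in the document do not matter here.
type samlResponse struct {
	XMLName      xml.Name `xml:"Response"`
	InResponseTo string   `xml:"InResponseTo,attr"`
	Assertion    struct {
		Issuer     string `xml:"Issuer"`
		NameID     string `xml:"Subject>NameID"`
		Conditions struct {
			NotBefore    string `xml:"NotBefore,attr"`
			NotOnOrAfter string `xml:"NotOnOrAfter,attr"`
			Audience     string `xml:"AudienceRestriction>Audience"`
		} `xml:"Conditions"`
	} `xml:"Assertion"`
}

// spConfig is what the SaaS provider knows about itself and about the agency's IdP.
type spConfig struct {
	EntityID       string        // the audience value our own metadata advertises
	ExpectedIssuer string        // the agency identity provider we federate with
	ClockSkew      time.Duration // tolerance for IdP/SP clock drift
}

// validateAssertion applies the checks a service provider makes on every login after
// the XML signature has been verified (signature verification is NOT done here; run an
// XML-DSig library over the document before calling this). outstanding holds the IDs
// of AuthnRequests we issued and have not yet consumed: that is the replay protection.
func validateAssertion(raw []byte, cfg spConfig, outstanding map[string]bool, now time.Time) (string, error) {
	var resp samlResponse
	if err := xml.Unmarshal(raw, &resp); err != nil {
		return "", fmt.Errorf("malformed response: %w", err)
	}
	a := resp.Assertion
	if a.Issuer != cfg.ExpectedIssuer {
		return "", fmt.Errorf("issuer %q is not the configured IdP", a.Issuer)
	}
	if a.Conditions.Audience != cfg.EntityID {
		return "", fmt.Errorf("assertion is addressed to %q, not to this service", a.Conditions.Audience)
	}
	// Both bounds are optional in the standard; this SP refuses open-ended assertions.
	nb, err := time.Parse(time.RFC3339, a.Conditions.NotBefore)
	if err != nil {
		return "", fmt.Errorf("bad or missing NotBefore: %w", err)
	}
	noa, err := time.Parse(time.RFC3339, a.Conditions.NotOnOrAfter)
	if err != nil {
		return "", fmt.Errorf("bad or missing NotOnOrAfter: %w", err)
	}
	if now.Add(cfg.ClockSkew).Before(nb) {
		return "", errors.New("assertion is not yet valid")
	}
	if !now.Add(-cfg.ClockSkew).Before(noa) {
		return "", errors.New("assertion has expired")
	}
	if !outstanding[resp.InResponseTo] {
		return "", fmt.Errorf("InResponseTo %q matches no outstanding request (replay or unsolicited)", resp.InResponseTo)
	}
	delete(outstanding, resp.InResponseTo) // each request ID is good for exactly one response
	return a.NameID, nil
}

// sampleSP and sampleResponse are constructed for this example; the hostnames are placeholders.
var sampleSP = spConfig{
	EntityID:       "https://saas.example.com/sp",
	ExpectedIssuer: "https://idp.agency.example.gov/saml",
	ClockSkew:      30 * time.Second,
}

const sampleResponse = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp-1" Version="2.0"
    InResponseTo="_req-123">
  <saml:Assertion ID="_a-1" Version="2.0">
    <saml:Issuer>https://idp.agency.example.gov/saml</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe@agency.example.gov</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2018-05-16T12:00:00Z" NotOnOrAfter="2018-05-16T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://saas.example.com/sp</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>`

func main() {
	now := time.Date(2018, 5, 16, 12, 1, 0, 0, time.UTC) // fixed clock so the example is reproducible
	outstanding := map[string]bool{"_req-123": true}
	user, err := validateAssertion([]byte(sampleResponse), sampleSP, outstanding, now)
	fmt.Println("first presentation:", user, err)
	_, err = validateAssertion([]byte(sampleResponse), sampleSP, outstanding, now)
	fmt.Println("second presentation (replay):", err)
}
```

Each of these checks closes a distinct hole: without the audience check, an assertion the IdP issued for some other service logs the user in here; without the InResponseTo bookkeeping, a captured response can be presented again; without the validity window, a stolen assertion is good forever. None of them is a substitute for verifying the signature first.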
A bring-your-own-key solution, meanwhile, may be the right choice for agencies with the most stringent security and compliance needs. With BYOK, the organization generates and controls the keys used to encrypt its workspaces, so it decides who can decrypt them and can withdraw that ability; the provider holds encrypted data it cannot read without the organization’s key. The trade-off is that the organization now owns key availability as well: a key it loses or revokes makes the data unreadable to everyone, the organization included. Detailed audit logs of every key operation give the organization a record it can review for unexpected or unauthorized use of its keys.
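To make the BYOK model concrete, here is an added example, not code from the article or from any product it mentions, of envelope encryption against a customer-held key: the provider stores only ciphertext and a wrapped data key, must call the customer’s key service for every decrypt (which is what populates the audit log), and loses the ability to read the data the moment the customer withdraws the key. The in-process CustomerKMS, the workspace name and the record are constructed stand-ins; a real deployment would put a cloud or on-premises KMS/HSM where that struct is.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// AuditEvent is one entry in the key-activity log the BYOK customer reviews.
type AuditEvent struct {
	At            time.Time
	Op, Workspace string // Op is "wrap", "unwrap" or "revoke"
	OK            bool
}

// CustomerKMS stands in for the key service the agency controls: the KEK never leaves it and every use is logged.
type CustomerKMS struct {
	kek cipher.AEAD
	Log []AuditEvent
}

func NewCustomerKMS() *CustomerKMS { return &CustomerKMS{kek: mustAEAD(randomBytes(32))} }

// Wrap binds the workspace name in as AAD, so a wrapped key moved to another workspace will not unwrap.
func (k *CustomerKMS) Wrap(ws string, dek []byte) []byte {
	k.Log = append(k.Log, AuditEvent{At: time.Now().UTC(), Op: "wrap", Workspace: ws, OK: true})
	return seal(k.kek, dek, []byte(ws))
}

func (k *CustomerKMS) Unwrap(ws string, wrapped []byte) ([]byte, error) {
	dek, err := open(k.kek, wrapped, []byte(ws))
	k.Log = append(k.Log, AuditEvent{At: time.Now().UTC(), Op: "unwrap", Workspace: ws, OK: err == nil})
	return dek, err
}

// Revoke destroys the current KEK (modelled as replacing it with a fresh one): nothing the
// provider stored under the old key can be unwrapped again, by the provider or anyone else.
func (k *CustomerKMS) Revoke() {
	k.kek = mustAEAD(randomBytes(32))
	k.Log = append(k.Log, AuditEvent{At: time.Now().UTC(), Op: "revoke", Workspace: "*", OK: true})
}

// StoreWorkspace encrypts data under a fresh data-encryption key (DEK) and returns the two things
// the provider keeps: the KEK-wrapped DEK and the ciphertext. The plaintext DEK is not retained.
func StoreWorkspace(kms *CustomerKMS, name string, data []byte) (wrappedDEK, ciphertext []byte) {
	dek := randomBytes(32)
	return kms.Wrap(name, dek), seal(mustAEAD(dek), data, []byte(name))
}

// ReadWorkspace must call back to the customer's KMS for every decrypt, which is what makes the audit log complete.
func ReadWorkspace(kms *CustomerKMS, name string, wrappedDEK, ciphertext []byte) ([]byte, error) {
	dek, err := kms.Unwrap(name, wrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(mustAEAD(dek), ciphertext, []byte(name))
}

// seal/open: AES-GCM with a random nonce prepended (nonce || ciphertext || tag).
func seal(aead cipher.AEAD, plaintext, aad []byte) []byte {
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, aad)
}

func open(aead cipher.AEAD, blob, aad []byte) ([]byte, error) {
	if n := aead.NonceSize(); len(blob) >= n {
		return aead.Open(nil, blob[:n], blob[n:], aad)
	}
	return nil, errors.New("ciphertext too short")
}

func mustAEAD(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // fails only on a bad key length
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return gcm
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable entropy source: do not continue
	}
	return b
}

func main() {
	kms := NewCustomerKMS()
	wrapped, ct := StoreWorkspace(kms, "finance-fy18", []byte("constructed sensitive record"))
	before, err1 := ReadWorkspace(kms, "finance-fy18", wrapped, ct)
	kms.Revoke()
	_, err2 := ReadWorkspace(kms, "finance-fy18", wrapped, ct)
	fmt.Printf("before revoke: %q %v\nafter revoke: %v\nlog: %+v\n", before, err1, err2, kms.Log)
}
```

Binding the workspace name in as AEAD associated data means a wrapped key lifted from one workspace’s storage cannot be used to unwrap another’s. Revocation here replaces the KEK, which is what a rotation without re-wrapping looks like: data under the old key is unrecoverable, so an agency adopting BYOK has to treat key backup and rotation procedures as seriously as the keys themselves.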
To confirm that a CSP is taking the necessary precautions with sensitive data, government IT professionals should verify that the provider commissions periodic third-party penetration tests and can produce evidence of compliance with widely accepted standards, such as ISO/IEC 27001 certification or a SOC 2 report (and, for U.S. federal workloads, FedRAMP authorization). A provider holding these has been independently audited against a defined set of controls, though the audit’s scope and date should be checked against the services the agency actually intends to use.
Data safety is a two-way street
As endpoints proliferate and threats multiply, both CSPs and the organizations that use cloud services must proactively embrace their roles in keeping data safe. Cloud providers can do their part by continuously assessing their security posture and making sure the measures they take offer stringent protection to their customers, whether commercial or government.
Government IT professionals who oversee cloud services can do their part to protect data, assets and the communities they serve by proactively making sure their cloud solutions meet security standards. There’s no end in sight to the hacking threat, but by understanding current security trends and innovations, IT professionals can make the right decisions.
Subrata Chakrabarti is vice president of product marketing and strategy at Anaplan.