Securing data in the cloud requires planning, constant vigilance
By Greg Kushto
Nov 28, 2018
Government agencies know -- and have largely accepted the fact -- that moving to the cloud is inevitable. Where many start struggling is with the “how.” How do they move legacy systems to the cloud? How do they choose the right provider and, perhaps most importantly, how do they keep their agency’s data secure in the cloud?
While the cloud may be new, it is not that architecturally different from an agency’s own environment. Data in all environments must be kept secure. The general formula in a data center environment is to determine the risks, mitigate them and then keep constant vigilance to spot and stop threats. Security in the cloud is no different.
Assessing data security needs
Data across government agencies spans a wide spectrum, from content that is shared with the public to data that requires top-secret security. When building a plan to move to the cloud, agencies should first look at all of the types of data they have and then determine what level of security each type needs. There are different considerations for an agency that plans to transfer highly protected information to the cloud, such as sensitive government communications, compared to an agency that tracks the weather and releases that information publicly.
It is important to assess the type of data moving to the cloud, set security goals for each dataset and then work with the cloud provider on a security plan for each application. Keep in mind that many of the risks involved in cloud storage are handled in much the same way they are for information stored on premises. It will take agencies some time to assess and prioritize the data, but doing so before the transition is crucial to ensure security needs are met.
Agencies should remember that even when dealing with unclassified data or information meant for public consumption, there are other considerations besides access. Data integrity must be secured and protected from manipulation. Determining and setting up the permission system for modifying the data is crucial. It’s worth it for agencies to spend the time and take a good, up-front look at the restraining factors on their data so they can plan their move accordingly.
Finding a security solution
Once an agency has determined what security it needs in the cloud, it should work to align those requirements to the capabilities offered by cloud service providers certified by the Federal Risk and Authorization Management Program. Hopefully, after auditing and outlining the particular demands of their agency’s data and services, IT managers can more easily evaluate potential service providers and objectively determine which one is the best fit.
It may be tempting to lean towards the loudest or most-recently-praised provider, but doing so is akin to making an educated guess. All providers are different, and even if there were a single service that was better overall, there would still be others that excel at specific tasks. In other words, providers -- like agencies -- have their specialties. With budgets being what they are, agencies must be thoughtful about the scope of the service they purchase and ensure they get the capabilities most important to them and the success of their particular mission.
Re-evaluating security risks
The work doesn’t stop once an agency's data has been moved to the cloud and proper security measures have been put in place. As in all security matters, constant vigilance is necessary to keep the cloud environment in prime, secure condition. With the pace of technology, nothing in cybersecurity will ever be “set it and forget it.”
Agencies must constantly review and assess the performance of their solution and make ongoing decisions about how to mitigate risk. No matter how much planning is put into the front end of the migration process, chances are agencies will encounter unexpected events and unintended consequences. CIOs will reckon with those factors as they learn more about how the cloud can best be implemented in their space.
Keep in mind, this is different than the authorization and accreditation process. While agencies must continue to assess the effectiveness of the security controls that they have put in place, they must also evaluate their current cloud provider and other external options to see if they want to make a switch.
Getting the solution just right may mean tweaking the way data is stored or the kind of data that lives off-premises. In some cases, it may mean changing service providers altogether. Luckily, moving to the cloud provides the flexibility to do just that.
Greg Kushto is director of security and enterprise networking at Force 3.