Cloud security is the agency’s responsibility
- By Joe Merces
- Nov 15, 2018
As more government agencies move to the cloud, they may not realize that much of the security responsibility stays with cloud users and not with the provider. In fact, security requirements for content, disaster recovery and backup will not change from the policies that agencies had set for on-premise datacenters.
To see the extent of agency responsibilities, just consider the Amazon Web Services discussion of the “shared responsibility model.”
In short, AWS agencies are expected to maintain the updating and patching of operating systems and application software. What’s more, network and firewall configuration, authentication, encryption and security awareness and training also remain the customer's responsibility.
For its part, AWS’ responsibility extends to “protecting the infrastructure that runs all of the services offered in the AWS cloud,” including “the hardware, software, networking, and facilities that run AWS Cloud services.”
In some ways this shared responsibility is better for agencies, because it relieves them of funding and managing the security of the physical hardware and related infrastructure. However, it also obliges agency IT professionals to maintain closer control over the three pillars of what’s increasingly known as “data protection” -- backup, security and infrastructure management. Taken together, these data protection elements allow agencies to rebound more effectively from network incursions, protect critical information and prevent problems from being repeated.
A complete view of data protection should look across an agency’s entire hybrid network -- ideally if that view allows users to work natively in the AWS structure, following best practices of the provider.
To maintain data protection while abiding with the AWS shared responsibility requirements, agencies must be able to:
- Manage infrastructure in the cloud for backup scheduling.
- Develop and enact retention policies.
- Replicate their infrastructure across regions and accounts, with system restoration from entire instances to the individual file level.
Additionally, agencies should incorporate security countermeasures using the AWS web application firewall with appropriate security groups across the entire AWS cloud-based infrastructure. There must be a process for management and backup of AWS instances, volumes, RDS databases, Aurora and RedShift clusters.
Security groups must be applicable to AWS instances, cross-account firewalling, and AWS web application firewall rules management. By integrating security countermeasures, agencies will gain layers of overall data protection on top of any security programs they have already established. And backups ideally should work natively within AWS’ elastic cloud environment. That eliminates the need for on-premises backup media or offsite storage locations.
Now that AWS has introduced GovGloud Region 2, agencies must be able to backup and replicate across regions. Native elastic cloud capacity gives that capability to even the smallest agencies -- a step forward in disaster recovery that formerly had been available only to the largest enterprises with distant geographic scope.
And to ensure agencies’ can recover from disasters, the answer is simple: They must test and test again. Periodic recovery testing must be an agency’s best practice.
Switching agency infrastructure to the cloud will certainly remove the burden of maintaining the physical hardware and network. But only a holistic approach that tears down the traditional silos of backup and recovery, security and infrastructure management will ensure the security of agency data in the cloud.
That’s up to you, not your cloud provider.
Joe Merces is the former CIO of the New York City Law Department and CEO of Cloud Daddy.