Government data security is a no-brainer with the cloud
By Mark Rohrbach
Mar 05, 2019
Already in 2019 there have been several large data breaches, each resulting in the exposure of significant volumes of sensitive information and identities. After review of the root causes, it's clear that sensitive data left unprotected on aging infrastructure allows actors with nefarious intent to gain access using both new attack techniques and older, tried-and-true methods. A consistent theme has been impossible to ignore: Our network-centric approach to cybersecurity is not good enough.
The bad guys are after our data for various reasons: identity theft, intellectual property theft, intelligence, exploitation and more. The threat is real and frequently proves that adversaries are capable of adroitly using advanced tactics to get what they want. Government organizations are not immune from this threat: recent breaches of state agencies in Alaska and Oklahoma illustrate the need for a much more aggressive approach to protecting government data than merely securing the boundaries.
Cloud service providers (CSPs) can solve many of the government’s data security challenges. As Gartner’s Kasey Panetta made clear in an article last year, through 2020, public cloud infrastructure-as-a-service workloads will suffer at least 60 percent fewer security incidents than those in traditional data centers. Government executives recognize this and have issued a multitude of “cloud first” strategies and policies. The Department of Defense’s cloud strategy released in early February and the Federal Cloud Smart Strategy released by the Office of Management and Budget in October 2018 define cloud implementation as critical to the future of government success and warfighting superiority and articulate calls to action.
In light of the acknowledged benefits the cloud provides, why has the government’s transition to cloud services been so slow? In my opinion, there are several key obstacles that may be responsible for this sluggish transition. A few of these are:
- Antiquated infrastructure and applications. Many of the applications and infrastructure that run the business of the government are decades old. These legacy systems limit agencies' flexibility, while providing them limited data security. Transformation to modern systems with robust data security is critical, but it will be expensive.
- Loss of control. The idea of having a private-sector organization store government data at a non-government facility hasn’t been fully accepted. Some think that CSPs cannot control security as well as it can be done at government locations.
- Resistance to change. Change is almost always difficult, and some believe that if we delay this transition a bit, then perhaps a better technology or imperative will come down the line. This mindset is underscored by the antiquated policies and processes that force modernization to travel a tortuous path to implementation.
- Trust. For decades the government has not “trusted” anyone with its data. Individual entities have not even trusted other government offices that have the responsibility of securely operating data centers.
Each of these concerns has a remedy in the cloud environment that will deliver better services to the government, specifically in the area of data security -- though there are certainly other areas of significant benefit as well.
- Infrastructure. The cloud provides modern technology and significantly reduces the capital expenditure required to infuse the government with new capabilities. Infrastructure benefits include providing a secure development environment, secure data retention capabilities for meeting record retention requirements, secure data analytics as well as enabling continuity of operations and disaster recovery.
- Loss of control. Technology offered by the CSPs allows the government to have its data in the cloud and retain data security control, such as encryption keys. If an agency desires, the CSP need not have the ability to read any of the data, and if the data is exposed, only cryptographically protected ciphertext is released, with the government retaining the keys. Furthermore, cloud services offer agencies the ability to secure and automate repeatable tasks and activities, thus eliminating data and processing errors that negatively impact their overall security posture.
- Change is inevitable. Aging apps and infrastructure are failing and must be replaced. The cloud offers a secure way to house applications and their associated data and provides a transformation path that government can accelerate and control. Industry, which has similar sensitive data requirements, is adopting cloud service offerings at an ever-increasing pace. The government's emerging cloud strategies are focused on enabling and accelerating change.
- Trust. Today, many government systems are controlled by contractors that have greater access to unsecured data than if the agency’s data were in the cloud. Robust authentication and access controls can ensure only the right people are seeing the data, even excluding administrators, therefore significantly reducing the insider threat. Encryption technologies and advanced key management can ensure that data at rest and in motion is not exposed and that the principle of least privilege is executed. Hybrid cloud models can support circumstances where the government simply cannot permit industry partners to store data. Implementing a focus on “trust but verify” as agencies migrate to the cloud will improve the nation's overall security posture.
We have been working at cloud migration for years with very few organizational transitions complete. Many, if not most, still have “plans” for cloud migrations that stretch well beyond the five years of the Defense Department's Future Years Defense Program. Both the Air Force and Defense Logistics Agency, however, have demonstrated that migration of enterprise applications and capabilities to the cloud is indeed possible and results in modern infrastructure, additional capabilities and secure data.
The recently announced government cloud strategies recognize what the continued data breaches demonstrate: Boundary-based security does not provide adequate protection of sensitive data. As government and industry are pushing the protection mechanisms closer to the data, cloud solutions offer the ability to maintain the boundary while providing enhanced security at the data layer.
Financial and security benefits are pushing the government to accelerate cloud migration to protect critical data and maintain our technological advantage. It works. It’s necessary. Let’s go.
Mark Rohrbach is the president and CEO of Rohrbach Group.