Cloud security: Agency obligations and how to meet them
- By Kirk Spring
- Apr 16, 2019
As the number of available services multiplies, government agencies are more willing to move their data storage and computing to the cloud. This development has resulted in the popularity of various cloud configurations, such as private, hybrid, public and multicloud environments. Yet as agencies move to the cloud, they must be more vigilant than ever to ensure that they maintain appropriate levels of security.
It’s no secret that security concerns are prompting agencies to increasingly deploy private clouds for the high-impact sensitive data that cannot be pushed to the public cloud. Private clouds give agencies total control of their data and where it resides over its lifecycle as well as command of who has access to the cloud infrastructure.
For less-sensitive data and workloads, many agencies are turning to a hybrid cloud environment, combining legacy enterprise infrastructure with some data storage and computing sent to the public cloud. In most cases, security provided by the cloud service provider (CSP) can be used to protect data in the hybrid cloud. However, since the hybrid model combines on-premises infrastructure with public cloud infrastructure, agencies must ensure that there is seamless management of security services between infrastructures.
The full public cloud environment, in which all data storage, computing and access control are pushed to the cloud, can potentially be the most risky deployment type because it is largely an open, multiuser, multitenant environment. Public cloud users must trust that CSPs will provide services to ensure that data integrity, confidentiality and access control are being managed within the cloud.
But even with this model, CSPs still recommend a “shared responsibility” approach when it comes to security. What does that mean? Simply put, the CSP is responsible for securing the infrastructure and managing the security of the cloud; the cloud user is responsible for securing everything put into the cloud.
What “shared responsibility” really means
The shared responsibility model must be top of mind for all agencies using public clouds. When it isn’t followed, there is potential for catastrophe.
For example, it was disclosed in September 2017 that data stored in an Amazon Web Services’ S3 cloud by the Army’s Intelligence and Security Command was openly available, due to a misconfiguration of the storage bucket. As this data was in the public cloud, security researchers were able to find and examine classified files and virtual systems.
So how do agencies address the shared responsibility model?
The most direct way is to extend the agency’s security measures for the enterprise to the cloud, creating a holistic solution across all data. This means an agency must be able to either encrypt data before it gets to the cloud or support encryption services offered by the CSP via user-controlled enterprise key management. Either solution must support the use of the CSP's business applications and data storage capabilities.
For example, when encrypted data is stored in the cloud, the last place agencies should keep their encryption keys is in the same place. It’s essential that encryption keys be stored in a separate location from the data. That way, if the data is compromised or if there is an internal breach, agencies can be confident that the keys have been properly managed and that security remains intact.
Dedicated key management that is not tied to a particular CSP is also an important consideration for agencies in a multicloud environment. A key management service from a particular cloud provider most likely can’t share those keys to another cloud provider’s environment. This makes it impossible to use multiple CSPs for seamless redundancy, load sharing and disaster recovery.
Key management should remain an enterprise function. By doing so, agencies using a hybrid cloud -- or multiple cloud providers -- can move data into another CSP’s infrastructure, while retaining access to the keys and managing them across their lifecycle.
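The key handling described above (encrypt before the data reaches the cloud, keep the keys apart from the data, keep key management independent of any one CSP), shown as an added example that is not code from the article or from any vendor: envelope encryption in Python with the `cryptography` package. `EnterpriseKeyManager`, the key id `agency-kek-1` and the sample record are hypothetical and constructed for illustration.

```python
import os
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.keywrap import InvalidUnwrap, aes_key_unwrap, aes_key_wrap

class EnterpriseKeyManager:
    """Hypothetical stand-in for an agency-run key manager (HSM or KMS)."""
    def __init__(self):
        self._keks = {}  # key-encryption keys; never sent to any CSP

    def create_kek(self, kek_id):
        self._keks[kek_id] = AESGCM.generate_key(bit_length=256)

    def wrap(self, kek_id, data_key):
        return aes_key_wrap(self._keks[kek_id], data_key)

    def unwrap(self, kek_id, wrapped_key):
        return aes_key_unwrap(self._keks[kek_id], wrapped_key)

def encrypt_for_cloud(km, kek_id, name, plaintext):
    """Encrypt on premises; the returned record is all a CSP receives."""
    data_key = AESGCM.generate_key(bit_length=256)  # fresh key per object
    nonce = os.urandom(12)
    # The object name is authenticated so a blob cannot be served under another name.
    ciphertext = AESGCM(data_key).encrypt(nonce, plaintext, name.encode())
    return {"name": name, "kek_id": kek_id, "nonce": nonce,
            "wrapped_key": km.wrap(kek_id, data_key), "ciphertext": ciphertext}

def decrypt_from_cloud(km, record):
    data_key = km.unwrap(record["kek_id"], record["wrapped_key"])
    return AESGCM(data_key).decrypt(
        record["nonce"], record["ciphertext"], record["name"].encode())

def demo():
    """Return (readable_after_move, readable_without_enterprise_key)."""
    km = EnterpriseKeyManager()
    km.create_kek("agency-kek-1")
    secret = b"constructed sample record"
    record = encrypt_for_cloud(km, "agency-kek-1", "reports/q1.txt", secret)
    csp_b = {record["name"]: dict(record)}  # same record copied to a second CSP
    moved_ok = decrypt_from_cloud(km, csp_b["reports/q1.txt"]) == secret
    outsider = EnterpriseKeyManager()  # holds the cloud copy, not the agency KEK
    outsider.create_kek("agency-kek-1")
    try:
        decrypt_from_cloud(outsider, record)
        return moved_ok, True
    except InvalidUnwrap:
        return moved_ok, False
```

The stored record contains only ciphertext and a wrapped data key, so it can be copied between providers unchanged while the key-encryption key stays with the enterprise.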
That’s why it seems as though the hybrid cloud will be the most common environment in the government. The hybrid cloud enables agencies to control data within the enterprise, while taking advantage of the cloud’s services and storage and scalability capabilities to meet high data processing demands. At the same time, they can follow the shared responsibility model by having key management for encryption services fully under their control.
Cloud security must evolve with the cloud
As cloud environments evolve, security must change with them. It’s a dynamic process that demands an understanding of cloud infrastructures, the services and security provided, the key management required for the security services and the use cases, as well as awareness of the growth of threat vectors around the use of the data in the cloud.
When enterprise users first started moving data to the cloud, they realized that simple access control to their cloud services wasn’t enough. Enterprise data security services and key management also had to be pushed to the cloud, creating a holistic data security ecosystem.
The simple truth is that threat vectors increase dramatically in a cloud model. There is a greater possibility of insider threats, as more people (including some outside the agency) have the authority to manage the enterprise's infrastructure.
Agencies, therefore, must not only worry about threats within the enterprise, but also within the cloud itself. This also supports the shared responsibility model, where the CSP is responsible for the security of the infrastructure, but the users are responsible for the security of their data.
We’ve just seen the tip of the iceberg as it concerns data breaches within the cloud. To stay ahead of the anticipated increase in breaches, agencies must implement appropriate enterprise and cloud security services.
Doing this requires agencies to understand their asset portfolio, determine the security level of those assets and conduct a risk assessment to fully address the type of protection required. What’s more, they must review possible threats annually. Bad actors get smarter every day, learning how to break systems that are not routinely reassessed for security vulnerabilities. It’s an ongoing process.
The adoption of cloud services will continue spreading over the next several years across all industries. Government agencies are not exempt. With proper data security and an appropriate cloud deployment model, agencies can take full advantage of cloud services while minimizing the threat to data and applications they push to the cloud.
Kirk Spring is President of SafeNet Assured Technologies.