Cloud Security Cloud Security
CREATING A BLUEPRINT FOR
CLOUD SECURITY
Government efforts to construct secure cloud environments have intensified during the coronavirus pandemic
GOVERNMENT OFFICIALS premises systems, they’re far from immune Authorization Management Program
NATIONWIDE had to hit the fast-
forward button on modernization initiatives to ensure that teleworking
employees could access networks and data from remote locations. For many agencies, that meant a higher reliance on cloud technology and a possible expansion of their cybersecurity vulnerabilities in an environment already attractive to hackers.
Agencies had been increasing their use
of cloud technology before the COVID-19 outbreak. Over the years, cloud adoption was spurred by the Obama-era Federal Cloud Computing Strategy (popularly known as Cloud First) and the Trump administration’s update of that strategy, called Cloud Smart.
The policy emphasis is having an impact. According to research conducted by IDC on behalf of Thales, 54% of federal government data is now stored in the cloud, surpassing private-sector cloud adoption. Furthermore, federal agencies estimate that 51% of the data they store in the cloud is sensitive.
Although many experts say cloud environments can be more secure than on-
to vulnerabilities. On March 13, as agencies began shifting to telework in response to the coronavirus pandemic, the Cybersecurity and Infrastructure Security Agency (CISA) warned agencies to be prepared for an increase in phishing attacks on teleworkers and encouraged agencies to use multifactor authentication.
Two months later, CISA issued an alert stating that advanced persistent threat groups were targeting organizations involved in pandemic response, including local governments and health care entities.
Guidelines for structuring
cloud security
In response to the security challenges raised
by the cloud, the federal government has provided myriad foundational documents, guidelines and strategies to help agencies create a strong security posture, which is not always straightforward given the mix of on-premises, private and commercial cloud environments that many agencies use.
Most notably, the Federal Risk and
(FedRAMP) provides a standardized approach to assessing, authorizing and continuously monitoring cloud services and products. FedRAMP ensures that agencies have access to cloud technology that meets the government’s rigorous standards and has encouraged providers to raise their own standards.
Furthermore, security is one of three main pillars of the Cloud Smart strategy, which reinforces a call for agencies to use “data-
level protections and fully leverage modern virtualized technologies.” It states that “encryption and [identity, credential and access management] implementation is particularly relevant in the context of cloud-based environments, namely in those instances where an agency is partnering with an external service provider to manage network visibility and data protection.”
The Cloud Smart strategy also recommends service-level agreements that give an agency “continuous awareness of the confidentiality, integrity and availability of its information” and notes that the governmentwide Continuous Diagnostics and Mitigation program “continues
S
S-
-1
16
6
S
S
P
P
O
ON
N
S
S
O
O
R
R
E
E
D
DC
C
O
ON
N
T
TE
EN
NT
T
Gluiki/Shutterstock/FCW Staff