Remember the good old days of mainframe? Things were simple, we had contained environments, users had to get to their green screen terminal to gain access and no one could access a single thing from a mobile phone! Even though the concept of multi-tenancy was around then, for a lot of reasons it was just simpler. Things sure have changed!
Cloud offers us many advantages regardless of the implementation being IaaS, SaaS, or PaaS: rapid development, agile acquisition of new compute resources, and allowing the organization to stay core to its objectives where IT is a means to an end.
But for many, the daunting task of deploying to the cloud is much more than a simple, “lift and shift.” To truly gain the benefits of the environment there are many more considerations. One of the major concerns for any organization is security.
In the most recent Data Threat Report commissioned by Thales and conducted by 451 Research, several key elements were derived from Federal security professionals on areas of concern:
Breaches are up (substantially): U.S. Federal tops the list of any vertical (34%) to have a recognized breach in the past year. More importantly, over 65% of Federal agencies responding claim to have had a breach sometime in the past.
Sensitive data is everywhere: 92% of all systems deployed have sensitive data, and over 71% do not have any measure of data security! And with the aggressive path towards cloud computing, this number is only likely to increase in what is a different environment for many IT staffs. As a matter of fact, respondents stated that over 64% of the sensitive data is in a SaaS environment followed up by IaaS at 62%. Newer environments are quickly being embraced for agile deployments such as Docker. Which with all its advantages is an emerging environment that traditional tools are still playing catch up in supporting.
Sounds like bad news all the way around doesn’t it? It’s not all bad. Most U.S. Federal security professionals acknowledge the gap in expertise in securing data and 73% believe encryption, in some form or fashion, meets many of the concerns in securing the cloud environment. Although, over 50% believe that budget constraints and expertise are limiting factors, despite budget increases for cyber. The research also recognized the need to secure data with key management external to the cloud service provider. An overwhelming 73% agree this is an important component to strong cloud security.
Breaches are up, sensitive data is being compromised, and bad actors pursuing government data targets for monetary gain is not receding. What can agencies do to weather this storm?
Re-prioritize the cyber spend: Respondents have confirmed cyber budgets are up, the investment is still on traditional perimeter and tried and true security tools. But the numbers don’t lie, breach success is increasing, and the notion of preventing adversaries from breaching the network perimeter is a fleeting and somewhat fruitless endeavor. Protection needs to increase around the target (the data!).
First things first: This is a big task, where do you start? As an organization, determine what is really critical. By that I mean not just to you, but think like a cyber criminal, what data would you pursue? Just as critical, think about the roles in the organization that could be compromised to net the biggest gain. Generally, these are senior staff and privileged accounts. Respondents to the research confirmed these are the user profiles of greatest concern as well. Once this has been determined, a plan can be devised to secure the data with encryption, determine fine grained access controls, and key management owned by the data owner, not the infrastructure host.
Compliance and security are not the same: Does anyone really believe some of the blue-chip companies were not following industry standards when they were breached? No question being in a Fedramp approved cloud instance should not provide much more comfort to the data owner either. Sure, compliance is important, but securing the data in a way that mitigates the size of the attack space is critically important.
The cloud brings great promise to our government agencies and its constituents. But let’s be sure what is important is truly protected from the risk of being compromised.