Today in government, process efficiencies and increased network agility are driving SaaS, IaaS and platform-as-a-service (PaaS) technology adoption at a rapid pace. And while many agencies are adopting cloud at different rates and for different purposes, it’s top of mind for nearly all government leaders.
Agencies of all sizes are rapidly migrating workloads and data to public cloud environments to improve efficiencies, drive innovation and increase responsiveness to market conditions. This new adoption, however, is also presenting agencies with a unique set of security challenges. Below are some of the main challenges that highlight the complexity of cloud security in government today.
1. Shared responsibilities between agencies and vendors in terms of security: Cloud service providers are not responsible for securing agencies’ applications and data in the cloud. They manage security of the cloud and its global infrastructure – but not what’s in the cloud. Agencies still must secure their network, data and applications – and this can be difficult given limited budgets, time and skills.
2. Dynamic ever-changing workloads across multiple cloud platforms: There are multiple teams working in an agency’s cloud environment, from different departments to contractors and other third parties. These users are constantly changing the cloud environment in multiple cloud platforms. This makes it difficult to implement a consistent and simultaneous security posture across a dynamic cloud environment.
3. Minimal visibility across workloads: Another obstacle to implementing a consistent and simultaneous security posture in a constantly changing environment is not having full visibility. It’s critical that agencies have a tool that provides full visibility into workloads, applications and assets across multiple cloud platforms in real time. Without this visibility, they will not be able to implement continuous compliance and maintain their security posture.
4. Internal risks: Even with the best of intentions and protocols, there are benign human errors and misconfigurations that happen in the cloud. This could be a result of staff lacking expertise, having multiple management platforms or not having automation and auto-scaling available. Having to repeat processes multiple times across multiple platforms increases the likelihood of inconsistencies and configuration errors. An overwhelming majority of incidents are the result of misconfigurations, and organizations having weak identity, credential and access management. Of course, there are also the usual malicious insider threats of disgruntled employees, and the constant struggle that security teams have with shadow IT.
5. External threats: Today’s attackers know that there is this new increased attack surface and that organizations are not investing enough in advanced threat prevention for their cloud infrastructure. They are relying on organizations to misunderstand the Shared Security Model, to lack visibility into their environment and to ignore misconfigurations. These vulnerabilities were not present in traditional data centers, and provide a more attractive target. This leads to large-scale, multi-vector mega attacks using advanced tools.
6. Governance, risk and compliance (GRC): Agencies need to comply with multiple regulations and compliance standards. These can be federal, state, industry or customs requirements. Furthermore, they need to be able to provide audit ready reports showing that their public cloud infrastructure conforms to these regulatory requirements.
Given these challenges, agencies need a holistic security strategy for moving to a world where complex cloud solutions are a necessary reality. Download our full report to find out how.