How Cloud Is Directing Government’s Focus to Cyber and IT Risk Management

This blog post was created in partnership with Amazon Web Services.

If security experts can agree on one thing regarding data breaches, it’s this: The attacks aren’t going to stop. And as government agencies continue to move IT infrastructure to a commercial cloud, they’re also instilling a model of shared responsibility that emphasizes across-the-board attention to cybersecurity.

John Wood, Chairman and CEO of Telos Corp., spoke to Francis Rose, host of Government Matters, about this on a recent episode, Security in the Cloud, sponsored by Amazon Web Services (AWS). Wood cited Verizon’s 2018 Data Breach Investigations Report, which documents on an annual basis how many phishing attacks global businesses field. In the past year, for example, organizations experienced more than 53,000 incidents, with 2,216 confirmed data breaches, the report stated. Officials have noticed an alarming ease of access to systems — a vulnerability largely caused by human error.

“You really only need one person in your organization to give away credentials to really mess things up for the entire operation,” Wood said. “And we’ve seen from these phishing attacks that in many cases, they’re a lot more successful than one — a lot more people than one give up their credentials.”

He identified two steps that organizations should take.

  1. Employ training strategies.

Phishing attacks are only going to grow in scale and frequency. Government workers need to be ready to identify and report them. All employees should be experts in recognizing schemes, so they don’t fall prey.

  1. Implement multi-factor authentication.

This is a highly acclaimed solution — and a fairly easy (and cheap) one to bring to fruition. For example, if a user tried to access a system on a laptop in a new location, they would receive a text on their cell phone to confirm their identity. It’s not an especially complicated fix, but a meaningful one.

One of the key tenets of the National Institute of Standards and Technology is a risk management approach. When President Donald Trump signed the cybersecurity executive order in 2017, he mandated the NIST framework, which in turn established a common language for security professionals. It’s another demonstration of the government moving toward a rigorous set of shared controls, which is very important from a risk management perspective, Wood said. It brings agencies one step closer to using automation for daily protections.

“Every single agency is pushing hard down this path,” Wood said. “In the end, I think I’ve seen for the first time the support at the administration level, at the legislative level, and most importantly within each of the agencies, so we as taxpayers can feel protected.”

This upper-level support is ideally leading to what Wood referred to as continuous authority to operate, where the body of evidence in support of cloud migration is widespread and dynamic enough to justify an expedited process. In this case, an operational security professional could be provided with near real-time updates as to how their underlying security posture is changing.

The future of government will almost certainly be on the cloud, and as it turns out for cybersecurity, that’s a very positive reality.

Want to learn more? Check out the full Security in the Cloud segment on Government Matters here: https://govmatters.tv/aws/

To learn more about Telos, visit : https://www.telos.com/

For more information on AWS in the public sector, head here: https://aws.amazon.com/government-education/

Leave a Comment

Leave a comment

Leave a Reply