When agencies go to the cloud, they usually do so with aspirations of more efficiency and new possibilities.
Security’s job then is straightforward: Keep everything safe, and stay out of the way.
The problem is, that job isn’t so easy to execute when you factor business realities into the equation. For as many cloud vendors as there are that boast powerful and effective security solutions, agencies still go to multiple clouds because of cost and technical debt, creating an inconsistent landscape of security.
This danger is especially pronounced when it comes to tracking users. As users bounce in and out of different workflows and multiple clouds, agencies need a way to enforce that these accounts are only accessing what they’re authorized to. This is known as privileged access management.
“We’re looking to ensure that people have the tools to do their job, and nothing more,” said Kevin Jermyn, Manager of Federal Engineering at CyberArk. CyberArk specializes in privileged access management and can work with multiple cloud providers simultaneously.
In an interview with GovLoop, Jermyn provided three ideas for how agencies can make sure that access is secure in the cloud.
1. Install multifactor authentication.
For starters, there’s no need to increase systems’ exposure. Portals that are meant for internal use should be left locked down on the web, as public access to those systems increases the chances that a hacker will get lucky.
Agencies also have to continue promoting security on the edge, even as mobile security becomes more complex. Installing multifactor authentication, whereby users not only need a password but another form of identification such as a texted code, is a must.
2. Remember nonperson entities.
One of the largest benefits of cloud technologies is that users can introduce automation to the broad portfolio of data that they now have. Robotic process automation (RPA), specifically, is a coded computer software that performs repetitive, mundane activities that do not require high-level thought.
For RPA to work, however, it needs to access different systems, which often are hosted by different cloud providers. If processes are interrupted, RPA’s value is limited.
“When we talk about credential sprawl, it’s both a security problem, where it presents a lot of risk for a breach, but also an operations problem, where you’re now managing credentials and identities across all of these different systems,” Jermyn said. “That’s a lot of administrative overhead.”
By flexibly credentialing RPA bots to access all the systems needed in their workflows, agencies can prevent any snags in their delivery. Then, agencies and workforces can truly reach their full potential.
3. Incorporate automation into privileged access management.
Just like automation can be used to accelerate business operations, it can also be programmed into security responses.
A major threat to government security is when agencies fail to decommission credentials of contractors, part-time workers or employees who no longer require access to a project. Privileged access management can step in during these situations.
Additionally, successful access solutions can trigger stopgap measures to withhold access if a breach is suspected. If a user’s profile has abnormal behavior, agencies can cut off access to files so that no information is compromised.
“If you’re doing all the identity access management and privileged access management pieces manually, you’re losing a lot of the benefits that come with digital transformation and moving to the cloud,” Jermyn said.