This blog post is an excerpt from our recent report created in partnership with Micro Focus Government Solutions. To download the full report, head here.
In today’s era of digital transformation, data is everywhere – stored on internal systems, in the cloud and on mobile devices; moving through and beyond the boundaries of an organization’s networks; and being accessed and used by a digital workforce and citizens who want to make more informed decisions in real time.
Cloud providers stepped up efforts to give organizations tools to protect agency and business data as more applications and workloads migrate to public cloud infrastructures. To the surprise of many, moving data to the cloud does not necessarily make it secure. Agency IT and security operations teams must still use cloud providers’ tools and processes, as well as their own existing infrastructure, to protect data.
Moreover, access to big-data analytics systems, and access through mobile devices, increases the attack surface adversaries can exploit to steal or compromise data. Agency managers moving data to the cloud must first recognize that data is no longer going to move between applications and data repositories in static, well-defined paths, said Reed.
“Once you’re moving these systems into the cloud, the data’s going to be traveling constantly, and it’s going to be replicated in multiple systems,” Reed said. The systems could include backup analytic systems, third-party contractors’ systems or systems from other providers, which makes data inventory and data management much more complex than in traditional, on-premise IT environments.
On the other hand, traditional security controls for data protection do not work as well in the cloud environment. Plus, many of the cloud-focused solutions are complex or difficult to deploy.
To simplify data protection, IT and security managers might try encrypting the entire data store, or the entire virtual machine, or application container. “However, this just provides a false sense of security, because anytime a user or an application needs to access any part of that data in the repository or virtual machine, all the sensitive data is once again exposed and put at risk,” Reed said.
The best approach is to ensure that security is an integral part of an application’s entire lifecycle. Federal agencies should start looking at the commercial sector, specifically the financial industry, and how it handles encryption beyond just protecting data at rest, Reed noted.