Like it or not, no government is permanently safe from cyberthreats. The agencies that protect citizens’ data longest are the ones that assess the risks facing them most carefully, day after day.
It’s a situation that doesn’t change after organizations adopt cloud. Agencies that use cloud must make the right decisions based on the dangers surrounding them. Failure means financial damages, negative headlines and public outrage.
Organizations have long believed, however, that complying with cybersecurity standards will protect them from these hazards. It’s a mindset that won’t keep them safe, according to experts at an in-person GovLoop training on Tuesday.
“The revolution in government security compliance is centered around risk,” Greg Kushto, Vice President of Sales Engineering at Force 3, a network security provider, said. “You have to assess what’s secure and what risk you’re comfortable accepting. You’ve got the ability to assess the best thing for your mission and capabilities. You just have to do it.”
Will Ash, Senior Director of Security at Cisco, a networking hardware and telecommunications company, echoed Kushto’s remarks. Ash said that agencies must decide how cloud will help them achieve their mission objectives and then continuously assess the risks of using it.
“A secure cloud is imperative for the mission,” he said. “It’s baked into how you secure your network and your devices.”
David Otto, who provides engineering support for the Homeland Security Department’s (DHS) Continuous Diagnostics and Mitigation (CDM) program, said that agencies’ compliance concerns are distracting them from real-time threats to their clouds.
“We fear the auditor more than we fear the adversary,” he said. “We get the auditor in stasis and we want to keep them there. We’re very locked into that culture.”
Otto recommended that organizations shift their focus from standards compliance to risk management. Agencies that factor risk into their decision-making, he continued, will make wiser choices for their overall cybersecurity.
“We are horrible at calculating likelihood,” he said. “What’s the likelihood of an Edward Snowden? There are those black swan events that we need to prepare for.”
Snowden is a former federal contractor who is infamous for disclosing classified information about the National Security Agency’s (NSA) surveillance programs in 2013. Debate still rages today over whether his actions were patriotic or traitorous.
Both potential insider threats like Snowden and external ones like foreign governments should factor into how agencies gauge their cloud security. Breaches are always possible where cyber hygiene is poor, Otto noted.
“I’ve heard the cloud is more secure but is it?” he asked. “The cloud is as secure as we need it to be or we make it. You can leave a container out there open with sensitive data. Security is only an enabler. We need to be able to go to the cloud for the mission and enable the mission there.”
Michael Valivullah, CTO at the Agriculture Department’s (USDA) National Agricultural Statistics Service (NASS), cautioned agencies against thinking their cloud providers will secure their data for them.
“There is a shared responsibility for security,” he said. “Customers assume that certain things are their responsibilities and that the cloud service providers have some things that are their responsibilities. Agencies need to understand where the gaps are.”
Agencies have long debated whether cloud is secure while modernizing their IT. For those still making that transition, factoring people, and not only technology, into their risk management might prevent painful cyber incidents.
“You need to classify the level of sensitivity of your data as a client,” Valivullah said. “You also need to determine user access. You can’t just open everything up and let them go to town. If there are holes in the application, you can’t blame the cloud service provider.”
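The three points above, the container left open with sensitive data, the customer’s side of shared responsibility, and classifying data before deciding who may reach it, come together in one concrete check. The following is an added example, not code from the article or from any of the speakers’ agencies: it audits a constructed bucket policy written in the shape of an AWS S3 bucket policy (Effect, Principal, Action, Resource) against a constructed classification table, using a small local evaluator rather than any cloud SDK call. The bucket names, the account ID and role name, the classification labels and the policy itself are all assumptions made for the example. The provider enforces the policy exactly as written; whether that policy matches the sensitivity of the data is the customer’s responsibility, which is what the check tests.

```python
"""Audit an S3-style bucket policy for anonymous access to non-public data.

Added example with constructed inputs; the policy grammar is modelled on
AWS bucket policies, but nothing here talks to a cloud provider.
"""
import fnmatch
import json

# Constructed classification table (assumption): which containers hold what.
CLASSIFICATION = {
    "agency-public-site": "public",
    "agency-survey-raw": "sensitive",
    "agency-survey-archive": "sensitive",
}

# Constructed sample policy (assumption). Sid "OpenRaw" is the "container
# left out there open with sensitive data" mistake; "ArchiveAnonAllow" is a
# public grant that an unconditional Deny cancels, so it is not a finding.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "WebAssets", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::agency-public-site/*"},
        {"Sid": "OpenRaw", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::agency-survey-raw",
                      "arn:aws:s3:::agency-survey-raw/*"]},
        {"Sid": "Analysts", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/analyst"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::agency-survey-archive/*"},
        {"Sid": "ArchiveAnonAllow", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::agency-survey-archive/*"},
        {"Sid": "ArchiveAnonDeny", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": "arn:aws:s3:::agency-survey-archive/*"},
    ],
})


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_anonymous_principal(principal):
    """True when the statement applies to everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def bucket_of(resource_arn):
    """'arn:aws:s3:::name/key' -> 'name'."""
    return resource_arn.split(":::", 1)[1].split("/", 1)[0]


def _covers(pattern, target):
    """Policy-style wildcard match for action names and resource ARNs."""
    return fnmatch.fnmatchcase(target, pattern)


def anonymous_grants(policy):
    """Yield (sid, action, resource) for every Allow to an anonymous principal
    that no unconditional anonymous Deny on the same action and resource
    cancels. Conditions are not evaluated: a conditional Deny is treated as
    not protecting the resource, which errs on the side of raising an alarm."""
    statements = policy["Statement"]
    denies = [s for s in statements
              if s["Effect"] == "Deny"
              and is_anonymous_principal(s["Principal"])
              and "Condition" not in s]
    for stmt in statements:
        if stmt["Effect"] != "Allow" or not is_anonymous_principal(stmt["Principal"]):
            continue
        for action in _as_list(stmt["Action"]):
            for resource in _as_list(stmt["Resource"]):
                denied = any(_covers(da, action) and _covers(dr, resource)
                             for d in denies
                             for da in _as_list(d["Action"])
                             for dr in _as_list(d["Resource"]))
                if not denied:
                    yield stmt.get("Sid", "?"), action, resource


def find_exposed(policy_json, classification):
    """Return sorted (sid, bucket, label) triples where an anonymous grant
    reaches a bucket classified as anything other than 'public'. A bucket
    missing from the table is reported as 'unclassified': data nobody has
    classified is treated as sensitive until someone says otherwise."""
    policy = json.loads(policy_json)
    findings = set()
    for sid, _action, resource in anonymous_grants(policy):
        bucket = bucket_of(resource)
        label = classification.get(bucket, "unclassified")
        if label != "public":
            findings.add((sid, bucket, label))
    return sorted(findings)


if __name__ == "__main__":
    for sid, bucket, label in find_exposed(SAMPLE_POLICY, CLASSIFICATION):
        print(f"{sid}: bucket {bucket!r} ({label}) is readable by anyone")
```

Run against the constructed policy, the check reports only `OpenRaw`: the public website bucket is classified public, the analyst grant names a specific role, and the archive’s anonymous Allow is neutralised by an unconditional Deny. Treating unclassified buckets as findings is deliberate; the classification table is the customer-side artifact Valivullah describes, and a bucket missing from it is a gap in that responsibility, not evidence that the data is harmless.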
Fearing the auditor more than the adversary seems like a classic case of not seeing the forest for the trees. Hopefully agencies can maintain compliance while shifting their primary focus to risk management.