Cloud security is crucial when it comes to protecting your agency’s data and information. Publicized security breaches, such as the massive 2020 attack that exploited SolarWinds software, illustrate how pervasive and damaging these attacks are and therefore how vital it is to take proactive steps in defending your agency’s security. With improved security, digital transformation is achievable and cloud flexibility and scalability can grow. According to Oracle experts, the following are five attributes that your agency’s cloud security should include:
- Data Security
- System Security
- Infrastructure Security
Two of the most dangerous security mistakes a government agency can make are (1) not sufficiently protecting privileged accounts, thereby allowing bad actors to gain access to critical elements of the cloud, and (2) providing users with access to too much data, a.k.a. not enforcing the “least-privilege principle.” In the first case, strong authentication is necessary but not sufficient. Strong compartmentalization and separation of resources for admin and user functions is the other necessary action. Proven solutions for agencies to tighten user authentication include multi-factor authentication and complex passwords. This is why strong authentication is a standard practice for secure cloud operations and can be found in most security compliance rules. With regard to data access, agency IT policies should enforce least-privilege access, allowing each person to access what is required, and nothing more.
Government agencies hold a wide variety of sensitive information: personally identifiable information, personal health information, financial data, national security data, etc. What is your agency’s sensitive data, and how are you protecting its security? Action No. 1 for any government agency: encrypt sensitive data and use your cloud provider’s fully redundant storage to protect agency data from corruption. It is also important to control the role of the cloud service provider (CSP). The CSP should not have insights into your agency data, but the CSP should help you find and protect confidential data.
One way to streamline security is by ensuring that your cloud solution complies with existing federal, state, local, and international cybersecurity standards. The FedRAMP program office has simplified compliance for federal agencies by tracking which cloud service providers (CSPs) have already received an Authorization to Operate.
A key reason many government agencies migrate to cloud computing is their desire to stop running their own data centers. This transfer of power places great responsibility on the CSP to ensure the physical security of the data center housing all of its tenants’ IT systems. There are many factors for the CSP to consider. Does the data center have redundant power? Do devices like cameras deter unlawful entry? Can I automate patching of tenants’ systems without a system outage? Do I regularly perform penetration and vulnerability testing?
On the surface, the infrastructure layers of most clouds have similar features: virtual machines, hypervisors, storage, and network interfaces. Under the surface, however, their architectures can differ greatly in terms of the security they provide to government agencies. The hypervisor can either be a vulnerable point of attack, or (preferably) a layer designed to prevent attacks. The network can either provide bad actors a means of spreading damage, or a way to isolate critical resources from malicious intent. Ask these questions of your cloud service provider to ensure that the infrastructure you receive increases – not decreases – your overall security posture in the cloud.
Defense-in-depth is the best practice for cloud security, and deliberately using the five attributes above will provide a structured means of identifying and correcting vulnerabilities. Where possible, employ automation in cloud security enforcement, as this greatly reduces the risk of human error and therefore increases the protection of your agency.