Seven years ago when the Federal CIO’s office released the Cloud First policy, moving to the cloud seemed like a very complicated and expensive proposition. However, over the course of time and with numerous innovations and iterations of improved cloud solutions, being cloud smart is now a top priority for all government agencies and educational institutions.
As Lauren Burnell, who heads up US Public Sector Cloud Alliances at FireEye, explained in a recent webinar, the ubiquity of the cloud among federal agencies is a great opportunity to build more data-driven and mission-responsive agencies. “We all use cloud day in and day out in our personal lives and organizations are similarly looking to reap the benefits,” she shared during the conversation. But, as she readily acknowledged, just as the cloud is ubiquitous, so are the threats from hackers looking to exploit the vast amount of data government agencies and educational institutions are looking to move to the cloud.
What concerns Burnell is that with “fewer than a third of organizations [having] a documented cloud security strategy,” the likelihood of assets stored in the cloud being compromised is too high for most organizations’ risk appetite. So, as organizations plan their move to the cloud, or refine their strategy, they must develop a security strategy to protect cloud-based apps and assets.
By starting with a background on security threats to cloud-based apps and assets and sharing insights on recent threat trends, Burnell laid the foundations for an in-depth exploration of how government agencies and educational institutions can develop a comprehensive cloud security strategy and shared best practices for managing risk.
For Burnell, the foundation of a cloud security strategy is understanding the current threat. Based on FireEye threat intelligence and incident response engagements, Burnell shared that the greatest threat to an organization’s cloud is to its users, not infrastructure. “Many public cloud compromises occur without any cloud hacking at all – there is no direct compromise of the cloud infrastructure,” she said, highlighting that credential theft is attackers’ tool of choice. “The best first defense you can have for your cloud is strong email security,” she concluded.
But risks from email are just the tip of the iceberg when it comes to cloud threats. Burnell provided in-depth analysis of the risks that come with a hybrid cloud strategy, from cloud services hacking to shared security with cloud service providers. A common gap she sees in cloud security strategies stems from assuming that the cloud provider has all the necessary security controls in place to protect the assets the organization has put in the cloud. “A lack of understanding here is leading to a lot of challenges organizations are having with cloud security,” Burnell said as she walked through the shared responsibility model.
Despite what might seem like a gloomy outlook Burnell assured the participants that with a robust cybersecurity strategy and team threats can be managed and mitigated effectively. She urged agencies to take the first step by developing a clear understanding the risk environment and potential threats based on what assets they are moving to the cloud. Any agency that takes the time to map out a goal-oriented cyber plan, educate themselves on threat trends, and be proactive in monitoring can have an easy transition to the cloud. “The important thing is that your organization has clearly defined goals for your cloud efforts and that your cloud security strategy supports those end state objectives,” said Burnell.
To hear more from Burnell on cloud security and strategy, listen to the webinar here.