How to Assess a Cloud Provider’s Security Posture
Cloud security has always been a concern among government IT and business leaders.
According to a recent survey by the Society of Information Technology Management, 47% of public sector IT professionals surveyed would not use the cloud for IT services involving personal data or business-critical functions. (Source: Computer Weekly).
The creation of FedRAMP has done a lot to alleviate many cloud security concerns. As we discussed in our earlier post, “Ready for the Cloud? Get an Introduction to FedRAMP”, FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products. Basically, it’s a “do once, use many times” approach that can save 30-40 percent in government costs and time (by eliminating the need for redundant security assessments on an agency by agency level).
While FedRAMP documentation can help you determine whether a cloud provider meets your security requirements, you also need to look at the big picture. This involves assessing your agency’s entire IT environment, the cloud model you intend to procure, and understanding your data (how it moves, how people use it), only then should you start reviewing the security profile of your potential cloud provider.
This balancing act is a delicate one and it’s something we emphasize again and again in Cloud Computing for Govies™, our comprehensive eBook for public sector cloud deployments.
To help you assess your cloud provider’s security posture, before signing on the dotted line, here are some tips outlined in the eBook:
- Review the Fine Print. Go over the ToS and SLA until you are sure you have a firm grasp of the potential provider’s terms and conditions before you sign. Get legal and technical advice as you conduct your review.
- Assess Provider Certifications. Certifications and compliance alignment are good indicators of the maturity of a provider’s security posture. Have they achieved a FISMA rating? Have they received an authority to operate from a government agency? From a security perspective, do they have FedRAMP or DIACAP certification, SAS 70 Type II audits or are they ISO 27001 or ISO/IEC 27018:2014 certified? Look for the sort of certifications appropriate to your environment.
- Will they Allow Penetration/Audit Testing? It’s worth asking if the cloud provider will allow this. Not all will be willing, but be sure to ask. Find out if they have a clearly defined process for dealing with audits and penetration testing. Without visibility into and control of the cloud, you are often going to need to rely on third party audit organizations and testers to conduct trust and verification audits on your behalf.
- Understand Incident Response Processes and Procedures. The goal here is to ensure that if there is an issue, the response from the provider is not ad hoc.
- How is Service and Data Recovery Managed? Understand the provider’s processes to ensure continuity of operations, prevent data loss, and ensure high availability.
For more tried and true strategies for securing public cloud resources, get your copy of the Cloud Computing for Govies eBook.
Related Blog Posts
Cloud Computing, Cybersecurity, Market Intelligence
Originally passed in 2014, the Federal Information Technology Acquisition Reform Act (FITARA) was designed to improve the management of all-things-IT across federal agencies. It essentially realigned how the government purchases and updates its technology, with an aim at grading agencies based on their ability to adhere to and improve on the following categories:
Susanna Patten
Cloud Computing, Cybersecurity, Education, Market Intelligence, State & Local Government, Technology
The annual EDUCAUSE conference highlighted higher education technology trends, goals, challenges, and how to identify a way ahead for higher education institutions to be successful in today’s modern world.
Yvonne Maffia
Cloud Computing, Cybersecurity, Market Intelligence
The Air Force hosts an annual summit known as Department of the Air Force Information Technology and Cyberpower (DAFITC) in Montgomery, Alabama, right next to Maxwell Air Force Base. It’s an opportunity for Guardians, Airmen, academics, and IT industry to come together to discuss pain point remedies and high-level plans and strategies. It is also an opportunity for branch heads to strike deals that lead to the adoption of modern and effective systems, meant to enable air superiority. Ms.
Kevin Shaker
Cloud Computing, Cybersecurity, Education, Federal Government, IT Infrastructure, State & Local Government, Technology
The Cybersecurity and Infrastructure Security Agency (CISA) has seen increased malicious activity with ransomware attacks against K 12 educational institutions. Malicious cyber actors target school computer systems, slowing access, and rendering the systems inaccessible to essential functions, including remote learning. In some instances, ransomware actors stole and threatened to leak confidential student data unless institutions paid a ransom.
Ransomware attacks on US government organizations cost $18.9bn in 2020.
Asad Zaman
Cloud Computing, Cybersecurity, Federal Government, State & Local Government, Technology, Tips and How-Tos
TD Synnex Public Sector’s Chief Cybersecurity Technologist, Don Maclean sat down with Mark Guntrip, Senior Director of Security Strategy at Menlo Security, to discuss one of the latest emergent security threats.
James Hofsiss
Cloud Computing, Cybersecurity, Technology, Tips and How-Tos
Every year, there are more and more security breaches, and it gets harder and harder to spot them. According to a leading cybersecurity vendor1, it takes almost seven months for organizations to find breaches, which gives malicious attackers plenty of time to get what they want.
Most often, system misconfigurations like default settings or credentials leave the door wide open for exploitation, resulting in these breaches. As organizations grow, this problem only gets worse because quick changes frequently result in skipped steps.
Heather Sweet
Cloud Computing, Cybersecurity, Technology, Tips and How-Tos, Training
Security is paramount in the digital age, especially when it comes to keeping networks secure. Having network security monitoring services stand between your organization and malicious attackers is crucial. Still, the volume of alerts and issues that come with them can easily overwhelm your team.
The volume of these alerts is rising every year too. According to a report by TrendMicro, 54% of teams surveyed felt like they were drowning in alerts, and 27% said they spent most of their time dealing with false positives.
Heather Sweet
Cloud Computing, Cybersecurity, Technology, Tips and How-Tos
The digital landscape evolves fast, and attackers are even faster. New ways to attack systems and organizations appear every day, and traditional methods are starting to fall behind the times.
Highly Evasive Adaptive Threats (HEAT) are the newest step in the digital world for malicious attackers. These attacks are unlike anything security experts have seen before and lead to some of the most devastating breaches ever seen.
In this article, we’ll explain how HEAT attacks impact companies worldwide and how Menlo Security’s Isolation Core can help protect your organization.
Heather Sweet
Cloud Computing, Cybersecurity, Technology, Tips and How-Tos
The term "Integrated Management Workplace System" (IWMS) was first used by Gartner in 2004 to refer to a program that could manage and integrate all business and workplace requirements into a single, centralized solution. Since then, a number of solutions have emerged with the aim of bringing together various operational and organizational areas that had previously tended to operate in isolation from one another.
Heather Sweet
Cloud Computing, Cybersecurity, Technology
The development world has changed, and organizations are still adapting to developing in the cloud. Cloud native technology and containers are now at the forefront of software development, meaning that software no longer exists and operates locally. However, despite these quick advancements, cloud native application security still lags behind.
This article will cover how you should approach cloud native application security and why Snyk is the best solution for your needs.
Adam Fyffe
Cloud Computing, IT Infrastructure, Market Intelligence, State & Local Government
The 2022 fiscal year-end is drawing near for 46 states, which means the time to leverage last-minute opportunities is coming to an end as state, local and education (SLED) organizations set their sights on next year’s budget and priorities. With FY23 just around the corner, SLED organizations will start executing on budget plans and drafting request for proposals (RFPs).
Yvonne Maffia
Application Lifecycle, Cloud Computing, DevSecOps
In this post we will look at how to accelerate the development of cloud native applications, give you a snapshot of the USAF deployment of D2iQ, and provide a link to the DLT Cloud Security Assessment to see where you currently stand.
Jeff Schad
Cloud Computing, Cybersecurity, Federal Government, IT Perspective
Over the last few years, the federal government has begun to embrace a zero trust approach as the new cybersecurity standard for agencies. Utilizing the latest solutions and best practices, the hope is to bolster federal cybersecurity and create a robust and resilient IT infrastructure that can protect and secure networks from attacks and breaches.
Kevin Tierney
Cloud Computing, Cybersecurity, IT Perspective, Technology
Last January, the Office of Management and Budget (OMB) released M-22-09, a memorandum that set forth the federal government strategy on zero trust adoption, in an effort to reinforce the security and protection of government agencies’ critical systems, networks, and IT infrastructures.
David Presgraves
Application Lifecycle, Cloud Computing, Cybersecurity, DevSecOps, Market Intelligence
"We are making progress. This really is not just about technology. This is about changing our processes changing our approach to delivering and operating technology to IT systems and our cyber mechanical warfare systems as we move forward," said Robert Vietmeyer, DoD Director for Cloud and Software Modernization.
Toan Le
Application Lifecycle, Big Data & Analytics, Cloud Computing, Cybersecurity, DevSecOps, IT Infrastructure
For the second year in a row, Gartner named IBM a Leader in Gartner Magic Quadrant for 2021 Cloud Database Management Systems based on its Ability to Execute and Completeness of Vision. With emergence of a single cloud DBMS market, We believe our portfolio of feature-rich, enterprise-tested offerings, bold acquisitions, and partnerships enable our clients to address the unique needs of their business, respond to the growing volume, velocity and variety of today’s data and drive more accurate data driven decisions.
Holly Vatter
Application Lifecycle, Big Data & Analytics, Cloud Computing, Cybersecurity, DevSecOps, IT Infrastructure
This week's roundup of the latest news and insights gathered from IBM's Government Research Institute thought leaders:
Michael J. Keegan
Cloud, Cloud Computing, Cybersecurity, Federal Government, Technology
As organizations adapt to hybrid work and more and more cloud services are deployed, new service entities that collaborate and exchange data without human interaction, such as virtual machines and containers, are proliferating. The growth of these service accounts and identities and their increasing volumes of permissions, privileges, and entitlements expose organizations to new attack vectors.
Kevin Tierney
Cloud Computing, Federal Government, IT Infrastructure, Technology
You’ve gathered requirements, evaluated technologies, gotten all the right people to sign off on acquiring new technology, and now comes the hard part — procurement. IDIQs, BPAs, GWACs...the contracting officer is throwing out a bunch of complex terms, options, and estimates of how long it will take to get through negotiations. NetDocuments believes our public sector customers should have contracting options that are a lot like our solutions — easy to use.
NetDocuments
Cloud Computing, IT Perspective, Tips and How-Tos
What’s next for cloud in 2022 (and how can you prep for it?)
There were so many noteworthy AWS re:Invent 2021 announcements out of this year’s big Amazon Web Services (AWS) conference. But what will that news mean for the year in cloud ahead? And how can learners and businesses prepare for the opportunities these will create?
Pluralsight
Cloud Computing, Cybersecurity, Federal Government
The Department of Defense (DoD) is taking major steps to boost cloud performance, with the promise of a tangible, positive impact on military missions throughout the world. Specifically, the Joint Warfighter Cloud Capability (JWCC) contract is replacing the Joint Enterprise Defense Infrastructure (JEDI) initiative, which was intended to establish enterprise-class cloud capabilities for the military community.
Carolyn Ford
Business Applications, Cloud Computing, Market Intelligence
At this year’s Department of the Navy (DON) IT Conference, the U.S. Marine Corps discussed its enterprise cloud delivery strategy and how it is derived from its mission to evolve antiquated networks. Before, a Marine working out of headquarters or a U.S. base would use enterprise systems, applications, and infrastructure, but when a Marine goes out in the field, a new email and identity are assigned to operate from different servers and shared drives. For the Marine Corps, that approach is going by the wayside.
Lloyd McCoy
Cloud Computing, Cybersecurity, DevSecOps, Market Intelligence
"Zero Trust is a cybersecurity strategy and framework that embeds IT security mechanisms throughout an architecture that generate metadata used to secure, manage, and monitor every device user, application, and network transaction at the perimeter and within every network enclave."
From the Department of Defense (DoD) Zero Trust Reference Architecture v1.0
Toan Le
Cloud Computing, Cybersecurity, Federal Government
There has been an increased focus among U.S. government agencies on adapting to modern IT environments and enhancing cybersecurity solutions. This increased focus on security government networks, data, and critical infrastructure is a result of ongoing digital transformation initiatives that are resulting in more mission-critical connected systems and more data for agencies to secure. It’s also a result of the increased number of cyberattacks and more sophisticated cyber-criminals that are targeting our nation’s networks.
Kevin Tierney
Cloud Computing, Cybersecurity, Market Intelligence, State & Local Government
If you have been looking for the right time to sell your technology product or service to the state, local and education (SLED) market, now is the time to act. With thirty-six states beginning their fiscal year on July 1st, now is the time to position yourself to take advantage of a confluence of once-in-a-lifetime conditions that have left the SLED market booming with opportunity. Here are some of the factors driving that opportunity:
New Leadership
Yvonne Maffia
Analytics & Data Science, Big Data & Analytics, Cloud Computing, Cybersecurity, Market Intelligence
The COVID-19 pandemic has spurned greater demand for health information technology (IT) by demonstrating the importance of having robust medical research, health surveillance and healthcare systems capable of rapidly responding to new and developing situations, something which requires strong IT investment in big data, cybersecurity and cloud. In addition, both the pandemic and emerging technologies have led to numerous changes within the healthcare industry, such as telehealth expansion and increased use of wearables, which necessitate robust health IT solutions.
Gabriel Zighelboim
Cloud Computing, Cybersecurity, Market Intelligence, State & Local Government
On December 8, 2021, the National Association of State Chief Information Officers (NASCIO) released its 2022 annual top 10 priorities list identifying the most pressing technology and policy issues that state CIOs are prioritizing for the upcoming year.
Yvonne Maffia
Big Data & Analytics, Cloud Computing
What is the difference between AI and ML?
Artificial Intelligence and Machine Learning are two of the most transformative technologies in the computing space that are changing the world in which we live. However, there is often confusion in in what constitutes Artificial Intelligence, and what constitutes Machine Learning.
Ricardo Dutton
Business Applications, Cloud Computing, Cybersecurity, Market Intelligence
Recent signals by the U.S. federal government suggest that customer experience (CX), primarily citizen-facing services will receive attention and investment from funding sources like the Technology Modernization Fund (TMF). The initial $311 million awarded by the TMF primarily went to projects focused on cybersecurity in keeping with stated priorities and the prevalence of cybersecurity threats. From the beginning, however, TMF has emphasized CX projects that focus on how taxpayers engage with government services in secure digital environments.
Dawit Blackwell
Cloud Computing, Market Intelligence
The concept of cloud computing has been around for many years now. Anyone positioned in the information technology (IT) world knows the language: SaaS, PaaS, IaaS, multi-cloud, hybrid, on-prem, and the list goes on. How has the concept of cloud morphed? More importantly, what are the cloud buzzwords and concepts that you should be aware of to get in front of end-users? Edge computing, data-centric architecture and sky computing are emerging, and here to stay. Let’s break down what each is and its current or future role in the U.S. federal market.
Susanna Patten
Big Data & Analytics, Cloud Computing, Cybersecurity
With another busy year behind us, it’s time to look ahead to fiscal year (FY) 2022. The official information technology (IT) budget request is $97B, a 4% increase over FY21, which would be a new record. Of course, those numbers undercount all the IT spending that goes unreported. Furthermore, remaining provisions in the American Rescue Plan, the Technology Modernization Fund and IT provisions in the Infrastructure Bill will represent additional pockets of opportunity worth billions for channel partners and technology vendors.
Lloyd McCoy
Business Applications, Cloud Computing
Assuring the best digital employee experience is now a business imperative.
DLT Solutions
Cloud Computing, Market Intelligence
The numbers don't lie. The U.S. public sector is rapidly adopting cloud technologies across the spectrum. According to the NASCIO 2020 State CIO Survey, only 14% of state chief information officer (CIO) organizations do not have a cloud migration strategy, whereas 41% of respondents indicated that they had implemented a cloud first strategy for all new applications.
David Blankenhorn
Cloud, Cloud Computing
As I.T. professionals, security needs to be at the forefront of everything that we do. Even in mature organizations with robust cloud deployments we must always believe there is room for improvement. Here are four considerations to make when evaluating the security of your AWS workloads.
How will you utilize your logging data?
Ricardo Dutton
Cloud, Cloud Computing
Cloud billing can be a tedious and complicated task if not planned for correctly. If you do not have a well thought out plan on how to approach your AWS bill when charging back to various departments or projects, things can get messy when attempting to divide the bill correctly. In this article we will discuss three methods to make strategizing your approach ahead of time to make things much easier when it comes to invoice time.
Cost Allocation Tags
Josh Gazes
Application Lifecycle, Big Data, Cloud, Cloud Computing, DevSecOps
2020 was a transformative year for public sector IT. Accelerated by necessity, agencies rapidly scaled and secured their digital ecosystems to accommodate a newly remote workforce. Against this backdrop, significant cybersecurity hacks revealed continued vulnerabilities in the federal supply chain and state and local IT infrastructures.
Looking forward there is much work to be done. A new administration, new regulations and continued reliance on the cloud will shape public sector IT through 2021.
Brandon Norris
Cloud, Cloud Computing
Teresa Carlson, Vice President, AWS Public Sector held a leadership session, From complexity to clarity: The strategic value of AWS. Teresa’s breakout highlighted how crucial cloud technology has been for organizations. The AWS cloud provides the ability to respond quickly to the new reality brought on by the ongoing global crisis. Several AWS customers shared how they were able to solve some of the world’s most pressing challenges using the cloud. Furthermore, how they are driving impact around big ideas, discoveries, and turning points to solve some of the world’s largest challenges.
Zev Stern-Coder
Cloud Computing
This will be the first in what DLT intends to be an ongoing series of posts highlighting what our partners are building for the Public Sector using AWS.
The Challenge
A Global Service provider wanted a way to develop a messaging solution, to augment, marketing and sales teams for promoting events using a standard Calendar Invite.
Greg Hanchin
Cloud Computing
Before reading this month's Thought Light interview, we invite you to read about BMC's multi/hybrid cloud initiatives for federal government, click here.
What is BMC and how does it help the public sector?
DLT Solutions
Cloud Computing, DevSecOps, IT Infrastructure
Cloud governance shouldn’t be an afterthought. Indeed, it should be a foundational element of any cloud security strategy. Why? Because the cloud is enormous – it’s software, hardware, developer tools and platforms, and more. All delivered by a host of vendors.
DLT Solutions
Cloud, Cloud Computing
It has been 10 years since the U.S. government began warming to cloud computing, beginning with the federal Cloud First initiative in 2010 leading to today’s Cloud Smart strategy – a game plan for bringing processes and applications into a new hardware environment.But to take advantage full advantage of a cloud-driven ecosystem, the government must have more than just a cloud strategy. Agencies also need a data strategy.What is a cloud data strategy?
DLT Solutions
Uncategorized
Article originally posted on GovDesignHub here.
Autodesk University (AU) returns to Las Vegas from November 19-21 – and we have some good news. In addition to discounted conference passes now available on GSA Schedule, Autodesk Certification exams are back at AU 2019!
Caron Beesley
Uncategorized
By Mav Turner, VP, Product Management, SolarWinds
For federal IT pros, moving to a cloud environment is a “when” rather than an “if” proposition. From the government’s recently released Report on IT Modernization, calling for agencies to identify solutions to current barriers regarding agency cloud adoption, to the White House’s draft release of a new “Cloud Smart” policy, which updates the “Cloud First” policy introduced in 2010; cloud migration continues to be a priority.
DLT Solutions
Federal Fiscal Year End, Uncategorized
The old business adage runs, “Nothing happens until somebody sells something.” To which you might add this corollary: nothing good happens in the absence of strong requirements.
Brian Strosser
Cloud Computing, Cybersecurity
It’s often said that there are two types of organizations: those that have been hacked, and those that will be – turning the conversations around security breaches from ‘what if?’ to ‘when?’.
Isabella Jacobovitz
IT Perspective, Uncategorized
The latest data on the progress of federal government agencies’ implementation of the Federal Information Technology Acquisition Reform Act (FITARA) was released on June 26 by the House Oversight and Reform Committee as Scorecard 8.0.
Melissa Perez
Cloud Computing, Uncategorized
Key takeaways show how public sector customers are achieving more with cloud.
As cloud continues to transform the public sector, cloud has had its own metamorphosis: from a trendy buzz word to a catalyst for meaningful change, innovation, and more. Last month, AWS hosted its 10th annual AWS Public Sector Summit. The conference brought together more than 17,000 attendees for 2+ days of insights, sessions, and networking, and explored how cloud is fueling the public sector for a limitless future.
Recap
Isabella Jacobovitz
Cloud Computing, Uncategorized
Key takeaways show how public sector customers are achieving more with cloud.
As cloud continues to transform the public sector, cloud has had its own metamorphosis: from a trendy buzz word to a catalyst for meaningful change, innovation, and more. Last month, AWS hosted its 10th annual AWS Public Sector Summit. The conference brought together more than 17,000 attendees for 2+ days of insights, sessions, and networking, and explored how cloud is fueling the public sector for a limitless future.
Recap
Isabella Jacobovitz
Cloud Computing
The AWS Public Sector Summit is just around the corner. Part of a global series of summits, this year’s event in Washington, D.C. brings the public sector cloud community together to connect, collaborate, and learn about AWS. DLT will be exhibiting at the Summit this year with its technology vendors including AWS, Crowdstrike, NetApp, Quest, and more in booth #800.
DLT Solutions
Uncategorized
Many states' fiscal years are quickly coming to an end, and at DLT we’re committed to making the job of the procurement officer as easy as possible as they scramble to make smart and responsible purchasing decisions with remaining taxpayer dollars. Part of this process is raising awareness of what’s new in our extensive portfolio of IT solutions including big data and analysis, cloud, cybersecurity, application lifecycle, digital design, IT consolidation and management, and more.
Brian Strosser