Securing the Government Cloud: Focus on Cloud Visibility, Not Control
Government agencies are moving to the cloud. It’s been a recurring message for a number of years, but in 2018 new statistics from Gartner give us concrete data on cloud spend: local governments spend 20.6% of their IT budget on cloud, while national governments spend 22%.
Although spend levels may be at parity, the objectives for cloud adoption are different. In the federal government, a cloud-first approach is seen as a long-term path to strategic IT modernization. The White House plans to modernize federal IT by moving agencies into more secure, cost-effective infrastructure that maximizes the secure use of cloud computing and modernizes government-hosted apps while maintaining legacy systems. In contrast, at the state and local level, cloud is seen as a tactical enabler of innovation and cost savings in the face of shrinking budgets and rising expectations of digital engagement and transactions from constituents.
Yet, while Gartner finds that public cloud growth is healthy in government, concerns remain around security and privacy issues, a lack of features, and vendor lock-in. This leads Gartner to expect that governments will implement private cloud at twice the rate of public cloud through 2021, despite private cloud not delivering the same benefits in scale, functionality, cost savings or agility as public cloud.
It’s not surprising that governments continue to be the most reliant on private cloud. In addition to the regulatory and cross-border concerns of sensitive data storage, procurement and budgetary issues impact cloud adoption for those public institutions. Many governments have restrictions on multi-year service contracts, forcing them into sometimes undesirable yearly-renewal options. It is also easier to justify spending to support an asset, such as physical server hardware, than operating expenses such as cloud services in the yearly government budgeting process.
Top Security Concerns with Private Clouds
Yet, private clouds also give government agencies security jitters for several reasons, as McAfee points out:
1. The increased complexity of infrastructure results in more time and effort for implementation and maintenance
2. Advanced threats and attacks
3. A lack of consistent security controls spanning traditional server and virtualized private cloud infrastructures
4. A lack of staff with skills to manage security for a software-defined data center
5. Data theft by malicious actors
6. An inability to prevent malicious insider theft or data misuse
7. Insufficient control over identity and access management
As agencies migrate to the cloud, McAfee suggests three cloud security best practices based on its research that all organizations should be actively working towards:
1. Embrace DevSecOps Processes – DevOps and DevSecOps processes can improve code quality and reduce exploits and vulnerabilities while increasing the speed of application deployment and feature development. Integrating development, QA, and security processes within the department or application team, instead of relying on a standalone security verification team, is crucial to operating at the speed today’s service delivery environment demands.
2. Automate Security across Cloud Deployment and Management – Help security teams keep pace with cloud deployments using automation. Automation can augment human advantages with machine advantages, says McAfee, creating a fundamental component of modern IT operations. Automation tools such as those from DLT partner Ansible can be used in both public and private environments. Read more from Ansible in this blog: Security is Hard, Why Not Automate It?
3. Unify Security with Centralized Management Across Cloud Providers – Multiple cloud provider management tools make it too easy for something to slip through. A unified management solution with an open integration fabric reduces complexity by bringing multiple clouds together and streamlining workflows.
Finally, while the natural inclination when moving to the cloud is to attempt to take the same kind of control over IT services and security as was achieved with on-premises applications, particularly in multi-cloud environments, McAfee stresses that a trade-off needs to be made. Better visibility, not greater control, may be the number one priority. “It is better to be able to see everything in the cloud, than attempt to control an incomplete portion of it.” If you can’t see what data is in the cloud or monitor cloud workloads, it becomes more difficult to secure the cloud, regardless of the level of controls available.
Read more in McAfee’s 2018 report: Navigating a Cloud Sky: Practical Guidance and the State of Cloud Security.