In the effort to continuously modernize, federal agencies are increasingly moving to a Cloud First model. In CGI’s 2022 Voice of our Clients, central and federal government leaders state that they plan to modernize more than 20% of their portfolio over the next two years. Target environments for modernization include cloud-based infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), and software-as-a-service (SaaS) solutions.
While a foundational element of many federal modernizations, cloud services bring their own challenges. Cloud users can be lulled into an unrealistic sense of their security posture: “with the cloud, we inherit the security of the public cloud and can procure and deploy servers and applications in a secure manner without intervention.” It’s not that simple.
Agencies well into their cloud adoption journey understand the shared responsibility model inherent in the cloud. Yes, Cloud Service Providers (CSPs) implement security hardening, policies and procedures to meet the conditions of NIST security controls for the cloud infrastructure. But your engineers must still configure cloud services, such as Infrastructure-as-a-Service (IaaS) or Software-as-a-Service (SaaS), based on the architecture they want to deploy. They also must ensure the security of individual applications.
Addressing security first within the cloud environment
The misconception that operating in the cloud automatically protects your environment and data has led to some of the biggest security breaches in recent history. The National Cyber Security Division within the Department of Homeland Security and the nonprofit National Cyber Security Alliance shared their Top 10 security issues to keep an eye out for in enterprise cloud computing. Insider threat and misconfiguration are among them. (See the full, detailed list here.)
Those who have moved workloads to the cloud recognize that cybersecurity must become a pillar within a culture that shifts the collective mindset from reactive to security first. The best defense-in-depth is in the skillset of teams responsible for cybersecurity – making no assumptions about the security of commercial cloud.
Five key steps to a more secure cloud
- Perform a cloud risk assessment: The essential first step to properly securing workloads in a cloud environment is the cloud risk assessment (CRA). A risk-based approach is a must. Identify potential risks associated with the intended use of the cloud and the sensitivity level of the data—detailing, for example, whether personally identifiable information (PII) is in play.
- Establish a public cloud request process: A formal, standardized process for requesting cloud services or accounts enables consistent governance and stronger security. Establishing a formal process at the enterprise level drives consistency and compliance.
- Implement managed security services: Engaging an industry partner to provide managed security services relieves you of some of the responsibility. A well-qualified partner can manage your services, processes, policies, strategy and technologies to maintain a defined security baseline.
- Require strict identity management: Establish and enforce policies limiting users to the lowest levels of access appropriate to their roles. With the mandates for moving to zero-trust, identity becomes a foundational element of protecting assets in the cloud.
- Institute frequent user training: Ensure that every individual with access to your networks and systems, whether agency employee or contractor, is trained. Training must be ongoing, including a regular cadence of refresher training regarding each individual’s responsibility for cybersecurity, with particular attention to maintaining the security of cloud services.
Cybersecurity is everyone’s responsibility. The adoption of cloud does not push that responsibility to the CSP. When all members of your team are trained to understand and appreciate their role in securing agency assets—supported by solid policies and precise governance reinforcing them—your risks drop significantly.