Over the past 8+ years the Federal government and agencies have been adopting the Cloud, and over the past few years the pace of adoption has increased. Cloud offers great opportunities and challenges to public sector security teams defending critical mission systems against advanced threats. These 7 strategies will help your security team.
Like many of you, I was there at the birth of the cloud. I watched the evolution in the private sector, the debates over what a cloud is, the sales pitch that money would be dramatically saved, and other claims, some of which proved true and others false. I supported adoption in the public sector, which is taking much longer, due to the time it takes government to innovate, implement new technology, determine risks, and obtain an authorization to operate or a risk acceptance. In the early years, 2010 to 2015, few government CIOs succeeded on an enterprise scale. Over the past few years FedRAMP has evolved, and guidance from NIST and the Cloud Security Alliance has been a tremendous help to those seeking cloud security enlightenment.
You must know that the public and private sectors differ in cloud adoption, and I certainly hope one day they will be equal. In the private sector, adoption yielded cost savings and increased efficiency across many industries. Early adopters’ ability to change and adapt quickly to the cloud fueled their success. That agility in adoption in the private sector was like trying to put a square peg in a round hole for many large government IT organizations. Speed has not been a government attribute, but indications of change can be seen. Forward-leaning public sector CIOs taking the lessons learned from the private sector, coupled with productive vendor partnering with Amazon, Google, and Microsoft, will help close that gap.
Opportunities and Blind Spots
For government, there is a great opportunity in having a common architecture that propels intelligence integration and big data analytics. It starts with the flow of intelligence from collectors, people, satellites and sensors into the cloud(s). Authorized personnel with the right credentials can check out applications from a library of applications to interrogate, analyze and enhance the data. Products can then be developed, hosted and consumed, with usage tracked for value. The integration that happens in the cloud is a tremendous value. But as this shift takes place, government agencies often find themselves in the middle of a balancing act, trying to manage both the cloud and the legacy systems and applications that remain.
Years ago, when my public sector organization was preparing for an external risk assessment, I wanted to ensure the two large enterprises received a minimum rating of “Excellent” based on the criteria that had been established for the review. My Director also wanted to know the outcome in advance of the inspection. I’ll call the two enterprises Enterprise A and Enterprise B. As I pushed for compliance on Enterprise A the metrics improved, but at the same time the metrics for Enterprise B dropped. I pushed for focus on Enterprise B, and voila, Enterprise B improved; however, Enterprise A metrics worsened. The reason? The same manpower was responsible for patching both enterprises and could only keep up with one at a time. At the time this was a very manual process. Lesson learned: managing risk, that is, the continuous evaluation of the security posture of systems and the cloud, often draws on the same resources that are used to oversee legacy systems and applications. You need the right balance of skilled manpower to ensure you’re successful.
Vulnerability to Advanced Persistent Threats
As more government organizations migrate to the cloud, the balancing act of protecting, monitoring and testing thousands of legacy systems will increase, along with the advanced persistent threats from the bad guys — nation-states, cyber criminals, and hacktivists. The threat is advanced, not because of technology but because of the way hackers perform reconnaissance, collect intelligence, and persistently go after very specific targets. Today hackers operate as a consortium of talent, teamed based on their specialty, to ensure they can effectively attack a target. Any organization touching the internet, including demilitarized zones (DMZs) that have not yet been compromised, will likely be compromised. Only the naïve believe they are impenetrable. Since I am speaking about the public sector, those who know it will say, “But SECRET, TS, and TS/SCI systems do not touch the internet.” If that’s true, then you are a lot safer, provided your IT support does not perform any unauthorized connections, shortcuts, etc.
Nation-state threat actors would love to have sensitive government data, so as an IT and security leader you need to make sure you are doing the basics to prevent that. While there are thousands of ways to tackle this challenge, I think the essentials are: a robust risk management organization that evaluates the risk of and approves all IT systems and apps; good testing through the risk management process as well as Blue Teams; ruthless, “really ruthless,” configuration management processes; great knowledge of the internet-facing architecture, its ingress/egress points, and how they are protected; and skilled detection capabilities.
The Problem with Signature-based Technologies
Legacy systems and the protective capabilities of antivirus, firewalls, and intrusion detection systems face far more advanced threats now than when they were originally authorized to operate in the 2008 to 2014 time period. In 2008, these technologies were solid solutions for defense-in-depth strategies. However, the benefits no longer justify the cost, and public sector organizations will need to make trade-offs for a more modern platform that uses behavioral and heuristic signatures. Solutions for the threats faced today must also incorporate threat intelligence. Since we are talking about public sector cloud adoption, the question is whether the legacy protective technologies can protect the organization’s cloud. I feel there might be a tendency to assume that the security controls put in place years ago are able to provide the level of protection needed. These systems should be re-evaluated for ROI and for their ability to protect the data in the cloud.
Budget and operational challenges
It’s no secret that government does not move quickly to implement new technology. The budget lifecycle is a long, arduous process, typically 18 to 24 months. In the private sector, processes may move faster, if desired. The pace and evolution of threats outpace the security industry’s ability to adjust, and even once new capabilities are available the timeline for adoption can be long. This puts the CIO/CISO in constant communication with others about adjusting the tools, depending on whether the budget is available. As the world moves and evolves with threats and solutions, the budget processes, proposals, justifications and implementations remain as they were—not terribly fast or agile. As a result, government security executives are put in the position of having to obtain approval for silos of capabilities that individually appear great at a given moment in time but are hard and expensive to integrate.
As many large organizations move to the NIST Cyber Security Framework, the technologies required to support the PROTECT and DETECT pillars are critical. Security Operations Centers (SOCs) require a faster refresh rate to keep up with persistent threats, because standard SOC technologies (IDS, AV, and firewalls) do not protect against new threats like 0-days or persistent threat actors. When you combine the issues of old or signature-based technologies with the unfortunate probability that legacy system protections could be overlooked, the outcome could be devastating. Here are 7 critical strategies and practices to avoid a worst-case scenario.
- Follow the National Institute of Standards and Technology (NIST) guidance for continuously monitoring the security controls of the systems in operation.
- Executive leadership must recognize that legacy systems and government clouds require robust and evolving protection. Measuring the security of both is critical.
- Deploy hosted security services in both the enterprise and the cloud. This makes it easier for legacy systems to inherit those services and ensures that continuous monitoring is performed centrally.
- Within the SOC, develop a plan to protect legacy systems with a platform that can integrate signature-less (heuristic, behavioral) and signature tools.
- Allocate your resources wisely. Make sure you have both the manpower and the technology to cover both existing systems and the cloud.
- Analyze the effectiveness of your current SOC capabilities against the cost. Make sure you are getting the value you need and make trade-offs when necessary.
- Act with a sense of urgency and purpose. An 18 to 24-month budget cycle is too long to deliver adequate security capabilities against today’s threats.
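To make the signature-versus-behavioral distinction from the strategies above concrete, here is an added example that is not part of the original article. It runs two small detectors over constructed key=value log lines: a signature rule that matches a known indicator, and a behavioral rule that flags an account fetching from an unusual number of distinct hosts in a short window. The log format, the indicator name `constructed-bad-tool.exe`, and the thresholds are all assumptions made for the example.

```python
"""Signature vs. behavioral detection over constructed log lines (example, not the article's code)."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample events, one per line, key=value format. Not from any real system.
SAMPLE_LOGS = [
    "ts=1 user=alice src=10.0.0.5 action=login result=ok",
    "ts=2 user=alice src=10.0.0.5 action=fetch dst=fileserver bytes=1200",
    "ts=3 user=bob src=10.0.0.9 action=login result=ok",
    "ts=4 user=bob src=10.0.0.9 action=fetch dst=fileserver bytes=900",
    # A known indicator that an existing signature already covers (placeholder name).
    "ts=5 user=bob src=10.0.0.9 action=exec cmd=constructed-bad-tool.exe",
    # Activity with no signature at all: one account touching many hosts quickly.
    "ts=6 user=carol src=10.0.0.7 action=login result=ok",
    "ts=7 user=carol src=10.0.0.7 action=fetch dst=db01 bytes=500",
    "ts=8 user=carol src=10.0.0.7 action=fetch dst=db02 bytes=500",
    "ts=9 user=carol src=10.0.0.7 action=fetch dst=db03 bytes=500",
    "ts=10 user=carol src=10.0.0.7 action=fetch dst=db04 bytes=500",
    "ts=11 user=carol src=10.0.0.7 action=fetch dst=db05 bytes=500",
]

# Signature list: regexes for indicators we already know about (placeholder indicator).
SIGNATURES = {
    "known-bad-tool": re.compile(r"cmd=constructed-bad-tool\.exe\b"),
}

Alert = Tuple[str, str, int]  # (rule name, user, timestamp of first hit)


def parse(line: str) -> Dict[str, str]:
    """Turn a 'k=v k=v' line into a dict and keep the raw line for regex matching."""
    event = dict(kv.split("=", 1) for kv in line.split())
    event["raw"] = line
    return event


def signature_alerts(events: List[Dict[str, str]]) -> List[Alert]:
    """Signature detection: fires only when a known pattern appears in the raw line."""
    alerts: List[Alert] = []
    for ev in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(ev["raw"]):
                alerts.append((name, ev["user"], int(ev["ts"])))
    return alerts


def behavioral_alerts(events: List[Dict[str, str]], max_hosts: int = 3, window: int = 5) -> List[Alert]:
    """Behavioral detection: a user fetching from more than max_hosts distinct
    destinations within `window` time units is unusual regardless of what tool
    or payload was involved, so no indicator is needed to catch it."""
    per_user: Dict[str, List[Tuple[int, str]]] = defaultdict(list)
    for ev in events:
        if ev.get("action") == "fetch":
            per_user[ev["user"]].append((int(ev["ts"]), ev["dst"]))
    alerts: List[Alert] = []
    for user, fetches in per_user.items():
        fetches.sort()
        for t0, _ in fetches:
            hosts = {dst for t, dst in fetches if t0 <= t <= t0 + window}
            if len(hosts) > max_hosts:
                alerts.append(("host-fan-out", user, t0))
                break  # one alert per user is enough for this example
    return alerts


EVENTS = [parse(line) for line in SAMPLE_LOGS]


def run_detections(lines: List[str]) -> Dict[str, List[Alert]]:
    """Run both detectors so the SOC sees known and novel activity side by side."""
    events = [parse(line) for line in lines]
    return {"signature": signature_alerts(events), "behavioral": behavioral_alerts(events)}


if __name__ == "__main__":
    for rule_family, alerts in run_detections(SAMPLE_LOGS).items():
        print(rule_family, alerts)
```

The point the run makes is the one the article argues: the signature engine catches bob's known indicator but has nothing to say about carol, while the behavioral rule catches carol's host fan-out without any indicator and is silent on bob. An integrated platform needs both.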
The cloud offers tremendous value for government agencies, but only if organizations adopt measures that protect legacy systems and ensure that security solutions can defend against today’s advanced persistent threats.