Trust and Risks Both Growing in Government Clouds

As the 2017 RSA Security Conference kicks off in San Francisco, Intel Security released the results of its second annual survey on cloud security practices. The report outlines the current state of cloud adoption, the primary concerns with private and public cloud services, security implications, and the evolving impact of shadow IT of the more than 2,000 IT professionals surveyed.

The full report titled Building Trust in a Cloudy Sky, is available for download here. Here are some of the highlights:

• Trust now outnumbers distrust for public clouds by more than 2-to-1.
• 49 percent of professionals slowed cloud adoption due to a lack of cybersecurity skills.
• 65 percent think shadow IT is interfering with keeping the cloud safe and secure.
• 52 percent indicate a malware infection can be tracked to a cloud application.
• 62 percent store sensitive customer information in the public cloud.

To discuss the report and the importance of current cloud computing trends, I spoke with Eric Trexler, who is the National Security and Civilian Programs director at Intel Security. Eric leads all non-DoD security program activities at Intel Security, and I found his passionate comments about the survey results to be both helpful and insightful about federal government.

Here are a few of the top quotes from Eric during our 30-minute phone discussion:

“Cloud-first is catching on! Cloud adoption is accelerating rapidly! We are seeing both business areas and IT shops putting more and more data in the cloud.”

“Boundaries are blurring between private, public and hybrid clouds. This means the same tools sets are being used to access data, encrypt data and manage data across diverse platforms and cloud infrastructures.”

“Shadow IT is growing, and business professionals are not as aware as IT professionals of the risks that they are introducing into the enterprise by moving their data into the cloud.”

“Ninety-three percent of organizations use cloud services in some form.”

“I think security technologies such as data loss prevention, encryption and cloud access security brokers (CASBs) remain underutilized. Integrating these tools with an existing security system increases visibility, enables discovery of shadow services, and provides options for automatic protection of sensitive data at rest and in motion throughout any type of environment.”

“The shortage is security staff is driving more cloud adoption. More and more gaps is cybersecurity disciplines means that the cloud will be a helpful solution in the long run. However, in the short term, this rapid move to the cloud is causing a greater need for security staff and security architectures as infrastructure usage evolves. This is making the immediate staffing shortage an even larger issue.”

“It is significant that over 2,000 global IT professionals participated in these survey results. Research participants were senior technical decision-makers from small, medium and large organizations located all over the world.”

“FedRAMP is helpful, but not enough. The rigor involved is helping improve the security capabilities of many government cloud offerings, but public and private sector teams still need to ensure that the right level of security is applied to different data sets after FedRAMP certification. The work does not end there. Security processes must be integrated in persistent ways. IT shops understand this, but many government business areas do not. We need to mandate the path to the cloud through the IT shops.”

Other Cloud Security Report Recommendations

Beyond Eric Trexler’s comments, some other Intel Security report recommendations include:

• Attackers will look for the easiest targets, regardless of whether they are public, private or hybrid. Integrated or unified security solutions that provide visibility across all of the organization’s services could be the best defense.
• User credentials, especially for administrators, will be the most likely form of attack. Organizations need to ensure they are using authentication best practices, such as distinct passwords, multi-factor authentication and even biometrics where available.
• Organizations need to evolve toward a risk management and mitigation approach to information security. They should consider adopting a cloud-first strategy to encourage adoption of cloud services to reduce costs and increase flexibility, and put security operations in a proactive position instead of a reactive one.

Final Thoughts

In 2010, when I was the Michigan chief technology officer (CTO), I asked the question: Cloud First Policy — What Does It Really Mean?” Here were three points for state and local government to consider at the time:

• Cloud computing is the new normal for all of us. "Shared services" is here to stay. Learn more by reading and learning about what your federal, state and local counterparts are doing now.
• Develop a cloud computing strategy for your government with meaningful deliverables and milestones. Figure out what can go into a "public cloud" and what needs to remain in your government's "private cloud." Or, more likely, will you implement a “hybrid cloud?” Federal Computer Week suggests that agencies should start with cloud-based email.
• Build partnerships. We need help from the private sector companies, other governments and associations like NASCIO to help.

We’ve come a long way in almost seven years, and yet many cloud security challenges remain. I found this new Intel Security report to offer a very good status on the global state of cloud security in 2017.

We reached a tipping point long ago on data moving to the cloud, with 93 percent of organizations using some type of cloud services.

But now we are reaching new milestones with more sensitive data being moved into the cloud in the public and private sectors. Use this report to help build your cloud strategy for 2017-2020. The report data and recommendations will certainly help.