Bertolini set the stage: “Cybersecurity was a difficult, if not almost impossible, task prior to the pandemic. And now it's even tougher.”
As local governments prepare for a post-COVID environment, they cannot ignore the cost, speed, and agility advantages of the cloud. But they expect to frequently face the risk-averse nature of local government information technology (IT) operations.
There is an innate resistance to relying on cloud technologies that host critical data off-site. Stakeholders must be persuaded, and employees must learn new skills. But with cyber risks rising, government technology leaders need to think about moving some workloads to the cloud.
“It's not easy, but with good leadership, good vision, and good strategy, you can absolutely get there,” Exley said.
Bertolini shared data from a CDG research survey asking 133 technology leaders in mid-sized government agencies for their perspectives on cybersecurity. The survey found that 61 percent of respondents faced increased cyber threats since the start of the COVID-19 pandemic. A scant three percent of respondents were “very confident” in their ability to respond to cybersecurity risks.
The respondents’ top three challenges were aging, vulnerable technologies, lack of proper employee training, and low budget prioritization of cybersecurity. Human error was the most common cyber risk, followed by social engineering events (which take advantage of people’s bad habits) and compromised accounts/credentials.
These data points highlight the pervasiveness of cyber threats and the difficulties mid-sized governments face in confronting them. Exley and Grindle made the case for embracing new perspectives on technology to make it more manageable to transition workloads and applications to the cloud.
“Most people know what they need to do to prevent cybersecurity threats,” Exley said. “But they may not be sure how.”
Strengthening security in local governments starts with keeping critical applications available in a cyber event or a public emergency (like a natural disaster). Grindle and Exley cited two case studies illustrating how government agencies put the cloud to work to improve system availability.
“Our nation's first responders rely on a patchwork of telecommunications equipment,” Grindle said. He pointed to a law enforcement agency serving more than three million residents that turned to AWS to achieve higher resiliency and lower downtime for its computer-aided dispatch (CAD) system.
CAD systems average more than eight hours of downtime every year, Grindle said. The AWS Cloud promises 99.999% uptime, which translates into about five minutes of downtime per year. This gives the law enforcement agency’s cloud-based CAD system substantial resilience against threats and natural disasters.
Exley described a tollway authority whose tunnels and highways serve 150,000 vehicles. “If it failed to operate, there's a public safety issue,” Exley said. By moving critical workloads to the AWS Cloud, the tollway authority boosted data security and disaster recovery capability. They saved $500,000 on the cost of a hardware refresh and cut maintenance costs by $200,000 per year.
Cloud services promise speed, flexibility, and economy when deployed strategically. During the pandemic, local governments started using streaming applications to enable work-from-home capability, Grindle said. These apps were written to provide the same security as a virtual private network (VPN) on any device without the hassles of implementing VPN.
This level of speed and flexibility requires local governments to shift their perspective away from controlling everything in their IT sphere.
“There's often this essence of control that permeates through agencies,” Exley said. “They want to control each individual application that they're responsible for.” The pandemic made agencies cede some of that control to cloud providers and software as a service (SaaS) companies. Giving up control was challenging, but it gave governments the freedom to try new things quickly in an emergency.
“The pandemic really caused us to shift our thinking about that control in the technology and really move towards innovation—and really rapid innovation,” Grindle said.
Moving applications and workloads to the cloud creates shared responsibility for security. With its 99.999% uptime, AWS has a strong incentive to secure its data centers. Government agencies shoulder their own share of security responsibilities, and can fine-tune security on their end to mesh with the cloud provider while meeting regulatory and compliance rules. “They can make it as secure as they want,” Exley added.
Local governments also are using low or no-code applications, serverless infrastructures, and other automated solutions to reduce the potential for human error, Grindle said. For example, disaster recovery programs can automatically fail over to backups in a ransomware event.
But automation doesn’t fix everything. As the CDG survey data on human error revealed, local governments need to teach people to adopt secure practices. That can seem daunting. “There's automatically this feeling that they don't know enough, or that the cyberattackers are smarter and more capable,” Bertolini said.
Grindle noted that training people to watch out for phishing and other forms of cyber threats is a good start. Local governments also can create systems encouraging people to adopt safer practices, rewarding them for good behavior rather than punishing missteps.
Agencies can also talk to their cloud provider about simple-to-implement security tools. For example, AWS Key Management Service (AWS KMS) and AWS CloudTrail are two services that allow for quick security audits. Users can see who created keys, who received keys, who used them, and when they used them, Exley said. “So, you can see when your data was accessed, and by whom, using what key.”
Ultimately, improving security in a time of limited budgets and increasing threats comes down to persuading government leaders to adopt new ways of thinking about people, processes, and technologies.
That means learning as much as possible about cloud technologies and the opportunities they create—and passing that knowledge up the chain of command.
“Get the chief information security officer (CISO) comfortable with the cloud, that's going to be your pain point,” Grindle advised. “Get that individual comfortable, and then they will help drive your organization.” Experiment with no-cost cloud tools and use them to generate data that shows how straightforward it is to do things like spin up backup and recovery environments.
“Once you have that kind of data, then you'll find people are more likely to jump in further,” Exley said. “Don’t be afraid. Get in and play with something.”
For more information and cloud resources supporting mid-sized governments, visit the AWS Local.US microsite here.
