This article is an excerpt from GovLoop’s recent guide, “5 Cloud Trends to Watch in Government.” Download the full guide here.
Some agencies are preparing to move more sensitive data to the cloud, and they are using FedRAMP to set the parameters for security. But about 70 percent of CIOs told the Professional Services Council that FedRAMP changes have not helped their agency adopt cloud services, according to the council’s 2017 Federal CIO Survey.
FedRAMP isn’t the only resource for the latest in cloud protection, however. In February the National Institute of Standards and Technology released Special Publication 500-322, a report built on the cloud definitions in SP 800-145 that clarifies how to qualify a computing capability as a cloud service and how to determine whether a service fits the Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) or Software-as-a-Service (SaaS) model. Additionally, the “Report to the President on Federal IT Modernization” calls for shifting perimeter-centric security efforts to data-centric ones, which “emphasizes placing protections closer to the services and information systems in which sensitive data is stored and accessed.”
See it in action at the federal level:
The Small Business Administration is pilot-testing a workaround to the Trusted Internet Connection, an 11-year-old initiative to optimize and standardize the security of individual external network connections that federal agencies use. The agency’s deputy CIO says TIC, which was designed to secure on-premises systems, doesn’t mesh well with cloud, and he plans to prove there are other options.
“We think the cloud is more secure,” SBA’s Guy Cavallo said at a recent GovLoop event. “So [whatever is] not nailed down, we’re moving it to the cloud.”
SBA is working with another, unnamed agency on the pilot, with each testing a separate solution. The security features are comparable to, if not better than, what TIC provides, Cavallo said. For example, his team picked up on 13 attempted connections from Vietnam, a country where SBA doesn’t maintain offices. As a result, the agency blocked those IP addresses from making future access attempts.
TIC isn’t ready to be made obsolete, however. TIC 3.0 is in the works with an eye toward cloud.
See it in action at the state level:
When Pennsylvania’s Office of Administration, Office for Information Technology (OA/OIT) moved from an on-premises service model to a cloud-based one, officials worried about putting data outside the commonwealth’s protected network. To ease those fears, the commonwealth instituted a Risk-Based Multi-Factor Authentication (RBMFA) enterprise service.
It uses two-factor authentication. The first factor is a worker’s username and password, and the second is a software token on the employee’s device of choice. Once installed on a trusted device, the token is unlocked for each use by entering a preset personal identification number. On an untrusted device, it can be unlocked by answering registered challenge/response questions or by providing a one-time code sent by text message to a registered smartphone.
“The service encompasses a risk profile which considers various factors including the data or application being sought, the geographical location of the request, the nature of the device being used, and number of access attempts in a given time period,” according to a document submitted to NASCIO.
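To make the mechanics above concrete, here is an added Python illustration (not the commonwealth’s code, and not a description of its actual vendor product) of the two pieces a risk-based MFA service combines: a software token check implemented as a standard RFC 6238 TOTP built on RFC 4226 HOTP, and a policy engine that turns the four risk inputs named in the NASCIO filing (application sought, geographic origin, device trust, and attempt count over a time window) into a decision about which second-factor path the request must take. The application names, expected countries, thresholds and scoring weights are constructed assumptions for the example; a real deployment would tune them to its own data classification and user population.

```python
"""Risk-based step-up decision plus RFC 6238 TOTP check (added illustration)."""
import hashlib
import hmac
import struct
from collections import defaultdict, deque
from dataclasses import dataclass

# --- Constructed policy values (assumptions, not OA/OIT's real rules) ---
SENSITIVE_APPS = {"hr-payroll", "tax-records"}   # "data or application being sought"
EXPECTED_COUNTRIES = {"US"}                      # "geographical location of the request"
WINDOW_SECONDS = 300                             # attempts counted over this period
MAX_ATTEMPTS_IN_WINDOW = 5                       # more than this in the window => deny
STEP_UP_THRESHOLD = 2                            # score at/above this => challenge Qs or SMS code


@dataclass(frozen=True)
class AuthRequest:
    user: str
    app: str
    country: str          # derived from source IP geolocation upstream (assumed)
    device_trusted: bool  # has the software token been enrolled on this device?
    ts: int               # request time, seconds since the epoch


# ---------- software token: RFC 6238 TOTP built on RFC 4226 HOTP ----------
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def totp(secret: bytes, ts: int, step: int = 30, digits: int = 6) -> str:
    """TOTP per RFC 6238: HOTP over the number of time steps since the epoch."""
    return hotp(secret, ts // step, digits)


def verify_totp(secret: bytes, code: str, ts: int, step: int = 30, skew: int = 1) -> bool:
    """Accept the code for the current step or +/- `skew` steps of clock drift.
    Each comparison is constant-time so a mismatch leaks nothing about the digits."""
    return any(hmac.compare_digest(totp(secret, ts + i * step, step), code)
               for i in range(-skew, skew + 1))


class RiskEngine:
    """Decides which second-factor path a request must take."""

    def __init__(self) -> None:
        self._attempts: dict[str, deque] = defaultdict(deque)

    def attempts_in_window(self, user: str, ts: int) -> int:
        """Record this attempt and return how many fall inside the sliding window."""
        q = self._attempts[user]
        q.append(ts)
        while q and q[0] <= ts - WINDOW_SECONDS:
            q.popleft()
        return len(q)

    def risk_score(self, req: AuthRequest) -> int:
        score = 0
        if req.app in SENSITIVE_APPS:
            score += 1
        if req.country not in EXPECTED_COUNTRIES:
            score += 2
        if not req.device_trusted:
            score += 2
        return score

    def decide(self, req: AuthRequest) -> str:
        """'token_pin': trusted device, PIN-unlocked token code suffices.
        'step_up':   challenge/response questions or SMS one-time code required.
        'deny':      attempt count in the window exceeded; lock the request out."""
        if self.attempts_in_window(req.user, req.ts) > MAX_ATTEMPTS_IN_WINDOW:
            return "deny"
        if self.risk_score(req) >= STEP_UP_THRESHOLD:
            return "step_up"
        return "token_pin"


if __name__ == "__main__":
    engine = RiskEngine()
    # RFC 6238 test-vector secret (constructed sample; never hard-code a real seed).
    seed = b"12345678901234567890"
    req = AuthRequest("alice", "timesheets", "US", device_trusted=True, ts=59)
    path = engine.decide(req)
    print(path, verify_totp(seed, totp(seed, req.ts), req.ts))
```

The two halves are deliberately separate: the TOTP routine only answers “is this a valid token code right now,” while the risk engine answers “is a token code enough for this request.” The SMS one-time-code path the commonwealth offers for untrusted devices is what NIST SP 800-63B classifies as a restricted authenticator, so a policy like this one is also where an agency would decide when that path is acceptable.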
In choosing a service, OA/OIT piggybacked on an MFA solution that the Pennsylvania Department of Human Services was successfully using, state Chief Information Security Officer Erik Avakian wrote in an email. “This enables us to avoid having multiple, siloed MFA solutions being used by different agencies,” Avakian wrote. “Working collaboratively also helped drive quicker adoption and economies of scale and reduction of duplicative effort.”
RBMFA went live in June 2016 and serves all agencies on the state network. This single system has cut multifactor authentication costs from $15 to about $1 per user per year, contributing to an annual savings of more than $1 million.
“Overall, the RBMFA service has performed well and met our expectations,” Avakian wrote.
Next Steps:
- Use a layered approach that can protect data on-premises, in the cloud and even at the edge. Data is king, as they say, but it doesn’t exist in one place, nor should it. If all your eggs are in one basket, that would be a mighty valuable basket to breach.
- Develop an enterprise security strategy with the help of agency leaders, who “need to agree that cloud computing has become indispensable and that it should be governed through planning and policy,” according to Gartner.
- Study Gartner’s Hype Cycle for Cloud Security, which indicates technologies that are ready for mainstream use or future implementation.