The cloud is increasingly becoming the center of IT and the frontline for cybersecurity. With cloud adoption comes increased complexity in how IT is deployed, and data secured, across public cloud, private cloud, hybrid, and on-premises environments.
Given the current landscape, information security professionals at all levels of government – federal, state, and local – need to understand how threat vectors are shifting in the cloud in order to make the necessary updates to their security programs and strategy.
For example, identity-related attacks are a critical threat vector in cloud services, making proper identity and access management the fundamental backbone of security across domains in a highly virtualized technology stack, according to Symantec’s Cloud Security Threat Report (CSTR), Adapting to the New Reality of Evolving Cloud Threats.
“The speed with which cloud can be ‘spun up’ and the often-decentralized manner in which it is deployed magnifies human errors and creates vulnerabilities that attackers can exploit. A lack of visibility into detailed cloud usage hampers optimal policies and controls,” the report states. For the report, Symantec surveyed 1,250 security decision-makers worldwide in Spring 2019 to understand the shifting cloud security landscape.
Visibility into cloud workloads is a problem. An overwhelming majority of survey respondents (93 percent) report issues keeping tabs on all cloud workloads. Interestingly, poor visibility into Infrastructure-as-a-Service (IaaS) was called the top threat by just three in 10, and the most critical vulnerability by only one in 10, spotlighting again that perceptions and understanding are scrambling to keep up with the reality of poor visibility.
The CSTR also revealed 25 percent of cloud security alerts go unaddressed. A majority (64 percent) of the security incidents occur at the cloud level, and more than half of respondents admit they can’t keep up with security incidents. Moreover, 83 percent feel they do not have processes in place to be effective in acting on cloud security incidents.
The CSTR presents a lot of information that federal, state, and local agencies can use as background on the overall threat environment, but a few of the key issues identified stand out.
Risky behaviors put data at risk
One of the biggest challenges for security teams attempting to get a handle on the cloud is rampant risky user behavior. According to CSTR respondents, nearly one in three employees exhibit risky behavior in the cloud, and Symantec’s own data shows 85 percent are not using best security practices. What’s more, sensitive data is frequently stored improperly in the cloud, making organizations more susceptible to breaches, and oversharing of files is a problem.
State and local government takeaway – ransomware
Although not covered directly in the report, the cloud is a major threat vector for ransomware. As such, implementing the recommendations in this report could go a long way to help state and local governments protect against ransomware. State and local agencies should be especially concerned about employees clicking on email and attachments that might appear legitimate but contain malware. Employee behavior using email is emerging as a weak link that can be exploited by cyber criminals launching targeted ransomware attacks on municipal networks and servers.
In June, cyber criminals took control of three Florida towns’ municipal computers, forcing city officials to pay ransoms to regain control of their email and other servers. The local governments of Key Biscayne, Lake City and Riviera Beach were all struck by ransomware – all three cases started with a city employee clicking on an attachment in email and unleashing malware.
Targeted ransomware attacks will continue to rise as cyber criminals target organizations with new breeds of attacks. State and local governments will have to embark on a comprehensive campaign to educate employees about risky behavior as well as harden security architectures around email and cloud, while implementing multi-factor authentication practices.
Federal government takeaway – Zero Trust
A Zero Trust strategy, building out a software-defined perimeter, and adopting serverless and containerization technologies are critical building blocks for organizations to strengthen security across on-premises and multi-cloud infrastructures, according to the CSTR.
The concept of a Zero Trust-based approach is gaining credence in the federal IT community. For instance, the Air Force has identified Forrester’s Zero Trust eXtended Framework as one of the pillars of its Enterprise IT as a Service initiative. Also, the Federal CIO Council asked ACT-IAC to provide a whitepaper on Zero Trust and its potential role in the federal government. Additionally, the CIO Council has asked the National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence (NCCOE) to publish guidance to help federal agencies implement Zero Trust.
Meanwhile, the Defense Innovation Board, the Pentagon’s technology advisory board, is urging the military to implement a Zero Trust Architecture (ZTA) for network access. The Zero Trust Framework creates a new type of data-centric perimeter around information based on the principle “Trust No One. Always Verify.” Any request for data or resources coming from a person or device undergoes strict verification.
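To make the “Trust No One. Always Verify.” principle concrete, here is an added illustration of a per-request policy decision in the Zero Trust style. It is not code from the CSTR, the Defense Innovation Board, or any Zero Trust framework named above; the field names, sensitivity levels, freshness limits, and sample requests are all assumptions constructed for this example. The point it demonstrates is that the decision defaults to deny, that each signal (authenticated subject, MFA, device posture, credential freshness) must pass explicitly for every request, and that the network the request arrived from is recorded for audit but never earns trust on its own.

```python
"""Added illustration of a Zero Trust per-request policy decision.
Not from the report or any framework it cites; every rule and value here is
an assumption chosen for the example."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class RequestContext:
    subject: str               # authenticated principal, or "" if none was established
    mfa_verified: bool         # session completed a second factor
    device_compliant: bool     # device posture reported as compliant (assumed signal)
    token_age_seconds: int     # seconds since the credential was last verified
    resource: str              # what is being requested
    resource_sensitivity: str  # "public" | "internal" | "restricted" (constructed scale)
    source_network: str        # kept for the audit record only; never used to grant access


# Constructed freshness limits: the more sensitive the resource, the more recently
# the credential must have been verified before the request is honoured.
MAX_TOKEN_AGE: Dict[str, int] = {"public": 3600, "internal": 900, "restricted": 300}


def decide(ctx: RequestContext) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). The default outcome is deny: the request is
    granted only when every applicable check passes, regardless of where the
    request came from."""
    reasons: List[str] = []

    if not ctx.subject:
        reasons.append("no authenticated subject")

    limit = MAX_TOKEN_AGE.get(ctx.resource_sensitivity)
    if limit is None:
        # Unknown classification: fail closed rather than guess a policy.
        reasons.append(f"unknown sensitivity '{ctx.resource_sensitivity}'")
        return False, reasons

    if ctx.token_age_seconds > limit:
        reasons.append("credential verification too old for this resource; re-authenticate")
    if ctx.resource_sensitivity != "public" and not ctx.mfa_verified:
        reasons.append("MFA required for non-public resources")
    if ctx.resource_sensitivity == "restricted" and not ctx.device_compliant:
        reasons.append("restricted resource requires a compliant device")

    if reasons:
        return False, reasons
    return True, ["all checks passed"]


# Constructed sample requests. Note that the second request comes from the
# corporate LAN yet is still denied: location is not a substitute for verification.
SAMPLE_REQUESTS = [
    RequestContext("alice@example.gov", True, True, 120, "hr-records", "restricted", "remote"),
    RequestContext("bob@example.gov", False, True, 120, "hr-records", "restricted", "corp-lan"),
    RequestContext("carol@example.gov", True, True, 1000, "intranet-wiki", "internal", "remote"),
    RequestContext("", True, True, 10, "public-site", "public", "remote"),
]


def audit_all() -> List[Tuple[str, str, bool, List[str]]]:
    """Evaluate every sample request and return an audit-style record for each."""
    return [(ctx.subject or "<unauthenticated>", ctx.source_network, *decide(ctx))
            for ctx in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for subject, network, allowed, reasons in audit_all():
        verdict = "ALLOW" if allowed else "DENY"
        print(f"{verdict:5} {subject:22} from {network:9} -> {'; '.join(reasons)}")
```

Running the block prints one line per sample request; only the first is allowed. In a real deployment the inputs would come from the identity provider, the MFA service and a device-management or attestation source, and the decision would be re-evaluated on each access rather than cached for a session.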
According to the board, “ZTA will fundamentally change the effectiveness of security and data sharing across DoD networks. ZTA can better track and block external attackers, while limiting security breaches resulting from human error. ZTA can better manage rules of access for users and devices across DoD to facilitate secure sharing.”
As federal, state, and local agencies expand operations across on-premises and diverse cloud platforms, a broader set of vulnerabilities and threat vectors have emerged. Agencies need the right mix of technology, process, and skilled workforce to effectively address existing and future cloud security threats. Beyond technology, as the CSTR notes, it is time to recalibrate culture and adopt security best practices at the human level. This is true no matter what level of government or what mission an agency is delivering.