A recent report by Forcepoint and Ponemon Institute, Cloud Adoption in the U.S. Federal Government, revealed startling findings that are bound to raise the blood pressure of cybersecurity professionals.
The responses of more than 600 IT and IT security practitioners highlighted growing concerns around the inability to gain visibility and control overshadow IT and non-secure cloud services. Sixty-seven percent of respondents named security as the top inhibitor to cloud adoption.
Let’s take a closer look at these challenges, and how IT administrators can get in front of them.
The shadow IT challenge
Shadow IT signifies the use of non-approved applications, devices, systems, software, and services, such as Dropbox or personal smartphones. They’re often inexpensive and easy to procure, as the acquisition process doesn’t require the involvement of an IT administrator.
Yet while these tools help increase productivity and efficiency, they can increase risk. Users can overshare sensitive data via file-sharing applications or with other applications. Security teams may be completely unaware that these applications are being utilized on their networks. This is a significant security blind spot. Indeed, on a scale of one to 10, 35 percent of survey respondents rated “gaining visibility into unsanctioned applications” a seven or eight.
The FedRAMP challenge
Nine years after the FedRAMP concept was first introduced, most agencies continue to use non-FedRAMP-certified cloud service providers (CSPs). The survey found only 9 percent of agencies reported that more than 90 percent of their CSPs are FedRAMP authorized, while 69 percent reported that fewer than 50 percent of their CSPs are authorized.
There could be several reasons behind these numbers. Perhaps it’s because the process for becoming FedRAMP-certified is highly rigorous and complex – the Guide to Understanding FedRAMP is nearly 60 pages long – which may be daunting to many cloud providers. But it’s also likely another shade of shadow IT, where employees – in an attempt to simply get things done – are downloading and utilizing non-FedRAMP applications and services.
Whatever the reason, it’s imperative that agencies ensure that their cloud environments are secure yet friction-free – something that has been historically difficult. Forty-five percent of respondents stated that the cloud is the most challenging environment for securing data, as opposed to 29 percent who cited on-premises or 26 percent who said “both” (on-premises and the cloud).
Answering the challenges
There are two ways to approach these hurdles. One involves technology; the other, education.
On the technology front, agency IT professionals need solutions that allow them to easily cut through the complex morass that is their IT stacks. They must be able to identify and categorize all of the cloud applications and services running on their networks – agency-sanctioned or otherwise. With this insight, available through solutions such as Cloud Access Security Brokers (CASBs), they can shine a light on shadow IT and potential vulnerabilities.
Agency IT professionals can also gain a clearer understanding of the risks associated with how users are interacting with these technologies through behavior analytics. Closely monitoring users’ behavioral patterns can indicate anomalies that could signal a potential problem. This is particularly important for users who are especially close to sensitive government information, who could prove to be enticing targets for external threats. Deviations from a user’s normal behavior – attempting to access restricted files, for example, or logging onto the network from a foreign IP address – might indicate the user has been compromised. This, in turn, would prompt IT to address the specific problem without having to close the entire network. In combining the breadth of insights and context delivered through behavior analytics integrated with CASBs, IT administrators today are empowered with a real-time view into potential risk exposure to quickly identify and stop high-risk insider or external attacks before critical data leaves the network.
Technology should be complemented with education. Often, employees are simply unaware that the applications they’re downloading or the tools they’re using can expose their agencies to risk. They may not know the agency’s unique security protocols. But in today’s heightened cyberthreat environment, security is not only the role of the CISO – everyone must take responsibility.
It’s critical that agencies take steps to continuously inform and remind all employees about agency cybersecurity policies. IT should reiterate the potential risks involved with using non-sanctioned cloud apps and services to share information. Education is key for organizations, because hackers see unsuspecting employees as low-hanging fruit to invade the network. But well-trained, vigilant, and mindful employees can also be the best first line of defense.
With 82 percent of respondents stating that SaaS technologies are important to helping them meet their agencies’ goals, it’s clear that allowing employees to work “at the speed of the cloud” is a top priority. But security can never be second place. Information must flow freely – yet securely – if agencies are to succeed with their Cloud Smart strategies.
TSA Releases ‘Cloud First,’ ‘Cloud Smart’ Integrated Strategy