The cloud brings many benefits to federal agencies, including scalability of resources, cost savings and the ability to develop modernized applications. However, IT leaders need to ensure their agencies’ data is secure as they reap the benefits of these new architectures.
As agencies move more of their information to the cloud, more of that data becomes visible to third-party information systems.
The new federal Cloud Smart strategy suggests that agencies make sure the third-party system provides access to its log data and notifies the partner agency immediately of incidents that could affect the agency’s cybersecurity.
Agencies and their IT security teams should take a series of interconnected actions to ensure their data is secure when it is shared with third-party systems, including defining access control policies, deploying multifactor authentication, separating authentication from access control and following other best practices.
The Importance of Data Security When Sharing with Third Parties
Agencies are the custodians of their data and hold it on behalf of the public, the Cloud Smart strategy notes. “As such, each agency should determine its own governance model for cloud-hosted data that aligns with their identity and credential management systems,” it states. “Additionally, where a cloud solution is deployed by a vendor, a Service Level Agreement (SLA) should be in place that provides the agency with continuous awareness of the confidentiality, security, and availability of its data.”
Meanwhile, the strategy explicitly adds, agencies should know if their data resides on third-party information systems, get access to log data on how their data is used and be notified promptly if a cybersecurity incident or other adverse event occurs. “Agencies should consider having an agreement with all providers, be they federal or commercial, regarding access to and use of log data for their information security operations,” the policy notes.
Further, agencies should be aware of the third-party provider’s privacy policies for personally identifiable information and other sensitive information, as well as who within the provider has access to agency information, and what the provider’s internal security practices are.
As a blog post from nonprofit information security organization ISACA notes, third parties include, but are not limited to, technology service providers; payroll services; accounting firms; invoicing and collection agencies; benefits management companies; and consulting, design and manufacturing companies.
“Most third-party commercial relationships require sending and receiving information, access to the enterprise network and systems, and using the enterprise’s computing resource,” the blog post notes. “The risk posed at different levels and the impacts range from low to very significant.”
When a third party stores, accesses, transmits or performs business activities for and with an enterprise or agency, the ISACA post adds, “it represents a probable risk” for the agency. The degree of risk and the material effects of a breach are highly correlated with the sensitivity of the data and how much data is being transferred.
How to Enhance Data Security in Third-Party Systems
There are numerous best practices agency IT leaders should implement to safeguard data that may traverse or reside in third-party information systems.
- Implement supporting processes and controls that define and enforce access policies for third-party privileged users. Essentially, you as an agency IT leader don’t want personnel at the third party to have unfettered access to your data.
- Improve user verification by operating multifactor authentication technology, so privileged credentials are more difficult to compromise, even if attackers use social engineering and phishing attacks. Two-factor or multifactor authentication is a must-have in today’s security environment.
- Separate authentication from access control, as a form of least-privilege access. This way privileged users “have only limited visibility to internal networks, minimizing the possible damage one user — or one set of stolen credentials — can inflict.”
- Prevent unauthorized commands and mistakes with “real-time policy enforcement as a first line of defense, protecting the infrastructure from malicious activity and mistakes.”
- Monitor activity and investigate suspicious events to “quickly catch breaches, improve training when needed and continuously refine automation and processes.”
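The five practices above fit together as one control flow: an authentication step that establishes who the third-party user is and whether the second factor succeeded, a separate authorization step that consults a default-deny allow-list, and an audit trail that every decision passes through so repeated denials can be investigated. The following Python example is added here to show that flow end to end; it is not code from the article, the Cloud Smart strategy or any agency system. The account name, password, resource names, policy entries and thresholds are constructed for the demonstration, and the TOTP seed is the public RFC 6238 test value.

```python
"""Separating authentication (who is this, and did MFA succeed?) from
authorization (what may this principal do?) for a third-party privileged
account, with default-deny policy enforcement and an audit trail that
flags repeated denials. Every account, secret, resource and policy entry
here is constructed for the demonstration."""
import base64
import hashlib
import hmac
import struct
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional


# ---- authentication: establishes identity and MFA status, grants no rights ----

def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30-second step) standing in for the second factor."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


_SALT = b"constructed-demo-salt"  # a real directory uses a random per-account salt


def _pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


# Constructed directory holding one third-party privileged account.
ACCOUNTS = {
    "vendor-ops@contractor.example": {
        "pw": _pw_hash("correct horse battery"),
        "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",  # RFC 6238 test seed
    },
}


@dataclass
class Session:
    principal: str
    mfa_verified: bool  # authorization refuses privileged actions when False


def authenticate(user: str, password: str, otp: str, now: int) -> Optional[Session]:
    """Verifies password and second factor; returns identity only, no permissions."""
    acct = ACCOUNTS.get(user)
    if acct is None or not hmac.compare_digest(acct["pw"], _pw_hash(password)):
        return None
    mfa_ok = hmac.compare_digest(totp(acct["totp_secret"], now), otp)
    return Session(user, mfa_ok)


# ---- authorization: separate allow-list, default deny (least privilege) ----

# (principal, action, resource) triples; anything not listed is denied.
POLICY = {
    ("vendor-ops@contractor.example", "read", "dataset:benefits-claims"),
    ("vendor-ops@contractor.example", "read", "logs:application"),
}


@dataclass
class Audit:
    """Append-only decision log plus a simple repeated-denial detector."""
    entries: list = field(default_factory=list)
    denials: dict = field(default_factory=lambda: defaultdict(list))

    def record(self, principal, action, resource, allowed, reason, now):
        self.entries.append((now, principal, action, resource, allowed, reason))
        if not allowed:
            self.denials[principal].append(now)

    def suspicious(self, principal, now, window=300, threshold=3) -> bool:
        """True when the principal collected >= threshold denials in the last window seconds."""
        return sum(1 for t in self.denials[principal] if now - t <= window) >= threshold


def authorize(session: Optional[Session], action: str, resource: str,
              audit: Audit, now: int) -> bool:
    """Policy decision point: every request is logged; only explicit allow-list hits pass."""
    if session is None:
        audit.record("<unauthenticated>", action, resource, False, "no session", now)
        return False
    if not session.mfa_verified:
        audit.record(session.principal, action, resource, False, "mfa not verified", now)
        return False
    allowed = (session.principal, action, resource) in POLICY
    audit.record(session.principal, action, resource, allowed,
                 "allow-list" if allowed else "not in allow-list", now)
    return allowed


def run_demo(now: int = 1_700_000_000) -> dict:
    """Walks one vendor session through an allowed read, three denied actions and the flag."""
    audit = Audit()
    user = "vendor-ops@contractor.example"
    otp = totp(ACCOUNTS[user]["totp_secret"], now)  # what the authenticator app would show
    sess = authenticate(user, "correct horse battery", otp, now)
    results = {
        "read_ok": authorize(sess, "read", "dataset:benefits-claims", audit, now),
        "delete_denied": not authorize(sess, "delete", "dataset:benefits-claims", audit, now + 1),
        "export_denied": not authorize(sess, "export", "dataset:benefits-claims", audit, now + 2),
        "write_denied": not authorize(sess, "write", "logs:application", audit, now + 3),
    }
    results["flagged"] = audit.suspicious(user, now + 3)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The point of the split is that a valid session never carries rights with it: a stolen credential that passes authentication still hits the allow-list, and a session whose second factor failed is refused before the policy is even consulted. Because every decision, allowed or denied, lands in the audit log, the same record serves both the agency's own investigation and the log-access agreement the strategy asks agencies to have with their providers.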
These are just a few of the ways agencies can safeguard data in third-party systems and ensure they are maintaining their responsibility as custodians of the data they hold in the public’s trust.