Feb 17 2021

How to Determine What Data Does and Doesn’t Belong in a Cloud

Matching up data’s classification level and sensitivity to the right cloud environment is a key task for agency IT administrators.

As the cloud’s importance to federal agency operations grows, IT leaders need to be able to efficiently and accurately take an inventory of what data the agency has in the cloud to determine if it should be there. They also need to figure out if the data is being properly secured.

This task can be tricky because many agencies have data in multiple cloud environments, each of which may have different security controls in place. Additionally, in November 2020, the Federal Risk and Authorization Management Program, better known as FedRAMP, announced it would be drafting new baselines for the low-, moderate- and high-impact security levels based on recent guidance from the National Institute of Standards and Technology (NIST Special Publication 800-53 Revision 5).

Ultimately, IT leaders and administrators responsible for an agency’s cloud strategy need to align the data they put in the cloud to appropriate security impact levels. That starts with determining what data is currently in the cloud and how it is being protected.

What Kind of Data Is Going Into the Cloud?

The first step in this process is figuring out what data is in a cloud environment and where it is. IT leaders need to inventory their cloud environments to see how they are being used and how much and what kind of data is being put into them.

They then need to determine the classification level of the data and the security requirements for it. After that, they must then validate that the setup of the cloud environment is meeting or exceeding those security requirements.

Agencies can use a cloud security posture assessment to get an inventory of all their assets and instances in the cloud. Cloud security posture management tools provide ongoing monitoring as well as visibility and control to IT staff, so the inventory stays current rather than becoming a one-time snapshot.

MORE FROM FEDTECH: Follow the 5 R’s of rationalization for an effective cloud migration.

Finding the Right Level of Security for Data in the Cloud

As the General Services Administration notes, the levels of security impact (low, moderate and high) are based on the federal government's requirements for the confidentiality, integrity and availability of the data being put in the cloud, per Federal Information Processing Standards Publication 199: Standards for Security Categorization of Federal Information and Information Systems. Under FIPS 199, each of the three objectives is rated separately, and the overall security category is the highest of the three ratings (the "high-water mark"), so a data set with low confidentiality but high integrity requirements is a high-impact data set.

If the data requires a higher level of security than the cloud environment is authorized to provide, the data needs to be removed, because keeping it in that environment is an unaccepted security risk. An agency should not be putting data into a cloud that does not meet the impact level the data requires.

An agency's IT security division needs to work with mission areas to make sure they are following NIST frameworks for data security. This will help ensure the appropriate safeguards are put in place and, for Defense Department data, will determine whether any Security Technical Implementation Guides need to be applied. Agencies also need to determine the authorization (accreditation) requirements for the data and whether any ethical or legal handling guidelines need to be adhered to.

While that is a lot to keep track of, all of this boils down to determining the impact level of the data and then finding the right cloud that meets that impact level.
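The inventory-then-categorize-then-validate procedure described above, and the removal rule for data whose required level exceeds its environment's authorization, can be expressed as a small audit script. The following is an added example written for this page, not code from FedTech, GSA or FedRAMP. It applies the FIPS 199 high-water-mark rule to a constructed inventory export and compares each data set's resulting impact level with the level its environment is authorized at; the CSV column names, the environment names and their authorized levels are all assumptions made for the illustration.

```python
"""Categorize data sets per FIPS 199 and flag any held in an under-authorized cloud environment."""
from __future__ import annotations

import csv
from dataclasses import dataclass
from enum import IntEnum
from io import StringIO


class Impact(IntEnum):
    """FIPS 199 potential impact levels, ordered so max() yields the high-water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass(frozen=True)
class DataSet:
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact
    environment: str  # cloud environment the inventory found the data in


def categorize(ds: DataSet) -> Impact:
    """FIPS 199 security category: the highest of the C, I and A ratings."""
    return max(ds.confidentiality, ds.integrity, ds.availability)


def parse_inventory(text: str) -> list[DataSet]:
    """Parse a CSV inventory export (hypothetical column layout) into DataSet records."""
    rows = csv.DictReader(StringIO(text))
    return [
        DataSet(
            name=r["dataset"],
            confidentiality=Impact[r["confidentiality"].upper()],
            integrity=Impact[r["integrity"].upper()],
            availability=Impact[r["availability"].upper()],
            environment=r["environment"],
        )
        for r in rows
    ]


def check_placement(datasets: list[DataSet], authorized: dict[str, Impact]) -> dict[str, dict]:
    """Compare each data set's required level with the baseline its environment is authorized at.

    'authorized' maps environment name -> impact level of the baseline it is authorized for.
    An environment missing from that map is itself a finding: data is sitting somewhere
    that has no recorded authorization at all.
    """
    findings = {}
    for ds in datasets:
        required = categorize(ds)
        env_level = authorized.get(ds.environment)
        if env_level is None:
            status = "UNKNOWN_ENVIRONMENT"
        elif env_level < required:
            status = "REMOVE"  # environment cannot support the data's impact level
        else:
            status = "OK"
        findings[ds.name] = {
            "required": required.name,
            "environment": ds.environment,
            "authorized": None if env_level is None else env_level.name,
            "status": status,
        }
    return findings


# Constructed sample inventory for the example (not real agency data).
SAMPLE_INVENTORY = """dataset,confidentiality,integrity,availability,environment
public-press-releases,low,moderate,low,gov-cloud-A
benefit-case-files,moderate,moderate,low,gov-cloud-A
law-enforcement-records,high,moderate,moderate,gov-cloud-A
payroll-archive,moderate,high,moderate,gov-cloud-B
legacy-export,moderate,low,low,sandbox-unregistered
"""

# Constructed authorization levels for the environments (hypothetical names and levels).
AUTHORIZED_LEVELS = {"gov-cloud-A": Impact.MODERATE, "gov-cloud-B": Impact.HIGH}


def audit(text: str = SAMPLE_INVENTORY, authorized: dict[str, Impact] = AUTHORIZED_LEVELS) -> dict[str, dict]:
    """Run the full inventory -> categorize -> validate pass and return findings keyed by data set."""
    return check_placement(parse_inventory(text), authorized)


if __name__ == "__main__":
    for name, f in audit().items():
        print(f"{f['status']:20} {name:26} needs {f['required']:8} in {f['environment']} (authorized: {f['authorized']})")
```

In the sample, the public press releases come out moderate despite low confidentiality because their integrity rating is moderate, which is the high-water mark at work; the law enforcement records are flagged for removal from the moderate-authorized environment; and the legacy export lands in an environment nobody has recorded an authorization for, which in practice is the "wrong enclave" case the article raises later and deserves the same reporting-and-removal process.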

Depending on the requirements of the data, there are additional controls that mission owners may add in addition to what the cloud service provider has put in place. Not every security control always has to be applied, and some have optional requirements at different impact levels.

Mission owners may choose to add on those optional controls, which can sometimes make it more cumbersome for users to deal with and get access to certain kinds of data — but that may be precisely the point.

Cloud security is a shared responsibility between agencies and their cloud service providers. The provider secures the underlying infrastructure, but mission owners manage and maintain the portion of the cloud stack they control (in an infrastructure-as-a-service model, the operating systems, middleware, applications and data) and must do many of the tasks associated with cloud management, such as patching, locking down ports, removing unnecessary services and accounts, and encrypting data.

The different aspects of that shared responsibility need to be very clear between agencies and their cloud partners. How is the CSP preventing spillage between one cloud enclave and another? What happens if the data is in the wrong enclave? Is there a process for reporting this and removing the data?

At the end of the day, IT leaders need to ensure they are only putting data in the cloud if it can be appropriately secured. Security should not be an afterthought in the rush to migrate to the cloud.

This article is part of FedTech’s CapITal blog series. Please join the discussion on Twitter by using the #FedIT hashtag.


kanawatvector/Getty Images