What Kind of Data Is Going Into the Cloud?
The first step in this process is figuring out what data is in a cloud environment and where it is. IT leaders need to inventory their cloud environments to see how they are being used and how much and what kind of data is being put into them.
They then need to determine the classification level of the data and the security requirements for it. After that, they must then validate that the setup of the cloud environment is meeting or exceeding those security requirements.
Agencies can use a cloud security posture assessment to get an inventory for all their assets and instances in the cloud. Cloud security posture management tools provide ongoing monitoring as well as visibility and control to IT staff.
Finding the Right Level of Security for Data in the Cloud
As the General Services Administration notes, the levels of security impact (low, moderate and high) are based on the federal government’s requirements for the confidentiality, integrity and availability of the data being put in the cloud, per the Federal Information Processing Standards Publication 199: Standards for Security Categorization of Federal Information and Information Systems.
If the data requires a higher level of security than the cloud environment provides, then the data needs to be removed, because keeping the data in that environment represents a security risk. An agency should absolutely not be putting data into a cloud that doesn’t meet the security level the data requires.
An agency’s IT security division needs to work with mission areas to make sure they are following NIST frameworks for data security. This will help ensure the appropriate safeguards are put in place and, for Defense Department data, determine whether any Security Technical Implementation Guides need to be implemented. Agencies also need to determine the accreditation guidelines for the data and whether any ethical guidelines need to be adhered to.
While that is a lot to keep track of, all of this boils down to determining the impact level of the data and then finding the right cloud that meets that impact level.
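The determination described above, as an added example that is not part of the original article: a short Python check that collapses each dataset's FIPS 199 category to a single impact level using the high-water-mark rule (the highest of the confidentiality, integrity and availability impacts, as FIPS 200 applies it) and flags data sitting in an enclave that is not authorized for that level. The dataset names, enclave names and the authorization map are constructed for illustration; how an agency records enclave authorizations is an assumption.

```python
"""Added example, not from the article: flag datasets whose FIPS 199 impact
level exceeds what their cloud enclave is authorized for. Assumes the usual
high-water-mark rule (overall level = highest of C, I, A); all data is constructed."""
from dataclasses import dataclass

LEVELS = ("low", "moderate", "high")  # ordered so index() gives the rank


@dataclass(frozen=True)
class Dataset:
    name: str
    enclave: str
    confidentiality: str
    integrity: str
    availability: str


def overall_impact(ds: Dataset) -> str:
    """Collapse the three FIPS 199 objectives to one level (high-water mark)."""
    objectives = (ds.confidentiality, ds.integrity, ds.availability)
    for lvl in objectives:
        if lvl not in LEVELS:
            raise ValueError(f"{ds.name}: unknown impact level {lvl!r}")
    return max(objectives, key=LEVELS.index)


def misplaced_datasets(inventory, enclave_authorizations):
    """Return (name, required, authorized) for data the article says must be
    removed: its level exceeds the enclave's, or the enclave has no known
    authorization at all (treated as unauthorized for any level)."""
    findings = []
    for ds in inventory:
        required = overall_impact(ds)
        authorized = enclave_authorizations.get(ds.enclave)
        if authorized is None or LEVELS.index(required) > LEVELS.index(authorized):
            findings.append((ds.name, required, authorized))
    return findings


# Constructed sample inventory and enclave authorizations (hypothetical names).
SAMPLE_INVENTORY = [
    Dataset("public-press-releases", "enclave-low", "low", "low", "low"),
    Dataset("grant-applications", "enclave-moderate", "moderate", "moderate", "low"),
    Dataset("benefit-records", "enclave-moderate", "high", "moderate", "moderate"),
    Dataset("ops-telemetry", "enclave-unregistered", "low", "moderate", "low"),
]
SAMPLE_AUTHORIZATIONS = {"enclave-low": "low", "enclave-moderate": "moderate"}

if __name__ == "__main__":
    for name, required, authorized in misplaced_datasets(SAMPLE_INVENTORY, SAMPLE_AUTHORIZATIONS):
        print(f"REMOVE {name}: needs {required}, enclave authorized for {authorized}")
```

A posture-assessment export (asset, enclave, per-objective impact) can be fed in the same shape to produce the removal list the text calls for.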
Depending on the requirements of the data, there are additional controls that mission owners may add in addition to what the cloud service provider has put in place. Not every security control always has to be applied, and some have optional requirements at different impact levels.
Mission owners may choose to add on those optional controls, which can sometimes make it more cumbersome for users to deal with and get access to certain kinds of data — but that may be precisely the point.
Cloud security is a shared responsibility between agencies and their cloud service providers. Mission owners manage and maintain the cloud stack and must do many of the tasks associated with cloud management, such as patching, locking down ports, removing unnecessary command and controls, and encrypting data.
The different aspects of that shared responsibility need to be very clear between agencies and their cloud partners. How is the CSP preventing spillage between one cloud enclave and another? What happens if the data is in the wrong enclave? Is there a process for reporting this and removing the data?
At the end of the day, IT leaders need to ensure they are only putting data in the cloud if it can be appropriately secured. Security should not be an afterthought in the rush to migrate to the cloud.