Defending Against Insider and Evolving External Cyberthreats
The cloud migration pathway is rife with cybersecurity potholes. Regardless of whether these hazards stem from insiders or external threats, hitting any of them could prove costly for agencies that are trying to align with federal cloud requirements.
For example, while an agency’s employees are its strongest defense against cybersecurity threats, they can also be its weakest links. Many cloud migration vulnerabilities stem from simple human error, including misconfigurations that can lead to unrestricted inbound and outbound ports, application programming interfaces created without proper authentication, weak passwords, and other kinds of accidental or intentional insider risks.
Agencies face external threats as well. For instance, ransomware attacks against cloud services are increasing. Meanwhile, transferring inaccurate or incomplete data can cause data corruption and faulty results that can be catastrophic.
On top of it all, cyberattackers are getting more creative and adept at targeting data as it is transferred and stored in the cloud. In addition to traditional ransomware, there has been a rise both in highly evasive adaptive threat attacks, which target web browsers with malware, and in attacks on cloud infrastructure, as exemplified by Russia’s recent efforts to infiltrate cloud environments.
Combatting Cyberthreats at the Data Level
A well-rounded zero-trust strategy is key to mitigating these and other types of attacks and vulnerabilities. Content disarm and reconstruction (CDR) is a more reliable zero-trust option because it proactively addresses vulnerabilities at the data level.
The way CDR works is simple: Before files are migrated, the valid information contained within the files is extracted, and the original files are either completely discarded or stored. This is the disarm phase.
Extracted information is verified to ensure that it is well-structured and free of vulnerabilities. Finally, new files are built using the verified data. This is the reconstruction phase. Those vulnerability-free files are then securely migrated to their destination.
Most cybersecurity methods are based on detecting malicious activity, but CDR uses a preventative zero-trust approach. This assumes that no data is secure at any time, especially when in transit.
Files are intercepted and reconstructed in real time, delivering secure data without disrupting employee workflows. Rather than retroactively discovering threats after they’ve breached an agency’s perimeter, CDR prevents them from entering the perimeter altogether.
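The disarm, verify and reconstruct phases described above, shown on a ZIP-based document container as an added example (not code from this article or from any CDR product). It assumes that only well-formed XML parts are worth keeping; the allowlist, size limit, function names and sample archive are constructed for the illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

ALLOWED_SUFFIXES = (".xml", ".rels")  # assumption: only XML parts are kept
MAX_PART_BYTES = 1_000_000            # assumption: per-part size ceiling


def disarm_and_reconstruct(original: bytes):
    """Return (rebuilt_archive_bytes, dropped), where dropped maps name -> reason."""
    dropped, verified = {}, {}
    # Disarm: extract candidate parts from the untrusted container.
    with zipfile.ZipFile(io.BytesIO(original)) as src:
        for info in src.infolist():
            name = info.filename
            if name.startswith("/") or ".." in name.split("/"):
                dropped[name] = "unsafe path"
            elif not name.lower().endswith(ALLOWED_SUFFIXES):
                dropped[name] = "type not on allowlist"
            elif info.file_size > MAX_PART_BYTES:
                dropped[name] = "too large"
            else:
                raw = src.read(info)
                # Verify: refuse DTD/entity declarations, require well-formed XML.
                if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
                    dropped[name] = "DTD not allowed"
                    continue
                try:
                    verified[name] = ET.fromstring(raw)
                except ET.ParseError:
                    dropped[name] = "malformed XML"
    # Reconstruct: build a new archive from the parsed trees, never the original bytes.
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name, root in verified.items():
            dst.writestr(name, ET.tostring(root, encoding="utf-8"))
    return out.getvalue(), dropped


def build_sample() -> bytes:
    """Constructed input: a document-like ZIP with one benign and three unwanted parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<doc><p>Quarterly report</p></doc>")
        z.writestr("word/vbaProject.bin", b"\x00constructed macro blob")
        z.writestr("word/broken.xml", "<doc><p>unclosed</doc>")
        z.writestr("../outside.xml", "<x/>")
    return buf.getvalue()
```

The returned `dropped` map doubles as an audit record of what was removed and why, which is useful when the original file is stored rather than discarded.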
Other Cybersecurity Best Practices That Complement CDR
While CDR is a highly powerful tool in the fight against cybersecurity threats, it cannot and should not be the only weapon in agencies’ zero-trust arsenals. Organizations should consider employing other data security best practices to bolster their zero-trust approaches and ensure that their data is as protected as possible before it is shared.
Good cybersecurity starts with controlling data access and practicing the principle of least privilege. Every agency should have a clear data usage policy specifying guidelines and rules around who can access and use data, how it should be accessed, and when and why. With the principle of least privilege, new accounts have the fewest privileges to data and are granted additional access over time.
Adding other data-level layers of protection in addition to CDR is also a good idea. Cataloging data, learning how much of it is sensitive or critical to the organization, and applying controls to ensure that data complies with government cybersecurity regulations are critical best practices.
Agencies can then encrypt data by converting plain text into ciphertext, making it very difficult for unauthorized users to crack. For added protection, agencies may opt for pseudonymization, which replaces identifiable data with artificial identifiers or pseudonyms, such as replacing a user’s name with a token that signifies the user without revealing an identity.
Layering these strategies with CDR gives agencies a comprehensive cybersecurity approach that protects data at rest and in transit during cloud migrations. Their threat protection levels will be, in the words of the National Cybersecurity Strategy, “more intentional, more coordinated, and more well-resourced,” and they will be one step closer to a true zero-trust security posture.