Native American Tribal Governments Face Cloud Security Challenges

Native American Tribes Face Unique Security Concerns

Tribes may use cloud technology to preserve precious data, “archiving endangered first-language pronunciations and oral histories, before elders fluent in the language pass on,” says Christopher Freeze, assistant professor of cybersecurity for the University of Oklahoma Polytechnic Institute. “A breach of this data can represent a significant heritage loss.”

Beyond those cultural concerns, tribal cloud security comes with other special challenges.

Despite the resource constraints, “tribal governments essentially have as many services to deliver as a city: They’ve got healthcare, education, fire, police, citizen services,” says Tinklenberg, who serves as vice president of IT for Sycuan Casino in San Diego. He’s also a member of the Gaming and Hospitality Advisory Board for TribalHub.

Inadequate staffing means tribal IT teams are often running behind; for example, in their management of data in the cloud. “Tribes are maturing in that area, but they’re certainly not there yet,” Tinklenberg says.

Many tribal governments are securing casino-related data in the cloud, and that raises the threat level. For criminal actors eyeing tribal assets, “the first target would be extorting a casino, because they’re going to have deeper pockets,” says Mike Hamilton, former vice chair of the Department of Homeland Security’s State, Local, Tribal and Territorial Government Coordinating Council (SLTTGCC) for critical infrastructure protection.

At the same time, “casinos don’t really have access to the qualified cyber practitioners that a lot of other organizations do,” says Hamilton, who also chairs the Public Infrastructure Security Cyber Education System (PISCES) project, which provides no-cost cyber monitoring for government organizations. “The little casinos in rural Oklahoma, they do not have the means to attract and retain practitioners.”

Add to this the challenges inherent in securing an outdated IT infrastructure. “They’re often hanging on to legacy stuff — hardware and computers and things,” says John Pescatore, director of emerging security trends at the SANS Institute. Tribal governments now are looking to shed that burden with a pivot to the cloud.

As they do, they can tap a number of essential resources.

Tribal Governments Rely on Public Sector Resources

In looking to elevate their cloud security efforts, tribal governments can find support through the Tribal-ISAC community.

“The Tribal-ISAC is specifically geared toward the needs of tribes,” Tinklenberg says. Members share information on cybersecurity issues, tools and resources “to help make each tribe more secure and better equipped to handle cybersecurity incidents.”

In addition to daily emails, monthly meetings and tabletop exercises, “Tribal-ISAC is one of several sponsors of the TribalNet Conference. It draws 600-plus attendees from more than 200 tribes around the country,” he says.

GET CAUGHT UP: Review FedTech’s 2024 TribalNet coverage.

The event, which this year takes place Sept. 14-18 in Reno, Nev., includes a capture-the-flag exercise, “where we have red team and blue team groups going after each other,” Tinklenberg says. There’s also high-level, nontechnical guidance for leaders, including questions like: “How do you make sure that you have the right people at a tabletop exercise?”

In 2024, DHS made the first awards under the Tribal Cybersecurity Grant Program. Tribes can also apply for funds through the State and Local Cybersecurity Grant Program (SLCGP), and SANS offers discounted training to tribal organizations.

Cloud Service Providers Offer Tribal Cloud Security

Tribes can also take advantage of built-in tools offered by their cloud providers. The Choctaw Nation, for example, leverages Cisco CX Cloud for real-time visibility into security advisories, updates and critical bugs.

Built on the Microsoft Azure commercial platform, Government Community Cloud was designed to meet governments’ compliance and security requirements. Amazon Web Services offers secure access service edge, a cloud-based network security service that integrates Firewall as a Service, cloud access security broker, secure web gateway and other protections.

Experts says tribal IT should leverage such tools. When it comes to cyberdefense, Hamilton says, “if they’re provided by your cloud provider, that’s probably the best one to use, because the tools that they create for their own service are aligned with that service.”

RELATED: Review the top cybersecurity takeaways from TribalNet 2024.

“They’re using details that you can’t get from an open-source tool,” he says. “If Amazon created it for Amazon’s cloud, you should use that, because Amazon knows how their cloud works better than anyone else.”

With cloud, “there’s usually some big platform that’s going to drive the biggest core of the IT infrastructure,” Pescatore says, whether that’s AWS, Azure or another service. “Regardless of which one of those platforms you choose, there’s a good way to move to cloud from a security perspective, and a bad way.”

“The bad way is: Let’s do what we were doing in our old data center on our computers or on our PCs. Let’s do that in the cloud,” he continues. Without leveraging the built-in tools, “you’re losing the advantage of cloud — the opportunity to really save a lot of money and also to get an increase in security.”

Click the banner to keep up with FedTech as an Insider after TribalNet 2025.

Tribes Can Enforce Best Practices for Cybersecurity

A few key strategies can help tribal governments deliver more robust cybersecurity across their cloud resources.

First: Understand the tools. The cloud providers make a lot of cyber capabilities available, “but you may not necessarily even know that you have that tool at your disposal,” Tinklenberg says. “Do the research to take advantage of those tools, because they are important components.”

It’s important, too, to keep personal activity off tribal devices. “When I was the CISO of Seattle, we could prove that 40% of the compromises were due to the use of personal email” on city devices, Hamilton says.

“Have a policy that says all personal use will be on a personal device. Facebook lives on your phone, Gmail lives on your phone, and not on your tribal computer,” he says. “With that, you drive 40% of the problem off a cliff with just a policy change.”

Pescatore stresses the importance of working with the cloud provider to make the most of the resources available: “Going to the cloud really is an opportunity for smaller organizations to make big leaps in security, if you take advantage of what can be baked into the virtual infrastructure for eliminating the easy-to-stop things.”

To learn more about TribalNet, visit our conference page. You can also follow us on the social platform X at @FedTechMagazine to see behind-the-scenes moments.