Lack of budgets for cloud security initiatives slows down cloud adoption for government
In 2010-2011, the U.S. government issued two documents aimed at driving cloud adoption in state and local governments:
- The 2010 Cloud-First policy obliged government organizations that evaluate new IT deployment options to choose cloud-based solutions whenever a secure, reliable and cost-effective option exists.
- The later 2011 Federal Cloud Computing Strategy encouraged organizations to use the cloud to enhance service effectiveness, improve IT flexibility and reduce infrastructure costs. The Federal Cloud Computing Strategy also obliged organizations to ensure the security and proper management of government information to protect the privacy of citizens and national security.
However, the recent 2019 Netwrix Cloud Data Security Report discovered that, despite these initiatives, government organizations remain skeptical about cloud adoption. In fact, only 32% of them feel positive about implementing a Cloud-First strategy in 2019, which is 21% less than in 2018. Moreover, the number of public sector organizations that are ready to move their entire infrastructures to the cloud has also decreased, from 40% in 2018 to 20% in 2019. The major reason is the lack of resources that IT teams in government organizations receive to ensure cloud security, which makes data protection a challenging task for them and even drives 29% of organizations to uncloud for security reasons.
The key factors that make government organizations hesitate to move data to the cloud include:
- They store a lot of PII in the cloud and struggle to ensure its security.
The survey results show that the majority of government organizations (69%) store personally identifiable information (PII) of their employees in the cloud. Also, 62% store PII of citizens and 28% store payment data there. Unfortunately, not all organizations are able to ensure the security of this data. Over the last 12 months, 28% of government organizations had at least one security incident that involved sensitive data.
- They lack visibility into their data.
Government organizations that had security incidents in the cloud have two things in common: none of them classified all the data they stored in the cloud, and all of them stored all their sensitive data in the cloud. Even more disturbing, 59% of government organizations couldn’t determine who was to blame for security incidents, which means they have little visibility into their IT environments and cannot investigate incidents properly to ensure they won’t happen again.
- They lack resources for cloud security initiatives.
The majority of government organizations would like to implement various measures to strengthen data security in the cloud. Overall, 61% would like to encrypt data, 55% would like to improve data access management and 55% would like to monitor user activities around sensitive files. However, not all IT teams receive sufficient budget to support these initiatives: 92% say that they didn’t see any increase in cloud security budgets in 2019. The lucky 8% of government organizations that did receive a budget increase reported that it was quite substantial and averaged 80%. Also, overall, 50% of government organizations say they have no financial support when it comes to dealing with cloud security issues, which makes data protection extremely challenging.
As we see from the research, the key reason why government organizations are cautious about further cloud use is a lack of financial support, which results in the inability to implement adequate security measures for data protection. However, there are many ways to keep data under control and reduce security risks. You need to understand what data you have in the cloud and classify it according to its value and level of sensitivity. This approach will enable you to prioritize your cybersecurity efforts and choose appropriate controls within your budget (even if it is tight) to keep critical data safe.
Ilia Sotnikov is vice president of product management for Netwrix, a provider of information security and governance software.