Cloud security is key to cybersecurity resilience in state and local governments
The evolution of cloud technologies and the magnitude of what they are enabling in state and local government is immeasurable—from enabling first responders in the field, vaccine distribution and tracking, to remote learning and working. In fact, cloud technologies largely enabled government operations when the COVID pandemic hit.
As the old saying goes, along with great power will always be those seeking to exploit it. Cyberattacks are far from a new phenomenon, but cybercriminals are becoming more sophisticated and evolving attacks faster. In 2021, several high-profile ransomware attacks on state and local governments, healthcare organizations, and critical infrastructure paralyzed operations and threatened the safety of citizens and their information.
And now, industry experts are warning of the advent of killware—where operational technology (OT) “is not the objective of the attack, but the means. The actual objective of the attacker is to cause harm to humans by using killwarein an OT environment.”
As state and local governments continue their cloud modernization efforts at scale and across multiple cloud environments, they face even more complex cybersecurity and compliance challenges. To manage this complexity and ensure security, state and local organizations are looking for new approaches, such as secure Multicloud-as-a-Service (MCaaS).
Navigate and everchanging cloud security landscape
According to the 2020 Cybersecurity Insiders Cloud Security Report, 66 percent of organizations lack confidence in their cloud security posture. With recent high-profile and dangerous cyberattacks elevating cybersecurity from a technology issue to a national priority, the Biden administration’s Cybersecurity Executive Order is having a ripple effect across both the public and private sectors and is expected to bring changes to compliance requirements across the nation.
Securing the cloud is not as simple as buying cloud services from a vendor and assuming all the security needed is automatically included. Cloud vendors only secure the perimeter of cloud infrastructure—the physical layer—which is about 15 percent of the total security equation. The remaining 85 percent encompasses data, applications and workloads. This poses the biggest challenge as it involves designing, securing, and managing the environment to meet ever-changing security and compliance requirements while preventing cybersecurity attacks.
These challenges have been particularly acute during this long pandemic, which has exacerbated issues related to funding, IT human resources and the ability to ensure optimal levels of cybersecurity for an increasingly virtual state and local government workforce and enterprise.
To help ease the burden, state and local agencies are embracing the FedRAMP model to standardize security and compliance for cloud environments and cloud solutions.
StateRAMP, which announced its first group of authorized vendors in September 2021, is on track to become an essential bridge for secure modernization. Based on a “complete once, use many times” concept, StateRAMP stands to improve cybersecurity by transforming cloud solution procurement while reducing costs and complexity. It aims to standardize state and local governments’ approaches to security and risk assessment across cloud technologies.
However, the road to StateRAMP compliance is still under construction. It will be a rocky journey for states and their solutions providers that don’t carefully plan and craft their cloud modernization plans.
It is imperative to design for security and compliance by leveraging strong multicloud strategy and solutions from the outset. Cloud and security experts are needed to evaluate systems, data and assets to determine the appropriate level of protection. Building alignment between developers, security experts and agency stakeholders will help ensure a uniform understanding of operations and optimize and standardize security across them.
Leveraging secure multicloud-as-a-service
It is not uncommon for agencies to use multiple cloud providers to leverage best-of-breed cloud capabilities. For example, an agency might host its call center application on Amazon Web Services (AWS) and its Windows applications on Microsoft Azure. Or it might want to use an AWS data rationalization tool, with employment data translated by Google Cloud Platform (GCP) to identify potential fraud and then store that data in Azure.
While a multicloud approach takes advantage of the strengths of multiple vendors to optimize costs and performance, reduce downtime, leverage geographically dispersed clouds to meet data sovereignty requirements, and help avoid vendor lock-in – it presents many security challenges. Secure multicloud requires a new layer of expertise, management, and reporting from public sector IT teams.
Secure MCaaS can rewrite the cloud trajectory for agencies, no matter where they are in the cloud journey. It enables agencies to leverage highly skilled cloud, security, compliance and governance expertise and automated security and compliance solutions to help accelerate, secure and optimize cloud investments. This approach frees agencies to optimize internal resources and focus squarely on service delivery and mission priorities while entrusting the overwhelming majority of cloud operations and security to dedicated experts.
Secure MCaaS provides the necessary tools to comprehensively address cloud security across multiple technologies and help business owners and cybersecurity services craft the right plan for security at the outset.
For agencies at all levels, an integrated cloud cyber strategy also means being able to move more quickly to leverage automation, software-based analytics tools and capabilities using emerging technologies like AI and machine learning that improve daily operational efficiency, deliver mission and essential citizen services, and evolve cybersecurity posture from passive to active.
By leveraging “buy, not build,” agencies reduce their risk profile because the vendor is responsible for ensuring the environment is secure and resilient. This reduces the burden on in-house IT teams and speeds time to mission, enabling secure solution delivery in a fraction of the time it normally takes.
For state and local agencies, a comprehensive strategy across the multicloud modernization lifecycle—access, design, build, migrate, operate and innovate—and the solutions and resources to deliver on that strategy will optimize value and reduce risk and cost. The complexity of secure multicloud does not need to halt progress in its tracks for public sector organizations that plan carefully. The key is a fully baked multicloud strategy and MCaaS solutions that streamline and optimize planning, compliance, security and management.
Rick Rosenburg is the vice president and general manager of Rackspace Government Solutions at Rackspace Technology. He oversees services in support of government agencies and holds 35 years of leadership experience across companies that have supported the Federal government’s technology needs. Prior to Rackspace Technology, he held leadership roles at NTT Data Services, Seros, and Dell Services Federal Government.