Security is the primary focus of any government agency. One of the most obvious pitfalls of these agencies moving highly sensitive data to the cloud is that they surrender control to a third party. Moreover, nothing on the internet is truly secure, and all data is vulnerable to attacks and threats.

The exposure footprint to those threats is staggering under the best of circumstances. For example, the complexity of mobile devices poses a significant challenge when it comes to cloud security. In addition, data commonly flows from one cloud provider to the next and between national boundaries, which runs counter to the physical security measures every government agency should have in place.

Securing Government Data in the Cloud

A Cloud Security Alliance (CSA) survey found that many executives and IT managers have serious concerns about data security. According to the report, 73 percent of respondents indicated that these concerns were holding them back from adopting cloud computing. Additionally, 38 percent cited regulatory compliance as a major barrier to cloud adoption, and the same percentage of respondents expressed anxiety about the loss of control over IT services.

To help alleviate some of these concerns, the U.S. Department of Defense (DoD) released an unclassified document titled “Cloud Computing Security Requirements Guide (SRG)” that outlined essential components for secure cloud computing. The document is intended to simplify the security requirements for the DoD and cloud providers, who must attest, control, monitor and provide evidence of data separation.

This approach to cloud computing is based on “impact levels” that consolidate data records in accordance to their sensitivity. At the lowest level, nonsensitive, unclassified data, such as information available through the Freedom of Information Act or hosted on public-facing websites, can be stored in commercial clouds that meet the strict baseline standards under the Federal Risk and Authorization Management Program (FedRAMP), a system designed to protect cloud-based government data.

When the impact level is increased, the physical requirements for data security come into play. The rub is that once the data reaches a secret classification, a public cloud is not the right place. It must be on-premises or in private clouds that are not commercial but government owned.

Enclaves that transact sensitive data must also be a part of the security architecture. Personnel must be cleared by the government and restricted by tight physical access controls. These enclaves are physically separated within a data center that does not share hardware, applications or other resources the cloud provider would otherwise share with its tenants.

Physical Cloud Security

Most governments are risk averse when it comes cloud security and safeguarding highly confidential data within their networks. Some agencies air gap their computer systems, which physically separates a secured network from an unsecured one. Air-gapped systems can also be found in major financial institutions, stock exchanges and industrial control systems within nuclear power plants. These are all examples of physical security controls that prevent access from the outside world. However, they also complicate the transfer of data between unsecured and secured networks, requiring human intervention that is prone to errors.

Data diodes are common in environments. They provide a secure, one-way channel where data can pass in only one direction. This assures that secure data cannot be leaked back to the unsecured network. Data diodes are specialized, unidirectional devices that convert Transmission Control Protocol (TCP) connections to User Datagram Protocol (UDP). They then convert the connections back on the other side. This tells applications using the File Transfer Protocol (FTP) that a connection has been established, allowing users to transfer a file from the unsecured network to the secured one, but not in reverse.

The Road Ahead

The government sets regulations as a baseline, which is problematic because the security threat landscape constantly evolves. Government standards must be flexible to keep pace with emerging cyberthreats.

Major commercial cloud providers may not fully adhere to strict data security requirements. For example, identity and access management (IAM) in the cloud should be able to authenticate government users from one online location. In addition, the authentication credentials should seamlessly pass from one provider to the next.

Obviously, for the sake of national security, highly sensitive information will not be available in the cloud. Still, the overwhelming volume of attacks and threats across the globe takes a significant toll on the intelligence and military communities. This technology may provide a useful platform for intelligence sharing between nations with private, government-owned cloud storage solutions.

More from Cloud Security

Cloud Threat Landscape Report: AI-generated attacks low for the cloud

2 min read - For the last couple of years, a lot of attention has been placed on the evolutionary state of artificial intelligence (AI) technology and its impact on cybersecurity. In many industries, the risks associated with AI-generated attacks are still present and concerning, especially with the global average of data breach costs increasing by 10% from last year.However, according to the most recent Cloud Threat Landscape Report released by IBM’s X-Force team, the near-term threat of an AI-generated attack targeting cloud computing…

Cloud threat report: Possible trend in cloud credential “oversaturation”

3 min read - For years now, the dark web has built and maintained its own evolving economy, supported by the acquisition and sales of stolen data, user login credentials and business IP. But much like any market today, the dark web economy is subject to supply and demand.A recent X-Force Cloud Threat Landscape Report has shed light on this fact, revealing a new trend in the average prices for stolen cloud access credentials. Since 2022, there has been a steady decrease in market…

Autonomous security for cloud in AWS: Harnessing the power of AI for a secure future

3 min read - As the digital world evolves, businesses increasingly rely on cloud solutions to store data, run operations and manage applications. However, with this growth comes the challenge of ensuring that cloud environments remain secure and compliant with ever-changing regulations. This is where the idea of autonomous security for cloud (ASC) comes into play.Security and compliance aren't just technical buzzwords; they are crucial for businesses of all sizes. With data breaches and cyber threats on the rise, having systems that ensure your…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today