Security is the primary focus of any government agency. One of the most obvious pitfalls of these agencies moving highly sensitive data to the cloud is that they surrender control to a third party. Moreover, nothing on the internet is truly secure, and all data is vulnerable to attacks and threats.

The exposure footprint to those threats is staggering under the best of circumstances. For example, the complexity of mobile devices poses a significant challenge when it comes to cloud security. In addition, data commonly flows from one cloud provider to the next and between national boundaries, which runs counter to the physical security measures every government agency should have in place.

Securing Government Data in the Cloud

A Cloud Security Alliance (CSA) survey found that many executives and IT managers have serious concerns about data security. According to the report, 73 percent of respondents indicated that these concerns were holding them back from adopting cloud computing. Additionally, 38 percent cited regulatory compliance as a major barrier to cloud adoption, and the same percentage of respondents expressed anxiety about the loss of control over IT services.

To help alleviate some of these concerns, the U.S. Department of Defense (DoD) released an unclassified document titled “Cloud Computing Security Requirements Guide (SRG)” that outlined essential components for secure cloud computing. The document is intended to simplify the security requirements for the DoD and cloud providers, who must attest, control, monitor and provide evidence of data separation.

This approach to cloud computing is based on “impact levels” that consolidate data records in accordance to their sensitivity. At the lowest level, nonsensitive, unclassified data, such as information available through the Freedom of Information Act or hosted on public-facing websites, can be stored in commercial clouds that meet the strict baseline standards under the Federal Risk and Authorization Management Program (FedRAMP), a system designed to protect cloud-based government data.

When the impact level is increased, the physical requirements for data security come into play. The rub is that once the data reaches a secret classification, a public cloud is not the right place. It must be on-premises or in private clouds that are not commercial but government owned.

Enclaves that transact sensitive data must also be a part of the security architecture. Personnel must be cleared by the government and restricted by tight physical access controls. These enclaves are physically separated within a data center that does not share hardware, applications or other resources the cloud provider would otherwise share with its tenants.

Physical Cloud Security

Most governments are risk averse when it comes cloud security and safeguarding highly confidential data within their networks. Some agencies air gap their computer systems, which physically separates a secured network from an unsecured one. Air-gapped systems can also be found in major financial institutions, stock exchanges and industrial control systems within nuclear power plants. These are all examples of physical security controls that prevent access from the outside world. However, they also complicate the transfer of data between unsecured and secured networks, requiring human intervention that is prone to errors.

Data diodes are common in environments. They provide a secure, one-way channel where data can pass in only one direction. This assures that secure data cannot be leaked back to the unsecured network. Data diodes are specialized, unidirectional devices that convert Transmission Control Protocol (TCP) connections to User Datagram Protocol (UDP). They then convert the connections back on the other side. This tells applications using the File Transfer Protocol (FTP) that a connection has been established, allowing users to transfer a file from the unsecured network to the secured one, but not in reverse.

The Road Ahead

The government sets regulations as a baseline, which is problematic because the security threat landscape constantly evolves. Government standards must be flexible to keep pace with emerging cyberthreats.

Major commercial cloud providers may not fully adhere to strict data security requirements. For example, identity and access management (IAM) in the cloud should be able to authenticate government users from one online location. In addition, the authentication credentials should seamlessly pass from one provider to the next.

Obviously, for the sake of national security, highly sensitive information will not be available in the cloud. Still, the overwhelming volume of attacks and threats across the globe takes a significant toll on the intelligence and military communities. This technology may provide a useful platform for intelligence sharing between nations with private, government-owned cloud storage solutions.

More from Cloud Security

The Importance of Modern-Day Data Security Platforms

Data is the backbone of businesses and companies everywhere. Data can range from intellectual property to critical business plans to personal health information or even money itself. At the end of the day, businesses are looking to grow revenue, innovate, and operationalize but to do that, they must ensure that they leverage their data first because of how important and valuable it is to their organization. No matter the industry, the need to protect sensitive and personal data should be…

Cybersecurity in the Next-Generation Space Age, Pt. 4: New Space Future Development and Challenges

View Part 1, Introduction to New Space, Part 2, Cybersecurity Threats in New Space, and Part 3, Securing the New Space, in this series. After the previous three parts of this series, we ascertain that the technological evolution of New Space ventures expanded the threats that targeted the space system components. These threats could be countered by various cybersecurity measures. However, the New Space has brought about a significant shift in the industry. This wave of innovation is reshaping the future…

Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023

Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10. On the dark web — a veritable eBay for…

How Posture Management Prevents Catastrophic Cloud Breaches

We've all heard about catastrophic cloud breaches. But for every cyberattack reported in the news, many more may never reach the public eye. Perhaps worst of all, a large number of the offending vulnerabilities might have been avoided entirely through proper cloud configuration. Many big cloud security catastrophes often result from what appear to be tiny lapses. For example, the famous 2019 Capital One breach was traced to a misconfigured application firewall. Could a proper configuration have prevented that breach?…