Despite the success of the UK government’s G-Cloud initiative, questions about data security still remain. In 2016, UK government departments spent £78.1m on cloud computing services via the G-Cloud digital marketplace. US cloud providers made up the lion’s share of contracts. Total spending with Amazon Web Services (AWS) in the period April to December 2017 was £14m, while £16.86m was spent with Microsoft. Yet the government sector is hit by data breaches all too often. A 2015 breach of the data.gov.uk website, for example, saw a database of 68,216 user accounts exposed for nearly two years. Major breaches like this discourage further cloud adoption.
The presence of a high number of contracts with US cloud providers makes the cloud security picture faced by the UK public sector very similar to the US Following our own survey of government IT Pros in North America and Europe we have come up with the following recommendations.
Tip 1. Choose a provider with flexible and effective security controls
The Netwrix 2018 Cloud Security: In-Depth Report reveals that 94% government agencies keep sensitive data in the cloud. Yet 27% of respondents said security was worse since cloud adoption, while 32% said it was no different. For this reason the majority (58% of respondents) are using additional security controls to those offered by cloud providers. Departments need to pay more attention to security controls when choosing a provider. Find out as much about their data security measures as possible and select the one with the best vulnerability discovery and incident response tools.
Tip 2. Assess your risks and monitor user behaviour
By far the biggest security concern for government departments (81%) is the risk of unauthorised access. Malware is next (60%). IT security pros worldwide were taken by surprise by the Petya and WannaCry attacks in 2017. The harm the WannaCry attack caused to the NHS in particular is well documented. To reduce the chances of this happening again government departments need to perform risk assessments to identify their most sensitive data. User privileges should be changed so that only those whose job function requires it can access it (known as the principle of least privilege). As an extra safeguard user behaviour should be monitored to spot any unusual activity so that immediate action can be taken to fix any vulnerabilities that result.
Tip 3. Gain visibility over your entire IT infrastructure
It is easy to underestimate the insider threat. Only 27% of the surveyed government departments name their own employees as their biggest threat. The majority put external actors at the top of the list. Yet careless employees click on malicious links all the time, unwittingly introducing viruses, spyware or ransomware onto the network. The recent Verizon Data Breach Investigations Report found that the public sector is the most vulnerable to social attacks, mostly phishing. Only 29% of government departments surveyed have complete visibility over how employees use cloud services. To reduce the insider threat, 55% of the surveyed respondents plan to increase employee training to raise cybersecurity awareness. Another 43% plan to tighten security policies. However, it is not clear how security teams will be able to tell if this has been effective if their ability to monitor user activity doesn’t change. The only way is to gain visibility across the entire IT infrastructure. This allows you to see who is accessing sensitive data to know employees are taking the training on board and sticking to security best practices.
Tip 4. Upskill your IT staff
Last year the UK Government announced a “Cloud First” and “Cloud Native” approach in its cloud strategy, meaning that public sector organisations should consider potential cloud solutions first – before they consider any other option. Our survey shows this intention is in line with global trends. 74% of surveyed government departments plan to move more sensitive data to the cloud, and 34% are going to adopt cloud-first approach. We recommend that instead of rushing into the cloud use, UK government bodies first upskill their IT teams in security procedures for the cloud. No one wants a repeat of what happened with the Department of Homeland Security (DHS) in the US. The auditor’s report on the ransomware attack there found inadequate training of IT personnel led to multiple failures that contributed to the incident. Fortunately this incident was confined to an on-premises infrastructure. Just imagine what might have happened if the DHS had been 100% cloud-based. Hiring extra security professionals is not necessarily the answer. The good news is that 73% of respondents in our study say they have the backing of senior management in their efforts to improve security. Hopefully this will translate into a sharper focus on cloud security and appropriate budgets to support it.
In summary, the UK public sector appetite for cloud services looks set to increase in line with global trends. Gartner foresees double-digit growth in use of public cloud services worldwide, with spending going up by an average 17.1% per year through 2021. The increased use of cloud is not without its security challenges. However, they are not insurmountable. By following the four tips outlined above government departments can significantly enhance the cloud security know-how of personnel and equip them with the right tools to prevent data breaches occurring.