Driven by the need to collaborate across remote work environments, COVID-19 has sped up the adoption of cloud services by many government agencies. Yet, questions about security remain.
For a variety of reasons, government agencies often lag years behind their private sector counterparts in cloud adoption. A common talking point among program managers is that agency figures have previously been tentative about moving to the cloud because they don’t understand cybersecurity, are not cloud experts, and don’t want to have to deal with it themselves. Their trepidation may be well founded, however, as even private sector security leaders struggle with the intricacies of cloud migration. When surveyed, only 10% of CISOs reported that they fully understood the shared responsibility model, a common security framework used by cloud providers, while 82% have experienced security events due to confusion in the model.
But with cloud adoption taking on a new imperative, how comfortable an agency feels about that migration has become irrelevant. They must adjust and adapt. The question is, how can they do so securely and in a manageable way? Let’s take a look.
Assess cloud provider risk
When migrating to the cloud, government agencies must understand the risk associated with the vendors they come to rely on to enable their cloud journey. In the past, gaining visibility into these risks has been a challenge.
Before signing a contract, many agencies have traditionally relied on point-in-time security assessment practices that don’t account for evolving risk. These assessments also use a “one-size-fits-all” mentality that fails to consider the variances between different vendors. Security teams end up spending the same amount of time and money assessing every third-party vendor — using the same boilerplate questionnaires — no matter their size or risk potential. It’s a rigorous and lengthy process that can undercut cloud adoption.
But agencies can streamline their assessments and optimize the cloud vendor onboarding process by using BitSight for Third-Party Risk Management. Unlike cumbersome and cookie-cutter assessment practices that fail to scale to each third-party and only provide a snapshot, time-bound view of a cloud provider’s security posture, this solution offers immediate visibility into cyber risks within a potential vendor’s ecosystem. With these data-driven insights, agencies can reduce onboarding time and costs — and accelerate their cloud migration process.
Security teams can then keep tabs on the provider’s security posture through the life of the contract with daily alert-based monitoring of how a vendor’s security performance is changing over time.
Understand the attack surface
As agencies add cloud providers, the potential attack surface expands. Bad actors can take advantage by exploiting unmonitored or unknown Infrastructure-as-a-Service environments through common vulnerabilities, such as misconfigurations.
These hidden risks can make maintaining cloud security seem tremendously overwhelming. Without visibility into the inventory of deployed assets in their cloud ecosystems — as well as the risk associated with those assets — security teams may struggle to realize when a piece of software needs an update or runs a high risk of being breached. This places them under tremendous pressure because they lack a complete view of overall security performance and could expose their agencies to risk. Only with a complete view can teams strategically prioritize their remediation efforts and move their cybersecurity programs forward.
BitSight Attack Surface Analytics provides that visibility. Dashboard views show the location of all digital assets by cloud provider, geography, and business unit — and the corresponding cyber risk associated with each. With this insight, security teams can identify areas of excessive risk, discover where their agencies are most exposed, and prioritize remediation.
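The inventory gap described above is concrete enough to sketch in code. The following is an added example, not BitSight's product or any code from the original post: it runs a defender's attack surface review over a constructed asset list, flagging assets that were deployed but never approved (shadow IT), common misconfigurations (public storage, unencrypted data at rest, administrative ports open to the internet, a patch level below baseline), and then groups the findings by provider, geography and business unit the way a dashboard would. The asset records, the approved-asset registry, the port list and the version baseline are all assumptions made for illustration.

```python
"""Inventory-driven attack surface review over a constructed cloud asset list.

Added example (not BitSight's code). Every asset record, the approved-asset
registry, ADMIN_PORTS and MIN_OS_VERSION are constructed assumptions.
"""
from collections import Counter
import ipaddress

# Constructed inventory: what the cloud provider APIs report as deployed.
INVENTORY = [
    {"id": "bucket-public-docs", "type": "storage", "provider": "aws", "geo": "us-east-1",
     "unit": "records", "public_read": True, "encrypted": True},
    {"id": "vm-web-01", "type": "compute", "provider": "aws", "geo": "us-east-1",
     "unit": "web", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}], "os_version": "2023.4"},
    {"id": "vm-jump-eu", "type": "compute", "provider": "azure", "geo": "westeurope",
     "unit": "ops", "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}], "os_version": "2021.1"},
    {"id": "db-legacy", "type": "database", "provider": "gcp", "geo": "us-central1",
     "unit": "finance", "public_read": False, "encrypted": False},
]

# Constructed registry: assets the agency knowingly approved. Anything deployed
# but absent here is unknown to the security team, i.e. shadow IT.
APPROVED_IDS = {"bucket-public-docs", "vm-web-01", "db-legacy"}

ADMIN_PORTS = {22, 3389, 5985, 5986}   # assumed set of administrative ports
MIN_OS_VERSION = (2023, 1)             # assumed patch baseline (major, minor)


def _is_world_open(cidr):
    """True when the CIDR covers the whole address space (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def find_shadow_assets(inventory, approved_ids):
    """Deployed asset ids that no one registered as approved."""
    return sorted(a["id"] for a in inventory if a["id"] not in approved_ids)


def find_misconfigurations(inventory):
    """Return (asset_id, description) pairs for each failed check, in inventory order."""
    findings = []
    for a in inventory:
        if a.get("public_read"):
            findings.append((a["id"], "public-read storage"))
        if a.get("encrypted") is False:
            findings.append((a["id"], "unencrypted at rest"))
        for rule in a.get("ingress", []):
            if rule["port"] in ADMIN_PORTS and _is_world_open(rule["cidr"]):
                findings.append((a["id"], f"admin port {rule['port']} open to the internet"))
        ver = a.get("os_version")
        if ver and tuple(int(x) for x in ver.split(".")) < MIN_OS_VERSION:
            findings.append((a["id"], f"os_version {ver} below baseline"))
    return findings


def risk_by(inventory, findings, key):
    """Count findings per value of an asset attribute (provider, geo or unit)."""
    by_id = {a["id"]: a for a in inventory}
    return Counter(by_id[aid][key] for aid, _ in findings)


if __name__ == "__main__":
    shadow = find_shadow_assets(INVENTORY, APPROVED_IDS)
    findings = find_misconfigurations(INVENTORY)
    print("Unapproved (shadow) assets:", shadow)
    for asset_id, desc in findings:
        print(f"  {asset_id}: {desc}")
    for key in ("provider", "geo", "unit"):
        print(f"Findings by {key}:", dict(risk_by(INVENTORY, findings, key)))
```

The point of keeping the approved registry separate from the live inventory is that the difference between the two is the shadow IT the section warns about; the misconfiguration checks only make sense once every deployed asset is actually in the list being checked.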
Reaching a comfort level with cloud security
As agencies move towards cloud-based solutions, assessing and continuously monitoring the performance of cloud service providers and understanding the expanded attack surface will continue to be an important aspect of security performance management. These efforts, coupled with new plans from the Office of Management and Budget (OMB) to standardize language around security liability in all government cloud contracts, can help alleviate a thorny sticking point for agencies — empowering them to transition to the cloud in a secure and manageable way.