Government reps call for cloud providers to reveal vulnerabilities

As the federal government increasingly moves to adopt cloud computing solutions in many of its agencies, security concerns are inevitably rising to the forefront. While government leaders are eager to take advantage of the cloud's myriad benefits – including cost savings, greater efficiency and improved information access – there is a widespread and understandable focus on how to ensure that sensitive data remains protected in these environments.

Writing for InformationWeek, the (ISC)2 Writers Bureau recently tackled this issue, arguing that in order to better secure their assets when leveraging the cloud, federal agencies should demand that cloud services providers report any vulnerabilities they discover.

Improved awareness
The writers noted that in order for government agencies to utilize the cloud, they must inherently trust the service providers to protect their data. This can be problematic, because most of these vendors do not tailor their offerings for specific clients. Instead, they offer a one-size-fits-all option, which does not take into account the unique requirements of specific departments.

"As a result, government agencies must ultimately accept responsibility for ensuring that cloud providers offer the appropriate amount of protection to manage risk," the writers explained. "It also requires agencies to directly address some fundamental questions regarding risk."

While there are a number of resources in place that can help agencies identify cybersecurity threats, including information from NIST, there is no equivalent for cloud computing. The writers noted that there are limits to how effectively a given agency can scan its cloud network to identify potential risks.

To combat this issue, the writers encouraged government agencies to band together and demand that cloud services providers immediately disclose any vulnerabilities they discover.

"Agencies should ensure that sharing vulnerability information is addressed in the procurement review process and contractual agreements with cloud service providers. Additionally, organizations can take active steps to form collaborative groups of cloud service provider customers to express a common voice and common concern," the writers asserted.

Additional security considerations
In addition to increasing awareness in this way, government agencies should also take active steps to improve the security of their cloud solutions. A critical component of such efforts is training. Beyond technical issues, human error is among the leading causes of data breaches. Considering how new cloud solutions are, a lack of familiarity with the technology can make such inadvertent breaches more likely. By ensuring that all relevant personnel receive training and education, though, government agencies can significantly cut down on the chances of such a mistake occurring.

Furthermore, agencies may need to consider partnering with third-party solutions providers to maintain and protect their cloud environments. Outsourcing security to these external organizations can significantly improve the reliability of cloud solutions without overwhelming budgets. As the writers noted, the responsibility for protecting sensitive data will always belong to the government agency itself, but third-party IT services providers can serve as a valuable ally in this effort.