Federal agencies face scrutiny from all sides. Auditors, regulators, Congress and even private citizens place pressure on departments to comply with the latest security standards. In this era of uncertainty, agencies are often reluctant to modernize their IT infrastructure, failing to achieve the cost savings and security automation that virtualization and cloud enable. Worse, each innovation can lead to a data breach, compromising personal data, national security or both, in addition to financial losses. Given the risks, it’s no wonder that government organizations still hesitate to move to the cloud seven years out from the Obama administration’s 2010 “cloud first” mandate.
Changing Threats to Data Protection
Often, pushes for IT modernization occur during times of heightened scrutiny due to data breaches in the public sector. For example, a recent major breach involved the physical theft of a flash drive from Washington State University containing the personal information of one million survey participants. Previous incidents include the Office of Personnel Management’s (OPM) loss of 21.5 million federal employee Social Security Numbers in 2014. The breach led to House Resolution 1770, the Data Security and Breach Notification bill, which aimed to improve both cybersecurity policy and incident alert practices. In this environment of changing standards and threats, federal IT practices must move from reactive to proactive.
Clearly, the issue of data security is nothing new in government. However, most existing strategies focus on preventing external threats, while a significant portion of data breaches occur internally. According to a report from Intel, 43 percent of disclosures are the result of employee actions – half accidental, half intentional. That leaves federal agencies with a one in five chance that an individual will knowingly cause a data breach.
Traditional threat-based security controls focus on stopping the outside threats but do not enforce security policies inside organizations. In the OPM example, the movement of information from databases to external websites should have triggered a red flag. However, the actors obtained valid credentials, allowing the breach to continue unnoticed for over a year. When hackers can misuse the credentials of high-level employees and employees can intentionally subvert security policies, a new breed of software is needed.
Enter automated security-policy software. These solutions continuously enforce user policies in real time by restricting authentication and authorization. In short, agencies can automate good behavior on their networks and limit the human element. Digital enforcement also allows companies to generate reports on compliance levels, reducing the amount of time required for audits. These practices are not only more efficient than traditional audits, but more effective as well. Bad behavior that’s hidden from auditors is still bad behavior.
A More Secure Cloud
Data breaches won’t go away overnight. As the government moves toward cloud platforms, some agencies believe these innovations will sacrifice control over their data. Automated security policy-enforcement platforms offer the best path forward to maintain protection without reducing accessibility or usability. Any solution must address both outside and inside threats to data security. With the human element in check, departments can dedicate themselves to innovation without a loss of control, the fear of financial losses and data breaches, allowing the cloud to finally come first.