5 Steps to Protecting Government Data Repositories in the Cloud


COMMENTARY | From ransomware to exfiltration, cybersecurity attacks are targeting sensitive government data. Here’s a reliable approach to protecting mission-critical information.

Government organizations are storing, accessing and sharing more of their data in the cloud. Cloud-computing contracts were expected to grow by $500 million year over year to reach $6.6 billion in fiscal 2020, and then increase to $8.5 billion by fiscal 2023, according to Bloomberg Government. The cloud gives agencies the flexibility, for example, to allow employees to work remotely.

At the same time, cybersecurity attacks against government organizations and critical infrastructure are proliferating. Ransomware attacks, like the recent Kaseya and Colonial Pipeline breaches, have been dominating the media headlines. But breaches that could result in data exfiltration—such as the exposure of data on 191 million voters in 2015, the Office of Personnel Management hack, or the breach of the Department of Energy in 2020—are the bigger and longer-standing problem. While a ransomware attack can net tens of millions of dollars for cybercriminals, theft of personally identifiable information or government research data could potentially be worth hundreds of millions or even billions of dollars.

Organizations repel literally millions of attempted digital intrusions every month, and there’s always a danger some attacks will succeed. But to minimize their cybersecurity risk, organizations should take these practical, achievable steps:

1. Embrace a zero-trust mindset.

President Joe Biden’s May 12 Executive Order on Improving the Nation’s Cybersecurity states that the federal government must “adopt security best practices” and “advance toward Zero Trust Architecture.” Zero trust replaces implicit assumptions about who is trusted with explicit decisions made every time a user or system attempts to access data.

Zero trust starts with the concept of “least privilege”: Permit entities to access only the data they need. It then applies multifactor authentication to ensure that only authenticated and authorized entities can access data. MFA requires two or more factors to establish identity, combining something users know, like a password, and something they have, like a smartphone app, or something they are, like a fingerprint. In fact, MFA can potentially block up to 99.9% of account hacks.

2. Identify and segment your most sensitive data.

Next, analyze all your data to identify which information is most vulnerable. Data repositories might be considered sensitive because they contain PII or high-value research and development data, or because they need to be accessed or shared regularly by a wide range of employees, contractors or other organizations.

Then consider whether you can segment sensitive repositories from less mission-critical stores. The Department of Defense and the intelligence community have been highly effective at segmenting “low,” non-classified networks from “high,” classified networks. Other organizations should consider a similar approach. Such separation can prevent ransomware, for instance, from spreading from low-value repositories to your most sensitive data troves.

3. Adopt the latest cross-domain safeguards.

Organizations routinely deploy antivirus and firewall protections. They’re clearly necessary—but not wholly sufficient. What’s needed are cross-domain solutions (CDS) that provide a higher level of data protection—especially in collaborative environments where data needs to move between networks of different sensitivity levels. 

CDS act as zero-trust gateways between segmented networks. They can automate the safe movement of data between networks to remove human error and prevent data spillover from one network to another. They differ from firewalls since they can perform deep data inspection and validation. Only authorized data that complies with the data transfer policies can be passed. They can be combined with data diodes to ensure one-way data flow in situations where you want to restrict the movement of data to only one direction.

4. Leverage content-threat removal to filter out hidden malware.

Organizations access, store and share digital content such as Microsoft Word documents, Adobe Acrobat PDF files and JPEG images in their daily operations. Cybercriminals can conceal malicious code within these files, bypassing traditional detection-based defenses such as antivirus and firewalls. The embedded malware can then take actions such as launching ransomware attacks.

Content disarm and reconstruction (CDR), or threat removal technology, can remove malicious code to make your content files 100% malware-free. It works by extracting the valid business content from the original document and using it to create a new file. It then discards the original document and transmits the new, clean file, all at speed, so it doesn’t slow productivity. In short, content threat removal extends the zero-trust approach to documents and files. This technology is also used within CDS gateways to provide a comprehensive zero-trust gateway.
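The validate-then-rebuild idea behind steps 3 and 4, reduced to a structured record crossing a gateway, as an added example that is not from the article or any CDS or CDR product. The field names, the patterns in `POLICY` and the sample records are assumptions made for illustration.

```python
import json
import re

class TransferRejected(Exception):
    """The record does not comply with the transfer policy."""

# Hypothetical policy: the only fields allowed across, each with a strict pattern.
POLICY = {
    "case_id": re.compile(r"[A-Z]{2}-\d{6}"),
    "status": re.compile(r"open|closed|pending"),
    "summary": re.compile(r"[\w .,;:()'-]{1,200}"),
}

def rebuild(raw: bytes) -> bytes:
    """Validate an inbound record and return a newly built copy of it."""
    try:
        doc = json.loads(raw.decode("utf-8"))
    except (ValueError, RecursionError) as exc:  # bad UTF-8, bad JSON, deep nesting
        raise TransferRejected("not well-formed UTF-8 JSON") from exc
    if not isinstance(doc, dict):
        raise TransferRejected("top level must be an object")
    clean = {}
    for field, pattern in POLICY.items():
        value = doc.get(field)
        if not isinstance(value, str) or not pattern.fullmatch(value):
            raise TransferRejected(f"field {field!r} fails policy")
        clean[field] = value
    # Fields outside the policy are never copied, and the original bytes are
    # discarded: only this fresh serialisation leaves the gateway.
    return json.dumps(clean, sort_keys=True, separators=(",", ":")).encode("ascii")

# Constructed sample inputs (not real data).
GOOD = (b'{"case_id": "TX-004211", "status": "open", '
        b'"summary": "Permit renewal, second notice", '
        b'"attachment": "AAAA-opaque-embedded-object"}')
BAD = b'{"case_id": "TX-004211", "status": "escalate", "summary": "x"}'

if __name__ == "__main__":
    print(rebuild(GOOD))
    try:
        rebuild(BAD)
    except TransferRejected as err:
        print("rejected:", err)
```

The output never contains bytes copied from the input, so anything the policy does not describe, such as the `attachment` field here, cannot ride along.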

5. Apply behavioral analytics to establish user risk scores for continuous monitoring.

Finally, consider implementing continuous user activity monitoring technology to understand, on an ongoing basis, how entities are accessing your data. You can then assign each user a risk score based on their usual behaviors. If a user’s risk score is typically 35 and suddenly jumps to 50, you know the user is accessing more sensitive data or behaving in a riskier manner, and there could be a problem.

By establishing a baseline of normal behavior, you can instantly and automatically recognize anomalous activities that could indicate a threat. For example, if someone stole your credentials, they would likely use those credentials in ways that differ from your usual practices, and behavioral analytics would recognize that in real time. Or if an external supplier suddenly started accessing your HR systems, you could detect and block the activity, again at the moment the risk emerges. This is no different from what credit card companies do to prevent credit card misuse or fraud.
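A small baseline-and-deviation check for step 5, as an added example that is not from the article or any monitoring product. The scoring model (summed sensitivity weights per day), the thresholds and the sample access history are assumptions, chosen so the constructed user sits at the 35 baseline and jumps to 50.

```python
from statistics import mean, pstdev

# Assumed sensitivity weights per resource; unknown resources score high.
WEIGHTS = {"wiki": 5, "tickets": 10, "finance": 20, "hr": 15}
UNKNOWN_WEIGHT = 25

def day_score(resources):
    """Risk score for one day: sum of the weights of every access made."""
    return sum(WEIGHTS.get(r, UNKNOWN_WEIGHT) for r in resources)

def assess(history, today, k=3.0, min_jump=10, min_days=5):
    """Compare today's accesses with the user's own baseline.

    history: list of past days, each a list of resources accessed.
    Returns (score, reasons); an empty reasons list means nothing anomalous.
    """
    score = day_score(today)
    if len(history) < min_days:
        return score, ["no baseline yet"]  # too little data to judge a jump
    past = [day_score(d) for d in history]
    base, spread = mean(past), pstdev(past)
    reasons = []
    # Flag a jump that is large both in absolute terms and relative to the
    # user's normal day-to-day variation.
    if score - base >= max(min_jump, k * spread):
        reasons.append(f"score {score} against baseline {base:.0f}")
    seen = {r for d in history for r in d}
    new = sorted(set(today) - seen)
    if new:
        reasons.append("first access to " + ", ".join(new))
    return score, reasons

# Constructed sample: five ordinary days (scores 35, 35, 30, 40, 35).
HISTORY = [
    ["wiki", "tickets", "finance"],
    ["wiki", "tickets", "finance"],
    ["tickets", "finance"],
    ["wiki", "wiki", "tickets", "finance"],
    ["wiki", "tickets", "finance"],
]
NORMAL_DAY = ["wiki", "tickets", "finance"]
ODD_DAY = ["wiki", "tickets", "finance", "hr"]  # supplier reaches into HR

if __name__ == "__main__":
    print(assess(HISTORY, NORMAL_DAY))
    print(assess(HISTORY, ODD_DAY))
```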

Government organizations will continue to move data repositories to the cloud. Cybercriminals will continue their efforts to tamper with that data. But by following these five steps, agencies can make tangible progress in reducing vulnerabilities and hardening defenses. Ultimately, they can more effectively protect sensitive information while allowing their people to use those resources to advance agency missions.
