5 Best Practices to Follow when Securing Government Cloud Workloads

GDIT Tech Talks’ four-part cybersecurity series consists of dialogs between cyber experts on some of today’s most pressing IT security issues. Cybersecurity in the government cloud was just one recent conversation between Melina Scotto, GDIT’s Federal Health Chief Information Security Officer, and Ravi Raghava, Chief Cloud Strategist for GDIT's Federal Civilian Division.

Security is a paramount concern for every government organization seeking to migrate their data or infrastructure into the cloud. Whether you’re looking to move to the cloud or you’re already there, the five best practices they shared for securing the cloud are a must.

1. Assess security controls

FedRAMP is an authorization process through which the U.S. federal government provides a seal of approval to cloud service providers who comply with a stringent set of cloud security best practices. The program was first rolled out in a December 2011 memorandum from the Office of Management and Budget (OMB). All federal executive offices, departments, and agencies must use a FedRAMP-compliant vendor when storing federal data in the cloud.

System owner and hybrid controls should be well-documented and tested. In order to work with a cloud service provider, federal agencies must implement the cloud service provider’s (CSP) security plan and receive authorization to operate in the CSP’s environment. Achieving this ATO (Authority to Operate) may take between several months to a year, depending on the complexity of the environment and the FIPS-199 level of the data.

2. Encryption at rest

Cloud data must be encrypted both in transit (moving between the customer and the cloud) and at rest (in persistent storage) and in use (compute). Encryption at rest safeguards your sensitive data stored on the cloud, protecting you in the event of a data breach. System owners and engineers must configure the encryption to meet federal requirements for FIPS-199 Moderate and High data.

Storage as a service offerings from public cloud providers such as Azure, AWS, and Google all include the capability to encrypt your data at rest. Enabling encryption at rest is as simple as checking a box to turn it on. Depending on the provider, the cost of encryption at rest may be included or supplementary.

3. Monitoring and scanning

FedRAMP requires cloud service providers to perform continuous monitoring (ConMon) in order to detect threats and vulnerabilities in the environment. This requirement has not changed from on-premise systems, which also require monitoring and scanning.

However, the tools and techniques for monitoring and scanning do vary between the cloud and on-premises. The defenses available to protect your cloud environment include:

• Web application firewalls (WAFs): Web application firewalls monitor, filter, and block the HTTP traffic to and from a website or web application. In so doing, WAFs impede the flow of potentially harmful traffic that may be hunting for vulnerabilities in your environment.
• Logging: Logging software is a crucial best practice for cloud IT security: it records events and transactions in your environment, including possible red flags. Security administrators can use these logs to reconstruct events and identify attempted intrusions.
• Incident management: When unexpected events disrupt your operations, incident management helps keep your business up and running while the response team finds and fixes the root cause.
• Antivirus software: Antivirus and antimalware software scans your files and data at regular intervals, detecting threats such as spyware, ransomware, and Trojan horses.
• Penetration testing: Penetration testing simulates a cyber attack on your cloud environment in order to uncover and fix security flaws.
• Auditing: Comprehensive security audits provide the peace of mind that your choice of cloud service provider has the appropriate controls to safeguard your environment.

4. Metering and alerting

Your cloud management console is an attack vector of its own. Malicious actors who can access your management console or hypervisor can spin up hundreds or thousands of cloud servers for their own nefarious purposes, all on the federal dime.

To prevent this abuse of your compute resources, construct meaningful metering and alerting systems that will detect and inform you of suspicious activity early. Multi-factor authentication (MFA) also helps block unauthorized users by requiring multiple methods of verifying your identity.

Using metering and alerting is invaluable—not just for security, but also to control expenses and prevent accidental overuse of cloud resources. An estimated $14.1 billion in cloud spending will be wasted this year due to idle resources and overprovisioning. The benefit of the cloud is that you can adjust usage up and down as needed automatically, giving you flexibility and scalability.

5. Evaluating vendors carefully

Many cloud vendors will tell you they are FedRAMP ready or just shy of authorization, while the reality is altogether different. Finding the right vendor for the government cloud will require you to cut through the sales language and evaluate their true state of readiness.

The FedRAMP Ready designation indicates that a cloud service provider has been deemed ready for FedRAMP authorization by an accredited third-party assessment organization (3PAO). This 3PAO evaluates the provider and completes a readiness assessment. If successful, the provider earns the title of FedRAMP Ready and can move to the next step of FedRAMP authorization.

Be wary of vendors who claim that they are ready for the cloud. Perform your due diligence, and assume the attitude of “trust, but verify.” Always make sure that your choice of government cloud vendor is as ready to work with you as you are with them.

For more valuable insights on cybersecurity, listen to GDIT’s Tech Talks Cybersecurity Series.