Agencies That Bought Cloud Services in Response to COVID-19 Need to Review Security Duties, Officials Say


Officials should ensure the security roles of the agency and vendor are clearly spelled out. 

Federal agencies that rushed into cloud services to allow telework during the novel coronavirus pandemic should ensure they know who bears the security burden, key federal officials said. 

“We want to ensure that in these quick migrations that we’ve done, that we fully understand both the positives as well as some of the assumptions we’ve made about our security,” said Matthew Scholl, chief of the Computer Security Division in the Information Technology Laboratory at the National Institute of Standards and Technology.

Scholl spoke along with Cybersecurity and Infrastructure Security Agency Deputy Associate Director Michael Duffy during a webinar on cloud adoption and security in a virtual work environment, which the law firm Venable hosted Thursday.

The Trump administration has been pushing federal agencies to move operations to the cloud for years, in part to reap cybersecurity benefits. Some agencies made quick acquisitions in response to the pandemic, though the officials warn security could be compromised a number of ways if contracts with vendors aren’t appropriately derived and managed.

“We’ve been saying for a long time that cloud adoption is the future,” Duffy said. “This is really the first time that everyone is sprinting in the same direction to really make a big change when it comes to cloud adoption.” 

Scholl and Duffy both stressed the need to stay continually engaged with the cloud service provider, with Scholl noting “cloud migration is not a set it and forget it.”

Overall, whether the cloud provider is FedRAMP-certified or locally authorized, Scholl said there can be “misunderstandings” about whether the vendor or customer is responsible for certain security protocols.

“Even if you’ve done a flash migration, follow up,” he said. “Sit down with your providers to make sure you fully understand where those breakpoints are, what those hybrid parts are, what those shared responsibilities are, and who’s doing what. Things you would have assumed were common controls you naturally inherited may not be the case anymore.”

Scholl said agency customers should specifically examine their identity management and access controls, trust algorithms and connections, and cryptographic key management.

“Now that you’ve potentially pushed out to user end-points through [virtual private networks], what are your [data loss prevention] settings?” he said, noting it’s especially important to check if these still work in the cloud environment if agencies are allowing workers to use their personal devices.

Scholl also noted some of the benefits of moving to the cloud, including “wonderful opportunities” for network isolation and segmentation through virtualization. 

He encouraged agencies to implement “zero trust architecture concepts” that would have had a much higher overhead if they had to be done physically. 

And “as we look to...a [fifth-generation networking] future,” Scholl said, “[a] distributed end-point connection environment looks to be more of the future of what we’re going to be doing, rather than a revision back to a perimeter defense.”