How Federal Agencies Can Be More Proactive About Cloud Security


For starters, agencies need a deep understanding of user behavior.

Two years have passed since President Trump’s executive order on “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” which puts cloud computing initiatives at the top of agency to-do lists by mandating procurement preferences for shared IT services. 

But prioritizing cloud adoption is one thing. Prioritizing cloud security is another.

Recently, Ponemon, in conjunction with Forcepoint, surveyed over 600 IT and IT security practitioners, including cloud administrators representing federal agencies, departments, and enterprise organizations. The survey showed that the majority of users indirectly raise cloud security risks by violating established policies, while agencies are behind in determining what information is too sensitive to be stored in the cloud. 

Federal agencies must prioritize the cloud without compromising security. That can only happen with a deep understanding of user behavior—which can only be obtained through full visibility into the cloud services that are being used on agencies’ networks.

You Can’t Secure What You Can’t See

One reason cloud security remains a significant challenge is because shadow IT is proliferating rapidly. Disparate teams within agencies are using a plethora of apps, many unsanctioned or even unknown by IT, in a bid to improve their own productivity—but without necessarily considering security costs to the organization. Regardless of what are likely good intentions, they are unknowingly putting their agencies at risk.

File-sharing apps are a particular blind spot. Far too often, users share sensitive data outside the organization via public links. Indeed, 59% of the survey respondents said users violate policies about where digital assets can reside. Worse, far too often, IT is unaware of which apps are being used (and how) in the first place.  They do this to increase productivity; however, an unfortunate byproduct of those actions is the increase in risk to the agency.

BYOD snowballs this problem. When users access cloud services from their personal devices, their activity is completely invisible to traditional IT systems. This may help explain why only 40% of survey respondents said their agencies are proactive in assessing information that is too sensitive to be stored in the cloud. Meanwhile, only half said their agency evaluates the impact cloud services may have on the ability to protect and secure confidential or sensitive information. The key takeaway? You can’t secure what you can’t see or know about.

Understanding Users Means Improving Security

The first step to proactive cloud security is knowing the details of who is accessing cloud apps and data. Only with this achieved can agencies begin to assess the risks associated with various user activities and quickly spot anomalies. Agencies must have real-time analytics on who is accessing sensitive and confidential assets and from where in order to prevent data exfiltration or access with automated policies. 

Additionally, full cloud visibility should incorporate a baseline understanding of normal, safe behavior. Behavioral analytics can provide prioritized alerts for anomalous activities, particularly for high-value targets like cloud administrators.

The Cloud Security Shortcut (and Silver Lining)

One way agencies can adopt a more proactive approach to cloud security is through a cloud access security broker, or CASB. These brokers leverage the functionality of traditional security controls and methods, applying them to cloud architecture, on-premises architecture or both. CASBs are a cloud security shortcut in the sense that they can secure any app in use in the IT environment. Many offer behavioral analytics and real-time monitoring for all applications, from the ever-popular Office 365 to custom-made tools, and allow IT to set policy in one fell swoop—a policy that removes all sharing links for sensitive data, for instance, or denies access to people outside the organization. CASBs are not enough, native integration with a dynamic data protection capability is required to understand the flow of the data as it transits from on-premises infrastructure to the cloud and back.

Shedding Light on the Shadows

While the survey contains some concerning data points about the cloud security posture of federal agencies, there’s also a concerted effort to discover those security gaps. The fact that federal agencies are aware of increasingly risky user behavior and are beginning to rely on CASBs shows cloud security is on their radar.

But agencies can’t afford to sit back. They need to shed light on the shadows and put security at the forefront of the march toward cloud adoption. Procurement of cloud services must be accompanied by a robust and proactive security posture—and a critical part of that posture is understanding the data and how users interact with it. Lately, senior government leaders have been speaking about “Cloud Smart” instead of “Cloud First,” and it’s time we get smart about protecting our data in the cloud.

Eric Trexler is vice president of global governments and critical infrastructure at Forcepoint.