Survey: Most Federal Officials Expect Cloud Service Providers to Secure Their Data

U.S. federal agencies are leading global counterparts and private sector entities in digital transformation, but their use of cloud services and connected devices brings risks they’re not appropriately adjusting to, according to an annual survey of threats to data security.

“When it comes to securing data in the cloud, most government organizations incorrectly look to their cloud providers to implement data security measures for the portion of the shared responsibility model that is owned by the government organizations themselves,” reads the federal edition of the 2020 Thales Data Threat report. 

The report, released today, is sponsored by the Cloud Security Alliance and companies offering just the type of data security and information technology services it recommends federal agencies increase investments in. But it highlights a dynamic which key government officials also recently flagged: Federal administrators may be relying on cloud providers to perform actions for which the administrators themselves are accountable.

The federal edition of the report is based on a survey of 101 U.S. government respondents which the International Data Corporation, an analytics firm, conducted in November. It compares the U.S. government perspective to those of public and private sector entities in 16 countries collected through a larger survey of 1,723 individuals.

While the U.S. government respondents were the most confident about their security, U.S. federal agencies have been breached at higher rates than the global sample, according to the report.

Almost 30% of federal respondents reported breach incidents within the last year, according to the survey. 

“The more digitally transformed an organization, the more likely that it has experienced a data breach,” the report reads. “Digitally Determined organizations (those organizations making the strategic, organizational, technological, and financial decisions that will set them up to digitally transform their organization in the next several years) may also have greater data threat exposure.”

There is one big caveat. Entities with a greater level of sophistication may also be more aware they have been breached, the report notes, while less sophisticated organizations may be less exposed or may have been breached without knowing it.

Regardless, the report recommends a greater focus on data security—which it differentiates from network or application security—and highlights shortcomings in encryption practices. Almost all of U.S. government respondents said at least some of their sensitive data in the cloud is not encrypted, according to the report.

“More than half of U.S federal government data [54%] is now stored in the cloud, with a significant portion of that data being sensitive,” the report reads. “As a result, IT security departments must now, more than ever, embrace and own their portion of the cloud shared responsibility model and implement data security best practices, as the cloud provider most often does not guarantee security at the data level.”

The report adds, “U.S. federal government respondents are seemingly less worried about issues over which they have direct control, and which represent greater potential vulnerabilities, like encryption key management.” 

The National Institute of Standards and Technology’ Matthew Scholl also flagged a need to focus on the management of cryptographic keys during an event noting federal agencies’ rapid migration to the cloud in response to increased remote work needs during the coronavirus pandemic. 

Scholl and the report both also stressed the importance of user access controls given the proliferation of new endpoints being added to networks, with the report noting that insider threat is “often more about carelessness than malicious behavior.