Three things to consider when securing multi-cloud environments in the public sector
By Calum Roberts, UK Director at SailPoint
Public sector organisations are all at different points on the cloud transformation and digitalisation journey. Many already recognise the benefits of moving to the cloud and have advanced multi-cloud strategies and stacks, whereas others may just be making the first forays into building a cloud infrastructure. But in both cases, the digital transformation has led to traditional network perimeters eroding and the cyber risk coming to the fore. In fact, almost a fifth of public sector organisations experience over 1,000 cyberattacks each year. At the same time, the public will naturally hold all public sector organisations to the same high cybersecurity standards, including GDPR.
The recent demands of the coronavirus outbreak have highlighted both the benefits and potential pitfalls of working in a multi-cloud environment for many public sector organisations. Home working was a first-time occurrence for some staff, but there is now growing acceptance that it might become a more everyday practice in the future. This expected trend is likely to encourage many public sector organisations to revisit their cloud strategy and implementation plans after the current coronavirus outbreak. But where there is opportunity for improved productivity and access, there can also be opportunity for malicious entities trying to get the virtual “keys to the kingdom”.
Here are three security considerations to have in mind to ensure the security side of your IT strategy doesn’t fall by the wayside during digital transformation:
Keep an eye on your attack surface
One of the key challenges of using a multi-cloud approach is keeping track of the number of applications and associated logins staff are using. The more applications and systems that are involved, the more credentials will be created overall, so there needs to be a strategy in place to ensure they are all monitored and refreshed regularly. Changing staff numbers and the need to quickly onboard and offboard additional human resources (such as agency workers, or part-time volunteers) also mean that the shape and size of an organisation’s attack surface can evolve rapidly. If left unchecked, much of this newly created access will remain ungoverned once it is no longer needed – leaving a range of orphaned identities open to brute-force password-cracking attacks by cybercriminals.
Ensuring visibility over all applications across multiple clouds is key to understanding your attack surface at any one time – including those which may be set up outside the purview of the IT team (also known as ‘shadow IT’). By implementing a strong identity strategy, organisations can finally answer the question of who has access to what. Leveraging a security platform which can detect new access and bring it into existing structures, security programs and compliance policies is essential to ensuring that cybersecurity can keep pace with the speed of growing user needs and evolving hacker tactics.
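As an added illustration (not part of the original article and not any vendor's product code), the check below reconciles account exports from two clouds against an HR roster to surface orphaned, unowned and stale accounts. The roster, cloud names, logins and the 90-day threshold are constructed assumptions.

```python
from datetime import date

# Constructed sample data (not from the article): HR roster and per-cloud account exports.
ROSTER = {
    "e100": {"name": "A. Khan", "end_date": None},
    "e101": {"name": "B. Jones", "end_date": date(2020, 3, 31)},   # agency worker, left
    "e102": {"name": "C. Patel", "end_date": date(2020, 12, 31)},  # contract still running
}
ACCOUNTS = [
    {"cloud": "cloud-a", "login": "akhan", "owner": "e100", "last_login": date(2020, 5, 28)},
    {"cloud": "cloud-a", "login": "bjones", "owner": "e101", "last_login": date(2020, 3, 30)},
    {"cloud": "cloud-b", "login": "bjones-vol", "owner": "e101", "last_login": date(2020, 2, 1)},
    {"cloud": "cloud-b", "login": "cpatel", "owner": "e102", "last_login": date(2020, 1, 15)},
    {"cloud": "cloud-b", "login": "survey-tool", "owner": None, "last_login": date(2020, 5, 1)},
]

def review_accounts(roster, accounts, today, stale_days=90):
    """Return (cloud, login, reason) for every account needing governance action."""
    findings = []
    for acct in accounts:
        # An account whose owner id is missing or unknown to HR has no accountable person.
        owner = roster.get(acct["owner"]) if acct["owner"] else None
        if owner is None:
            reason = "no owner in roster (possible shadow IT)"
        elif owner["end_date"] and owner["end_date"] < today:
            reason = "owner offboarded: orphaned"
        elif (today - acct["last_login"]).days > stale_days:
            reason = "stale: unused for over %d days" % stale_days
        else:
            continue  # owned by a current worker and recently used
        findings.append((acct["cloud"], acct["login"], reason))
    return findings

if __name__ == "__main__":
    for finding in review_accounts(ROSTER, ACCOUNTS, today=date(2020, 6, 1)):
        print("%-8s %-12s %s" % finding)
```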
Build compliance into your cloud strategy
By harnessing the power of an AI-enabled identity platform that can work across clouds and identify access patterns, it is possible to find outliers. This might mean outlining a group of users who require a large amount of access to perform daily tasks, and implementing regular recertification programs and security training for them. However, this might also highlight identities which are overprivileged and suggest deprovisioning to ensure the least access necessary is being used. In both these cases, by automating simpler tasks, such as provisioning access which poses no compliance conflicts, time is freed up for IT teams to work on more strategic initiatives.
This approach can be taken a step further, to check for non-compliant access patterns. For example, many identity platforms now allow IT teams to set up policies which prevent contradictory permissions (such as the right to set up a supplier, and the right to approve an invoice) from being provisioned to the same account. The level of access to data can even be made more granular in order to better support compliance – for example, by preventing users from copying unstructured data being kept in a text document or PDF file into another online document. A nuanced approach such as this helps ensure that each employee has the tools and data access they need to perform their role without unnecessarily expanding the attack surface of the organisation, while keeping compliance as a constant watchword in your cloud strategy.
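A sketch of the contradictory-permissions policy described above, added here as an example and not taken from the article or any identity platform. It evaluates conflicts per identity across every cloud, so the supplier and invoice rights cannot be split over two accounts held by one person; the entitlement names, identities and cloud names are hypothetical.

```python
# Constructed policy and grants (not from the article); all names are hypothetical.
# Each rule: (left entitlements, right entitlements, description). Holding any
# entitlement from both sides is a separation-of-duties violation.
SOD_POLICY = [
    ({"supplier.create"}, {"invoice.approve"}, "set up supplier + approve invoice"),
]
# identity -> set of (cloud, entitlement); one person may hold accounts in several clouds
GRANTS = {
    "e100": {("cloud-a", "supplier.create")},
    "e101": {("cloud-b", "invoice.approve"), ("cloud-a", "report.view")},
}

def conflicts(entitlements):
    """Return the description of every policy rule the entitlement set violates."""
    names = {ent for _cloud, ent in entitlements}
    return [desc for left, right, desc in SOD_POLICY if names & left and names & right]

def request_access(grants, identity, cloud, entitlement):
    """Provision only if the identity's combined access across all clouds stays compliant."""
    proposed = grants.get(identity, set()) | {(cloud, entitlement)}
    violated = conflicts(proposed)
    if violated:
        return ("denied", violated)   # nothing is written to grants
    grants[identity] = proposed       # conflict-free, so safe to automate
    return ("granted", [])

def audit(grants):
    """Find identities whose existing access already violates the policy."""
    report = {}
    for identity, ents in grants.items():
        found = conflicts(ents)
        if found:
            report[identity] = found
    return report

if __name__ == "__main__":
    # e100 can already create suppliers in cloud-a; the approval right lives in cloud-b.
    print(request_access(GRANTS, "e100", "cloud-b", "invoice.approve"))
    print(request_access(GRANTS, "e100", "cloud-b", "report.view"))
    print(audit(GRANTS))
```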
Bring security for all your cloud infrastructure under one identity approach
One of the main appeals of a multi-cloud IT strategy is being able to harness the best tools for the job, building resilience and agility into IT operations. However, a hybrid cloud infrastructure must also be protected from a range of unauthorised access attempts, be they from malicious hackers or employees lacking the right security know-how. To avoid unneeded complexity and potential gaps in security, it is important to select a solution that can integrate with all your systems and report on everything from compliance to password resets in one place.
For many public sector organisations, part of the appeal of moving to a multi-cloud IT strategy is the potential to scale their operations to meet current demands. The same must be the case for their identity programme – as the ability to provision and monitor access quickly and at scale is essential to making sure that employees can fully leverage the benefits of cloud applications.
Whatever their cloud strategy maturity, public sector bodies in the UK are all subject to the same regulatory obligations, facing heightened public scrutiny in the event of a breach. At the centre of most compliance concerns is the security of sensitive/mission-critical data – which must be defended against both external cyberattacks and human error leading to internal vulnerabilities, which are all too easily exploited. However, with the right identity strategy governing all application and data access, public sector organisations can be several big leaps closer to fully securing the cloud transformation.