Cloud security is a priority for public sector IT leaders in 2022. Here are some tips on meeting the challenge in practice.
Author: Richard Jackson, Lead cloud security specialist, Jisc
During the Covid-19 pandemic, organisations migrated on a large scale to cloud-based and internet-facing services, responding to a spike in demand for remote access and technology-driven transformation.
Now, as the Socitm 2022 Public Sector Digital Trends report points out, public-sector organisations need to manage this new cloud-based reality.
The Socitm report depicts a “multiverse” of cloud provision, made up of a variety of interconnecting systems – while separately noting that cyber security is a challenge for the public sector in 2022, and beyond.
Taking these points together, it’s clear that cloud security should be a priority for organisations. But how can you deliver this in the context of the reality of public sector IT – with small teams, squeezed budgets, and persistent security threats?
We think there are some important steps you can take. Consider the following:
Plan for cultural change
Whether you’ve migrated services to the cloud or are about to do so, it’s vital to plan for the cultural changes this could bring – and how this affects security.
You might have a team, for example, which is well-versed in on-premises security – but how do you update their skills for the risks of the cloud universe you now inhabit?
Recognising that the public cloud brings a new “edge” to your security environment is one step. Identity is critical in the cloud, which is why technologies such as multi-factor authentication (MFA) can be so important in mitigating the risks from compromised credentials – which could mean data exfiltration or even ransomware.
Of course, MFA is just one part of your security posture. As well as controlling access to services, consider the flow of data and your architecture, too. In practice, your goal should be to shift security as “far left” in your cloud development process as you can – so that it’s handled as early as possible.
If you can design services from day one with security in mind, that’s better than doing retrospective mitigation later on.
Be clear on where security responsibilities lie
When it comes to cloud deployments, one of the most important steps is to understand where your security responsibilities are.
Cloud security works on a “shared security model” – so while your cloud vendor is responsible for some aspects of security depending on the level of service you’re buying, in other respects the onus will be on you.
When organisations are compromised in the cloud, it’s often because they mistakenly thought a cloud vendor was responsible for a certain aspect of security – when in fact the responsibility was their own.
So if you deploy a server in Microsoft Azure, for example, you still need to patch that server and make sure anti-virus is running. And identity security will always stay with you, the client.
In the case of Microsoft 365, it’s not necessarily suitable for handling OFFICIAL data out of the box; to get to that standard, you need to take steps to follow the checklist provided by the National Cyber Security Centre (NCSC).
Here are two examples of ways we’ve helped organisations that are particularly relevant to pubic-sector organisations:
Compliant VPNs. When handling OFFICIAL tier information via VPNs in the public sector, you may need to meet the recommended standard as presented by the NCSC. In Microsoft Azure, for example, this is something you can’t do ‘out of the box’ due to limitations in types of authentication; instead, you need a third-party firewall to handle that kind of VPN connection. At Jisc, we’ve helped organisations to get this set up, helping to deploy IPSEC VPNs where specific standards have been mandated by third parties.
Payment systems. As a public-sector body, you may need to handle payments – which means PCI DSS compliance in your cloud environment.
But while vendors give you the “recipe” you need to deploy a compliant environment, we don’t always see that in action. In the case of PCI, there are many technical requirements that need to be met; an example we often work on is the deployment and maintenance of web application firewalls (WAF) ensuring they are deployed and configured correctly, which is not a straightforward task. WAF’s block common web application attack types. Within Public Cloud, managed rulesets are in place where the vendors themselves will provide custom protections against high-profile attacks as and when they need to.
For one organisation we helped, having a WAF deployed made a difference when the Log4j vulnerability was disclosed in December 2021. Log4j actually had WAF circumvention techniques applied often, however, we did not detect this in our managed clients at the time. The WAF bought time but was by no means a silver bullet. So having an understanding of the shared security model in this instance was imperative.
Having that protection against common exploitation attempts gave the organisation more time to fix the problem and patch it than they might otherwise have had.
To conserve budget, consider what you’ve already paid for
Public-sector organisations have limited budgets – so it pays to understand not only what your cloud licence excludes, but what it includes that you might not be aware of.
For example, Cyber Essentials (CE) requires you to show that devices accessing your network are appropriately supported and patched. This requirement can be met using Microsoft Intune, part of Microsoft Endpoint Manager, alongside Conditional Access (albeit with some further development) to help reduce the problem and which may already be included in your Microsoft licensing.
Aside from CE, M365 licensing also offers a large range of security tooling which many organisations are overlooking, we have worked with many organisations in recent years to help demonstrate how they can improve their security posture via utilising their M365 licensing, both protecting their cloud environments but also using the power of these tools to protect on-premise traditional assets. You can drastically improve security posture with your M365 licensing if deployed correctly
If you already have the right licence, this means there’s no need to waste too much time or money looking for an alternative solution.
For more on how to improve your cloud security posture, sign-up for the Jisc-sponsored webinar, Modernising ICT: Cyber security, digital transformation & driving return on investment, on 29 June.
Register now for the Jisc Security Conference, 7-8 November, ICC Wales, 9 November, online