Cloud Security Guide for Government and Critical Infrastructure

Hadi Hosn
July 1, 2020
7 min. read

The idea of a government entity leveraging the Cloud to increase the effectiveness and efficiencies of their Information Communication Technology (ICT) is attractive, especially in a period of economic challenges for the GCC member states.

A number of government entities in Europe and United States have introduced a Cloud First policy for all technology decisions. What that means is when procuring new or existing services, government entities should consider and fully evaluate potential cloud solutions first before considering any other option. The justification for that is that properly implemented cloud technology can improve speed of delivery, reduce cost and create opportunities for organisations to innovate.

Despite the benefits of cloud platforms, historically, concerns about cybersecurity have stopped a number of government entities and critical infrastructure providers from investing in cloud solutions and accelerating the migration of their workloads to the cloud. This argument has been diminishing over the last few years, with critical organizations trusting SaaS based companies like, Dropbox, Slack with their sensitive data.

Security advantages of Cloud services
Cloud services can have native security advantages over local or on premises technology. While organisations can have less visibility of the underlying infrastructure and operations, cloud providers can use economies of economically or operationally infeasible for many organisations.

Let’s take the example of Software as a Service (SaaS) and Platform as a Service (PaaS) environments. If the cloud provider you are choosing has made the right security investments, additional advantages can include:

• Out-of-the-box known good configuration and hardening of infrastructure.
• Mature vulnerability management program where security patches are applied quickly and reliable by the service provider.
• Auto-scaling, health sensing computing environment that has multiple failover capabilities
• Software-defined environment allows constant testing of failure scenarios
• Software-defined networking components that eliminate common network protocol attack vectors
• Threshold and metric monitoring that trigger automation of response procedures as well as notification, both to people and other applications
• Extensive logging and asset tracking to satisfy the most stringent compliance requirements
• Inventory and configuration services that track configuration changes over time
• Software-defined Internet gateways, domain name services (DNS), and elastic load balancing services to maintain availability and network address translation (NAT) services
• Management and monitoring tools are available for the customer to use to secure their environment, spot anomalies and issues and resolve them.

For customers of Infrastructure as a Service (IaaS) cloud solutions, the customers are responsible for managing their operating system and applications. This includes troubleshooting issues, patching and software upgrades. If a new version of installed software is released or if a service pack for the operating system is released, then the customer is responsible for these updates. The cloud provider is supplying the underlying hardware platform only.

We suggest government entities and critical infrastructure providers structure their cloud cybersecurity program following a step by step work plan.

Step 1: Start with out of the box.

There are varying security responsibility models linked to the Cloud deployment approach (IaaS, PaaS, SaaS). It is advisable for government entities and critical infrastructure providers to start the security discussions early with their cloud service providers. We recommend starting those discussions with a framework where the cloud service provider is able to identify whether they are responsible for the control, and what they currently have in place. This approach will support the government entity in understand the type of operating model expected in the future when the cloud operation is up and running. The cloud security framework can be tailored to each government entity, and should cover the following domains at a minimum:

1- Data Protection (in transit and at rest)
2- Identity and Access Management
3- Configuration Management / Hardening
4- Vulnerability & Patch Management
5- Security Monitoring & Analysis
6- Incident Response

Based on the responses from the cloud service provider on each of the domains (and more), the government entity can then build the appropriate security operating model for their cloud environment that reflects the responsibilities on the customer and not the cloud service provider.

Step 2: Understand business priorities and how cloud can be leveraged.

This includes identifying key business assets, crown jewels, critical systems and applications and business processes.

Step 3: Assess what is already in place

You can’t secure what you don’t know. With that in mind, you first need to know whether your employees or contractors are already using cloud services with or without your consent. Start by identifying all cloud services in use by your employees and contractors.

Step 4: Decide which workloads to move to the cloud.

For example, many organizations choose to move customer-facing applications or analytical workloads to the public cloud initially, while keeping core transaction systems on-premises. Then they can determine security requirements for workloads that are migrated based on the shared responsibility model agreed above with the cloud service provider.

Step 5: For each workload, assess risk against security framework.

For each workload, determine the level of security to enforce for each of the controls of the framework. For example, entities should determine whether IAM needs only single-factor authentication, requires multifactor authentication, or calls for a more advanced approach such as behavioural authentication.

Step 6: Design and build security capabilities

Once the framework requirements are defined. The entities need to determine the solutions to be put in place to meet the requirements of the framework. This could be a combination of security technologies, processes, people and capabilities offered by the cloud provider as an add-on. Here cloud security architects or advisers are very important as they have a full understanding of the cloud service provider’s security capabilities and can assess whether additional tooling and investment is required to meet the framework or a security feature can be enabled on the cloud configuration.

Step 7: Implement and Operate the Security capabilities

Implement the controls to meet the framework requirements through internal resources, vendors, consultants, integrators and partners. The operation is critical as it requires an understanding of the threats in cloud and the associated cloud security skill sets to mitigate against the threats proactively.

Step 8: Continuously improve the program

The operation should be a continuous improvement capability with metrics and reporting functionality and on-going recommendations for improvement of the entity’s security maturity. This could be done with regular health checks to assess maturity improvement over time, or a set of strategic recommendations that are implemented and therefore improve overall maturity of the environment.

At a more strategic level, in order to prepare for a Cloud First policy in the GCC region, entities should start immediately with:

1- Investment in training. Learning cloud security terms and architectures is fundamental. The cloud is a new frontier and securing your apps and data that live there requires new skills. Get your team closer to your developers.

2- Run cloud incident response tabletop exercises. There’s nothing like running through a real-life scenario to identify gaps, improve workflows and highlight areas that need new investment that can make you better prepared for when an incident does occur in a cloud environment. Dealing with that incident is different to your on-premise environment.

Of course, if you come to the conclusion you need someone to help you on this journey and monitor your cloud applications and infrastructure, we at Axon Technologies are always happy to help.