The adoption of cloud computing is growing exponentially in governmental organizations around the world. Governments in the U.S. are no exception. According to a study commissioned by the Federal Risk and Authorization Management Program, roughly half of all U.S. state, local and federal governments have either some or most of their systems and solutions in the cloud.
If you’re a decision maker in government, this statistic might trigger some anxiety. After all, headlines about cloud security breaches have become a standard part of the news cycle. And if you’re in a field that manages sensitive personal information — such as government, healthcare or financial services — lapses in security will be difficult to explain or forgive.
But in the age of digital transformation, avoiding the cloud has its own costs in terms of lost opportunities and unnecessary spending. Years ago, IT professionals asked whether the cloud was secure. Today, there’s a more appropriate and accurate question: Is the cloud being used securely?
Know where your provider’s responsibility begins — and ends
In discussing cloud security, Gartner offers some troubling predictions. They speculate that between now and 2025, sensitive data will be exposed by 90% of organizations that fail to adopt an appropriate cloud security strategy. In the same time period, Gartner says, 99% of cloud security failures will be the customer’s fault. Both these predictions point to a gap in the understanding of exactly how secure the cloud is, and of who is actually responsible for safeguarding your data.
AWS explains the distinction elegantly in its Shared Responsibility Model, which distinguishes Security of the Cloud from Security in the Cloud. The cloud provider states that it is responsible for protecting the infrastructure running all the services offered by AWS. This includes all of AWS Cloud’s hardware, software, networking and facilities. But when it comes to Security in the Cloud, the customer can’t afford to be complacent. While the platform is responsible for security, patches and configuration on its infrastructure devices, the customer remains responsible for their own guest operating systems, databases and applications. The lapses that happen there have nothing to do with the security of the cloud itself. The platform provides the vault, but closing the door is up to the customer. And that leads to what is perhaps the most powerful statement in the Shared Responsibility Model: “AWS trains AWS employees, but a customer must train their own employees.”
Defend your data through training
Malicious actors are constantly upping their game when it comes to the sophistication and effectiveness of their attacks. Unfortunately, governmental organizations have been less than consistent in defending themselves. That’s because cloud strategies tend to lag behind cloud use, and most organizations are better at responding to breaches than anticipating them. Your single best weapon to counter any attack is an awareness of the threat and an understanding of how it can be thwarted. To develop that awareness and understanding among your teams, start with a commitment to training. ExitCertified offers nearly 300 courses in security, including courses specific to the leading cloud platforms.
Even today, the question still arises in online forums: Is the cloud really safer than my on-premises solution? The answer depends largely on the quality of your security posture. But consider this: It’s very unlikely you’ve matched the investment of the major cloud providers when it comes to security, reliability and resiliency. The astonishing growth of the cloud is due in part to the providers’ understanding of the importance of mission-critical data. That customer-focused service can be a powerful tool for government organizations. To use that tool securely, invest in training today.