The vast majority of councils are now well-aware of the benefits cloud adoption presents. As research shows, in 2018, 62 percent of councils stored data in the cloud, up from 52 per cent two years prior – local authorities’ adoption of cloud to facilitate digital transformation is only going to grow in 2020 and beyond, writes Chris Bartlett, Business Unit Director – Public Sector at SoftwareONE. At the same time, cyber threats are constantly evolving, with hackers continually finding new attack vectors.
While securing the cloud against these threats is a priority for any organisation, it is especially important for councils, which hold a huge amount of sensitive, personally identifiable information. This unique security position makes them an attractive target for would-be attackers, but squeezed budgets and small in-house IT teams can make it difficult for local government to know where to begin. So, here are four steps they can take to secure data and protect against the rising tide of cyberthreats.
1. Gain a Holistic View of the Cloud Environment
Poor visibility into the cloud environment creates security challenges, and councils must address this to improve security posture. This is particularly important as IT infrastructures become more complex; for instance, research finds that 64 per cent of councils are using a hybrid cloud model of consumption, which can be more difficult to secure. As different cloud models emerge, risk also increases, since SaaS, PaaS, and IaaS can all put a heavy weight on security infrastructure. This is because as more of these models enter the organisation, the chance for a security breach grows.
Cloud must be monitored closely for a complete view into what is being used and where it is being used – understanding where the possible vulnerabilities lay is crucial to protecting councils from attack. An overarching layer of control can help by delivering cloud insights to a central location for review. IT teams can then enforce consistent policies, detect vulnerabilities, and react quickly to abnormal activity. Yet none of this is achievable without a holistic view of the cloud environment.
2. Evaluating Third-Party Protocols
Public cloud providers are a popular route to cloud for councils, with 80 per cent found to be using services such as Azure, AWS or Google Cloud. Working with a third party requires both partners to share the security responsibility, which necessitates a joint effort to decide what this approach should look like. Councils must carry out a risk assessment before any migration or engagement with a new provider.
Due diligence on the cloud provider’s security protocols guarding their critical data is essential to determine any adjustments they will also need to make. Having visibility into a third-party provider’s control environment is also crucial for councils, so they may identify areas for improvement in their cloud security approach – helping to ensure both partners are sharing the load and have the best possible security protocols in place.
3. Tighten Employee Access
In the cloud, the traditional perimeter disappears. Physical security measures like firewalls and antivirus software have been replaced by users’ identities, usernames and passwords – spreading the risk opportunity to each individual council employee or partner. Local government can reduce this attack surface by adopting strict policies to manage access to cloud data and applications.
Councils can specify protocols for who can reach what information, configuring security groups to allow a select few types of traffic through. Having the narrowest focus possible will ensure personally identifiable information, like bank account details or National Insurance numbers, is only available to those who need it for specific use-cases. This will make it easier for teams to spot when unauthorised entities attempt to gain access, and help build staff understanding of data vigilance as they’re only able to access what they really need.
4. Making the Most of What you Have
As well as deploying new techniques to help securely manage the cloud, cash-strapped councils can also make the most of features they already have.
Take, for instance, enterprise software suites – research shows 90 percent of councils use Office 365, part of the all-in-one Microsoft 365 bundle that includes Windows 10, and also encompasses a number of security capabilities many are unaware of that can significantly help secure the cloud.
One example is Office 365 Advanced Threat Protection, which provides cloud-based email protection, and wards off phishing or malware attempts. This could help local government better understand the kind of attacks threatening them, like the ‘password spray’ attacks recently highlighted by the National Cyber Security Centre, where automated attempts are made to access local authority accounts with common passwords. Councils are already paying for these features even if they’re not using them, so it makes sense to assess which could be implemented to help boost security.
Local government IT leaders need a robust security strategy for the cloud to protect their assets and stay ahead of security threats. While this may seem easier said than done given the budget constraints councils face; improving visibility into external and internal cloud environments, tightening access to personally identifiable information and making the most of existing assets are a good place to start.