Moving onto the cloud is a lot like shifting houses. “You get to reassess all that furniture and clothes and everything that you have,” says Peter Klimek, Director of Technology, Office of the CTO at Imperva.
As governments begin the unwieldy task of hauling entire systems onto the cloud, they will need to rethink what to keep, change, and throw out.
At the core of this is the mandate to secure citizen data. Peter shares how governments can protect sensitive data as they shift onto the cloud.
When systems move house
A major step in moving onto the cloud is assessing which systems need to be changed. Some services in government can be “lifted and shifted”, but others will need more substantial adjustment, says Peter.
This is necessary for governments to gain the full benefits of the cloud. When done right, the cloud can help public officials build faster, more responsive tools.
This will transform public services, all the way from giving out parking permits to managing a city’s smart infrastructure, he notes. It could also help governments be more efficient in minimising waste and spending.
What to do differently
As public agencies make the shift, “it’s a good opportunity to say, we’re going to do things a little bit differently”, Peter says. He makes two recommendations.
The first is to adopt a zero trust mindset, a strategy emphasised by Singapore’s Minister for Communications and Information, Mr S Iswaran following the SolarWinds breach. It highlighted the need for an “inherent distrust of software that you’d have deployed in your environment”, even when it comes from a trusted vendor, Peter explains.
This means setting up each system within government networks with its own security controls. If one of them gets compromised, there’s a lower chance of pulling other systems down with it. “It’s all about minimising the blast radius that any one piece of software can effectively do,” Peter shares.
The second is to create security “blueprints”, or a set of basic configurations that all agencies follow when building new services. These would detail what kinds of firewalls to put up, and which best practices to adopt.
IT teams can then build tools more quickly and securely. “Not every single team has to worry about solving these problems,” says Peter.
Keeping unwanted visitors out
Imperva offers three types of tools to help governments keep unwanted visitors out of the cloud and away from citizen data. The first of these tackles application security.
Developers can build Imperva’s security tools into the service as they create it, making each service inherently more resilient to attacks. This ties in with a zero trust approach, in which each app resides in its own little container in the cloud, with its own security controls.
This approach also protects services from bad bots that rain attacks to try and steal sensitive information. This type of attack is particularly common for tools that serve a lot of people, as they would hold a lot of citizen data. A relevant example would be booking systems for Covid-19 vaccine appointments, Peter notes.
For such systems, AI and automation can help to identify the person accessing them, and the speed of the requests coming in, to separate automated bot attacks from legitimate users, he shares. The system will also help to discover, monitor, and protect all API traffic in any environment from exploits and breaches.
The second addresses data security. Imperva allows organisations to monitor all of their data, whether it’s stored on-premise or in the cloud. IT teams can quickly understand the 5 “W”s and 1 “H” to data: Who has been accessing the data; What has been accessed; Where was it accessed from; When was it accessed; Why was it accessed, and How was it accessed.
Imperva also keeps data within a country’s borders to ensure that governments have full control over their citizens’ information.
The third type of tool focuses on keeping systems up and running. “There are certain times of the year when governments tend to be targeted more”, such as on election days or tax filing deadlines, Peter says. Malicious actors would try to cause chaos by stalling online services in denial of service attacks.
Imperva’s DDoS mitigation software has been supporting US state and local governments with combating denial of service attacks. This has been important in keeping elections online and secure.
Moving onto the cloud can be intimidating, especially with the scale of government systems. Imperva helps to break this process down into smaller, manageable steps to focus on securing individual systems and give agencies full visibility into their data.