Harnessing the public cloud in the public sector
Public entities can gain significant benefits by migrating to the public cloud, including more efficient operations, increased flexibility and the chance to drive innovation. In addition to reducing maintenance costs and removing the need for big capital investments, public clouds can also help agencies embrace emerging technologies such as artificial intelligence (AI) to radically transform the customer experience. But the use of public cloud services by a public sector organization means understanding the possibilities, managing risk and complying with regulations.
Public agencies must carefully assess the regulatory, compliance, security and governance aspects of each cloud service they plan to deploy. How does any organization with such complex concerns plan to mitigate the potential risks when moving workloads and data to the cloud? This paper summarizes the primary risks, assesses the impacts of moving to cloud, and details key considerations.
Our guidance is based on DXC Technology’s collective knowledge of and experience in assisting commercial and public sector customers consume secure public cloud services. Certainly, deploying a public cloud can be disruptive, and we’ll discuss how to minimize that disruption while maximizing rewards.
It is worth noting that the concept of public cloud goes well beyond the basic definition of cloud storage and infrastructure offered by third-party providers such as Amazon Web Services (AWS), Microsoft, Oracle and Google. It also includes any services hosted on public cloud infrastructure, as well as the application-specific offerings delivered as software as a service.
Because of the sensitive nature of the data with which government entities work — and because of compliance requirements and regulations for specific countries and regions — special considerations need to be taken into account to safeguard and handle data.
Unfortunately, those considerations vary by cloud service. For example, one set of measures and controls might work well for infrastructure as a service, but another public cloud service may require a completely different set of controls. Given that there are hundreds of services to consider, it is important to analyze each one to see whether it fits into your compliance and regulation framework.
Security, privacy and compliance
When deploying a public cloud, it’s not just about securing the cloud — it’s about securing the organization’s use of the cloud. Government agencies should be keenly aware of the regulatory and legislative requirements associated with moving data and workloads to the cloud, plus the implications of legislation that may apply to the public cloud provider due to that company’s country of origin.
The USA PATRIOT Act, for example, allows U.S. government law enforcement and security agencies to apply for a warrant to access customer data held anywhere in the world by U.S. cloud providers such as Microsoft, AWS and Google. This includes the decryption of data where those companies manage or hold the keys. The implications of legislation like this need to be factored into the risk decision matrix when selecting the cloud platform or service, and may point to the need for additional controls.
Of course, the first question to ask in terms of security is, “What data and/or workloads are suitable for migrating to the cloud, and how are they identified and then secured?” Another important distinction is whether the cloud in question is to be used for public sector delivery or restricted delivery, as would be required for a defense agency.
DXC advises organizations to take an information-centric view of security, focusing on the datasets and workloads to be migrated, evaluating their unique threats and risks, along with the pertinent regulatory and legislative requirements.
Each system (data and workload) will have to be evaluated independently and should include an assessment of the native security and compliance controls offered by the platforms, as well as the additional controls that may have to be implemented on top. It is essential to know what controls will be required and how to configure them to provide the level of compliance needed.
Key questions to ask include:
- Which supplier data centers will your data reside in at rest, and where will data be processed?
- What security certifications and assurances are provided by the supplier and what is the scope of those certifications?
- Will the supplier allow security testing and under what conditions?
- What crypto-key management options are available?
- What cryptographic standards are supported?
- What native controls have been implemented and what scope of control does the customer have?
- What additional controls are offered by the supplier/platform, and what third-party add-ons are available?
Because of the sensitive nature of public data, public sector organizations need to know where services are administered from and where data resides. For example, it is important to know how a cloud provider defines customer data and where replication will take place. These considerations will drive what information can be put into a service and what might have to be kept out.
Governance
Most organizations have a traditional IT governance model in place for private infrastructure, and that governance model should change significantly when a public cloud is involved. Although moving to a public cloud delivers great benefits, it also brings a new set of risks, so risk management and a risk analysis should be key components of the IT governance model. A public entity can’t risk a click of a mouse revealing highly confidential data.
With IT governance, change management is another significant area that should be considered. Because public cloud deployments are fundamentally different from traditional infrastructure, organizations will want to know how changes will be implemented, including what revisions would have to be made to what’s already been deployed.
Also, a cost vs. business benefits analysis should be part of any governance strategy. There should be a formal governance analysis of the cost of moving a given function, application or piece of data to the cloud to determine whether the cloud is the best choice.
Operational responsibilities
To succeed in moving to the public cloud, a shared responsibility model is the preferable way to determine who is responsible for what. Public sector organizations should clearly define who or which entity is responsible for the operational integrity and security of data and workloads. Organizations also should clearly define how operational processes will be altered to cope with migrating data and workloads.
A shared responsibility model addresses these questions and defines the boundary of responsibility in essential areas such as infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS) (See Figure 1).

The platform and services selected typically define the boundary of responsibility for information security between the public cloud provider and the public cloud consumer, but it is critical to clearly understand where this boundary lies. In addition, organizations should consider what type of access is granted to security data for the controls under their direct jurisdiction.
When adopting a shared responsibility model, questions to ask include:
- What access to data does the public cloud provider or managed services administrative staff have?
- What processes are enforced for escalation of privileges?
- From where does the public cloud or managed services provider administer its service?
- What employment checks or vetting is done by the cloud or managed services provider?
- What identity federation standards are supported?
- What identity and access management services are provided?
Data classification and data sovereignty
When considering the use of public cloud for sensitive government data, organizations should consider the specific security policy requirements related to that data in terms of data classification.
For example, when public entities in the United Kingdom have data marked “UK OFFICIAL,” the specific security policy requirements relating to that data must be fully understood, including the additional control requirements associated with data marked “OFFICIAL SENSITIVE.”
In that case, cloud security guidance from the UK’s National Cyber Security Centre (NCSC) should be used as a framework to inform the selection process of a public cloud platform and service. Major public cloud suppliers provide a clear set of assertions against the 14 NCSC Cloud Security Principles to aid in this selection, and use reference solution patterns that have been tested with customers.
As another example, U.S. International Traffic in Arms Regulations (ITAR) guidelines spell out additional data access security requirements and a requirement to be able to provide a full audit of data access. Major public cloud suppliers offer ITAR-compliant services in the United States, using their U.S. government service instances; however, this is not available outside of the country. Therefore, organizations outside of the United States handling ITAR data must include the ITAR requirements specific to the relevant dataset.
Additional measures should be undertaken to restrict data access to only authorized individuals, using tools such as consumer-managed encryption keys, enhanced access control or enhanced audit data access. Finally, specific attention should be paid to the data storage and processing locations of the public cloud service to ensure that data is not accidentally re-exported.
In terms of data sovereignty, if the data affects the security of a nation, it is critical to understand where services are managed and administered and what security certifications and assurances are provided by the supplier. Areas such as testing, cryptographic standards and transit options should also be considered with regard to data sovereignty.
Benefits of public cloud to public agencies
Moving to the cloud helps government agencies get things done more quickly and with greater agility. Among the many benefits:
Increased flexibility. One of the most significant benefits of moving to public cloud is the flexibility to implement new services and implement them faster. For example, instead of procuring new hardware or provisioning existing servers, a public agency could quickly spin up virtual machines to test new ideas and services.
Cost savings. Moving to a public cloud brings improved operational efficiencies, along with a shift to a scalable OPEX/services model that saves costs. A cloud migration would reduce the need for maintaining legacy infrastructures and, for agencies in the United States, meet the data center reduction requirements set forth in the federal Data Center Optimization Initiative.
Improved self-service capabilities. From booking a hotel room to hailing a ride, consumers rely on self-service to get things done. Citizens will increasingly want to consume government services from their smartphones, requiring a modern and robust infrastructure and application ecosystem. Moving to a public cloud gives agencies additional flexibility to improve citizen engagement and offer a wider range of services.
Move to a software-defined environment. Public entities often operate in traditional IT environments where much of the work is accomplished through keyboard entries, manual labor and opening tickets. In a public cloud, software can be used to configure and deploy services, and to manage all phases of the life cycle, be it deploying a new server or a new network component. Moving to a software-defined environment allows organizations to do things faster and with more agility in a way that is more predictable, repeatable, auditable and testable.
Drive innovative applications and services. In a cloud-based environment, application development teams can transform processes for development, testing and launching applications. DevSecOps is an important component of any cloud strategy as part of enabling new services that incorporate technologies such as the internet of things (IoT), artificial intelligence (AI), secure multifactor authentication, self-service, personalization and increased automation.
How a managed cloud services provider can help
Migrating to a public cloud involves much more than creating a user ID, flipping a switch and moving data. As public agencies embark on a cloud journey, the best path to success is through a partnership. An experienced managed cloud services provider can take the raw capabilities a cloud vendor provides and work with the agency to configure, deliver and manage those capabilities to meet the organization’s unique requirements. Key managed services include:
- Cloud assessment. Before migration, organizations should assess their current state and develop a roadmap for managing public cloud resources to align to security, compliance, flexibility and scalability needs.
- Accounting and cloud governance. Consolidated billing, management and reporting tools, financial best practices, and governance controls will help manage costs and access to cloud services.
- Integrated IT service management. By incorporating automation and an integrated, centralized dashboard, organizations can ensure a single point of service accountability across suppliers, lower costs and reduce complexity.
- Security monitoring and forensic readiness. Enhancements should automate monitoring, manage risk more effectively, and get the most out of existing security tools to ensure greater visibility and faster incident response.
- Cloud access security broker (CASB). CASB capabilities enable organizations to gain visibility into and control sanctioned and unsanctioned cloud applications to ensure secure and compliant use.
- Identity management. Organizations can better manage identities and ensure authorized access to cloud services.
- Cloud data protection design. Focusing on privacy begins with protecting critical data and understanding the use of critical content stored and processed in cloud environments.
- Multi-tenant infrastructure security solutions. Organizations should apply consistent security controls for dynamic virtualized infrastructure.
Security risk management is critical to these efforts and requires an information-centric view. Focus areas should include a risk assessment, selecting the correct platforms and add-on security services to mitigate risks, as well as ensuring that legislative and regulatory requirements are being met.
An experienced service provider can also be instrumental in establishing a proven security framework. For example, DXC’s Cyber Reference Architecture (CRA) serves as a security backbone, providing a common language, consistent approach and long-term vision.
The CRA provides detailed blueprints to address specific challenges and consists of three levels focused on strategy, operations and technology (See Figure 2). The CRA structure provides a unified approach to enterprise security, helping an organization define security requirements and describe how to deploy targeted capabilities.

DXC’s comprehensive Applications Services for Public Cloud offering provides specialized tools, methods and skills needed to successfully transform and optimize applications on public cloud platforms. Fifteen solution sets of DXC-exclusive and AWS/Azure-native use cases enable organizations to migrate to and run on public clouds. Applications transformed with Azure and AWS native services provide an optimal public cloud experience — more quickly, cost-effectively and securely.
Identifying the optimal cloud solution is another key to success. DXC works with organizations in both the public and private sector to find the best cloud solution, be it public cloud, private cloud or a hybrid cloud solution. DXC offers Hybrid Cloud Blueprint, a series of workshops focused on building, executing and managing enterprise cloud plans. Deliverables include application and workload placement recommendations, building business cases for future run-state costs, and developing IT policy considerations.
Public entities attempting to go it on their own face overwhelming obstacles. But working together, the government agency, cloud provider and managed services provider can build a model that is safe and efficient, and meets specific needs. An experienced managed cloud services provider delivers the experience, expertise and additive services to help government organizations complete the public cloud journey successfully.
Contact us to learn more about harnessing the public cloud in the public sector.
