Growing Our Cloud Smarts

The move to cloud computing in government has changed from a focus on Cloud First to Cloud Smart. The initial push to cloud encouraged agencies to look at cloud options when adding or updating technology but provided no direct guidance. This "Cloud First" push provided a way to educate agencies on what cloud is and why it is a viable option for deploying applications to the government workforce. This education worked, making even the most security-conscious agencies comfortable with moving data and applications to the cloud to gain new efficiencies in time and budget.

The Cloud Smart policy, a logical evolution of Cloud First, was introduced last year and provides more guidance surrounding security, procurement, and workforce skills to foster cloud adoption and implementation. While the value cloud can provide is widely accepted, procurement of cloud remains a stumbling block to wider, easier cloud adoption. The shift in spending from capital funds to operating funds and the fluidity of the fees based on need and usage require different language and structure in contracts. Security also continues to be a focus, creating new "shared responsibility" language in cloud agreements and plans.

To help you get smarter on how to be cloud smart, we've compiled a list of upcoming events that cover the areas related to a successful cloud deployment.


The Shared Responsibility of Cybersecurity

Every October, the cybersecurity community comes together to highlight how each of us plays a role in the security of not just our own online identities, but of cyberspace as a whole. This year, National Cyber Security Awareness Month, organized by the Department of Homeland Security, is celebrating its 15th anniversary. This month is a collaborative effort between government and industry to ensure every American has the resources they need to stay safer and more secure online while increasing the resiliency of the Nation during cyber-threats.

The theme for 2018 is "Cybersecurity is our shared responsibility, and we all must work together to improve our Nation's cybersecurity." This focus on responsibility, both individual and organizational, is critical for a population becoming more and more dependent on Internet connectivity. A recent study found that while government tends to have better cyber hygiene than most industry sectors, overall, we are not doing all we can to secure our networks and all of the devices that connect to them. Only 50 percent of respondents said they were running authenticated scans and were able to patch vulnerabilities within a week of detection. Almost half use dedicated workstations and networks for administrative activities, but over 40 percent do not use multifactor authentication or don't require unique passwords for each system.

Biometrics is Finding its Identity in Government IT

Biometrics is the use of an individual's unique physical and behavioral characteristics, typically for identification and access control. Fingerprinting, the oldest form of biometrics, can be used for much more than identifying criminals. Fingerprint sensors have long been in use to allow individuals to log in to their laptops, control physical access to buildings, track attendance of employees, and much more. Today, the focus is on improving facial recognition both for access to systems and facilities and as part of national security practices.

Facial recognition holds promise for accurately identifying who should and should not be in a specific place, whether that is a physical location like a building or an airport, or a virtual one like a set of classified files. However, the technology is not as reliable as the market requires. The impact of false positives and missed identities is measurably bigger when you are talking about identifying someone on a terror watch list rather than simply being locked out of your cell phone. There is considerable work being done to close the gaps between the promise of facial recognition and the reality of today's technology.

In a world where we are conducting more and more business online, biometric identification seems like a no-brainer for increasing the security of accessing personal data. But there is a privacy concern. Using biometrics means that organizations have access to very personal credentials, and a recent ruling showed that the FBI does not need to disclose what biometric data it has on citizens.

Insider Threat Within Government

Whether it's an Edward Snowden situation or "simply" someone clicking on a rogue link, insider threat is a real issue for every organization. Insider threat is defined as a malicious threat to the security of an organization and its data that comes from people within the organization, such as employees, former employees, contractors or business associates. These people have some level of legitimate access to systems and information and therefore can open an organization up to attack or a breach. One statistic estimates there is one insider threat for every 6,000 to 8,000 employees within a government agency.

To mitigate this threat, government agencies need a combination of monitoring and detection technologies, identity management tools, process and policy reviews, forensic capabilities, and user training. It's a complex problem to "solve," but luckily there are a number of events and resources available to help make sense of all of the issues.

We've pulled together a list of several upcoming events to help in understanding and mitigating insider threats to any agency or organization.