AWS Public Sector Blog

Cloud security design considerations for state and local government

Following Cyber Awareness Month, it’s time for state and local government (SLG) organizations to reflect and refocus on cyber hygiene and continuous improvement of their security posture. This is especially critical given many organizations implemented new technologies in support of requirements driven by the pandemic. This new reality requires SLG agencies to revisit how they are approaching gaining and maintaining visibility across the organization’s data footprint.

From 2017 to 2020, BlueVoyant, a cybersecurity firm, found that cyber events impacting SLG agencies on average rose by almost 50 percent. Even though the issue is not unique to SLG, these organizations have the added constraints of budget deficiencies and talent shortages due to legacy hiring practices and competition with the private sector. A 2020 study on cybersecurity by Deloitte and the National Association of State Chief Information Officers (NASCIO) identified that states’ cybersecurity budgets average less than 3 percent of their overall IT budget. Private sector companies’ cyber budgets by comparison average 28 percent.

But with constraints come opportunities. A recent study conducted by Accenture and NASCIO indicated that state chief information officers (CIOs) from 35 US states want hybrid cloud as their desired cloud model—a combination of public and private cloud services.

Here are some best practices for SLG chief information security officers (CISOs) and IT professionals to consider in their cloud journey:

Resist being resistant. Understand and accept that organizational strategies for modernization, security, and enhanced customer interactions will likely include the cloud. If it is not currently in use, plan for it.

Develop a cloud security governance model. Make sure to address guardrails or security controls for the protection of the organization. Make sure both security and operations teams are afforded the opportunity to obtain critical training and certifications within their scope of work.

Enable compliance by developing a continuous monitoring strategy. How do the operations and security team(s) maintain visibility into workloads on premises, as well as in the cloud? A Q&A available from Government Technology addresses how cybersecurity in the hybrid cloud differs from on-premises security needs. Security teams should ask the following questions:

  • Centralize and minimize. Does the organization have the capability to aggregate, correlate, and leverage machine learning (ML) and artificial intelligence (AI) capabilities? Do these live in the cloud or on premises? If you don’t have a solution due to budget constraints, consider leveraging open source solutions that may be cost effective and meet your organization’s needs. Make sure there is a process to securely vet the open source tools to validate they are from a trusted source. It’s important for SLG organizations to consider the operational trade-offs when deploying products whether open source, software as a service (SaaS), or managed.
  • Reduce the noise. What type of logs from both environments are critical for visibility and monitoring? Flooding log management and security event management tools without regular tuning could lead to inefficiencies and unnecessary increased operating costs.
  • Standardize priority-based patching across all environments. How do cloud services get patched? Identify what is most critical to be patched across all environments. Integrate on-premises patch management playbooks with cloud services. Use cloud native patch management and remediation solutions where possible for effective and efficient vulnerability management. Another recommendation is to use immutable, short-lived systems that may not require patching in production.
  • Manage data flows. What types of data exchange occur between the cloud and the on-premises environment? Implement Zero Trust measures to restrict communication only to what is approved and necessary for the services.
  • Prioritize log retention. What are the data retention requirements for logs and specific data types? An example is Internal Revenue Service (IRS) Publication 1075, which provides prescriptive requirements for the security of Federal Tax Information (FTI) and requires seven years of storage for audit trail records. Leverage the cloud to meet compliance, privacy, security, and data protection requirements.
  • Develop a security architecture. Many security professionals attempt to standardize their on-premises environment with their cloud environment by using the same traditional legacy solutions, which can lead to security gaps. Prioritize native cloud security tools built with the cloud environment in mind, such as security information and event management (SIEM) and cloud native patch management solutions.
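The retention question above lends itself to a compliance-as-code check that runs the same way against cloud and on-premises log sources. The following is an added example, not code from the original post or from AWS: it takes an inventory of log groups (constructed sample data, with a hypothetical `classification` tag) and flags any FTI audit trail whose retention falls short of the seven-year IRS 1075 floor. Only the FTI floor comes from the post; the other classification and its floor are placeholders.

```python
"""Check audit-log retention against per-classification floors (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# IRS 1075 requires seven years of audit trail storage for FTI (from the post).
SEVEN_YEARS_DAYS = 7 * 365  # 2555

# Minimum retention in days by data classification. "FTI" is from the post;
# "INTERNAL" and its 365-day floor are constructed placeholders for illustration.
RETENTION_FLOOR_DAYS: Dict[str, int] = {"FTI": SEVEN_YEARS_DAYS, "INTERNAL": 365}


@dataclass
class LogGroup:
    name: str
    location: str                    # "cloud" or "on-premises"; same rules apply to both
    classification: Optional[str]    # value of a hypothetical data-classification tag
    retention_days: Optional[int]    # None means "never expires"


def evaluate(group: LogGroup) -> List[str]:
    """Return a list of findings for one log group (empty list means compliant)."""
    findings: List[str] = []
    floor = RETENTION_FLOOR_DAYS.get(group.classification or "")
    if floor is None:
        # An untagged log source cannot be proven compliant: surface it rather than skip it.
        findings.append("unknown classification: cannot determine retention floor")
        return findings
    # "Never expires" always satisfies the floor; a finite value must meet or exceed it.
    if group.retention_days is not None and group.retention_days < floor:
        findings.append(f"retention {group.retention_days}d below floor {floor}d")
    return findings


def evaluate_all(groups: List[LogGroup]) -> Dict[str, List[str]]:
    """Map each log group name to its findings, across cloud and on-premises sources."""
    return {g.name: evaluate(g) for g in groups}


# Constructed sample inventory: a mix of cloud and on-premises log sources.
SAMPLE_GROUPS = [
    LogGroup("cloudtrail-fti", "cloud", "FTI", 2555),
    LogGroup("onprem-fti-db-audit", "on-premises", "FTI", 1095),
    LogGroup("web-access", "cloud", "INTERNAL", 400),
    LogGroup("untagged", "cloud", None, None),
]

if __name__ == "__main__":
    for name, findings in evaluate_all(SAMPLE_GROUPS).items():
        print(name, "OK" if not findings else "; ".join(findings))
```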

Enable automation and orchestration. SLG organizations face personnel shortages, but you can leverage automation and orchestration capabilities to reduce the need for manual resources. Make sure workloads are built and deployed in a secure and consistent manner, reducing the possibility of human errors, and leverage best practices such as Zero Trust.

Audit management. Leveraging cloud services that meet or exceed regulatory requirements, whether HIPAA, IRS 1075, FERPA, CJIS, or others, can reduce the added stressors placed on small security and IT teams, allowing for more productivity and efficiency. The May 2020 U.S. Government Accountability Office (GAO) report Selected Federal Agencies Need to Coordinate on Requirements and Assessments of States indicated that costs for 188 assessments across 24 states between 2016 and 2018 ranged from “$43.8 million to $67 million.” Amazon Web Services (AWS) customers with mandatory industry certification requirements can reduce costs and quickly obtain the artifacts needed to validate the security compliance of their cloud environment. Under the AWS Shared Responsibility Model, customers are responsible for security in the cloud, and AWS is responsible for security of the cloud. SLG organizations can therefore focus their staff on a reduced subset of security controls for the data they move to the cloud.

Know your limits. Leverage vendor partnerships where appropriate. In order to accelerate IT transformation, it may be necessary to repurpose and/or augment staff with subject matter experts. SLG organizations should identify training and skills gaps and weigh options and overall impact to long term mission success. Read the Strengthening Enterprise Security in Government with the Cloud brief and watch this Ease SLG cybersecurity concerns with the cloud and new funding webinar to find out how agencies can address security gaps and invest in robust, long-term security solutions.

SLG organizations need to make sure they are thoughtful in their approach, have a defined cloud strategy, and build a security framework into the foundational cloud strategic plan to actualize the benefits of the cloud.

AWS is a sponsor of Government Technology’s “Securing America’s Digital Infrastructure” microsite. Check out additional resources like Q&As with cybersecurity experts, industry resource materials like eBooks, and more. Contact us if you’d like to chat further about security within your organization.


Maria S. Thompson

Maria S. Thompson is the state and local government executive government advisor for cybersecurity at Amazon Web Services (AWS). In this role, she brings over 20 years of experience in information technology, strategic planning, computer network defense and risk management. Prior to her role with AWS, Maria served as North Carolina’s first State Chief Risk and Security Officer. There, she was instrumental in establishing the Whole of State Approach to Cyber. This included the development and implementation of the state’s first Cyber Disruption Plan, and the Joint Cyber Task Force (JCTF). Maria also served 20 years in the United States Marine Corps and retired as the cybersecurity chief/information assurance chief for the Marine Corps. Other security roles held include certification and accreditation (C&A) lead for the Multi-National Forces – Iraq and senior security engineer in a joint military organization and Security Operations Center lead for a federal agency.