The following article was submitted by McAfee to CIO Canada. Although it has been edited to remove all traces of vendor bias, the arguments presented likely favour the vendor's approach.
Across all levels of government in Canada, departments and agencies are trying to combat rising IT costs by consolidating their systems and moving toward a shared services model. In many cases, this requires government IT leaders to not only streamline their government services and networks, but also reduce the number of data centres they operate.
In order to effectively transition from siloed government IT systems to one centralized system, government CIOs have been turning to cloud computing services to help move forward with the new delivery model.
But anyone familiar with the complexity of government IT knows that moving toward cloud services in the data centre comes with new management and IT policy headaches – especially when it comes to security.
McAfee and the Security and Defense Agenda, a Brussels-based think-tank, recently released a report on global cyber-security, titled “Cyber-security: The vexed question of global rules”. The report’s recommendations include the need for government and industry to examine new problems and opportunities created by cloud computing and state that cloud computing needs an appropriate architecture to achieve optimum security.
To ensure a seamless transition to a cloud-based infrastructure on the security front, government CIOs need to re-evaluate their security policy ownership, security control solutions and their relationship with cloud service providers.
Setting new standards
Regardless of whether public sector organizations maintain their own private cloud infrastructure or outsource it to a third-party vendor, CIOs need to adapt their security policy ownership accordingly.
Security policies are typically very overarching, but that trend cannot continue for public sector organizations moving forward in the cloud world.
In the move toward a decentralized, hybrid data centre – which brings together physical, virtual and cloud computing infrastructures – these policies not only have to become more definitive, but the ability to enforce those policies has to be driven back into technology.
Enforcing security policies with better security controls
Multi-layered data centre security solutions, which involve layered defenses that properly segment and zone data depending on its sensitivity and type, can be built directly into the design of any next- generation data centre architecture. This can be achieved with security control technologies that provide IT administrators with a unified management and reporting environment that can help defend against threats across an entire infrastructure.
Whether an IT department chooses to deploy this as an on-premise appliance, software-as-a-service or a combination of the two delivery models, the ability to protect a data centre’s network, servers, data, storage and access controls is crucial.
Government CIOs and security IT leaders need to deploy an integrated security system that guards data centres across all key threat vectors, which include files, the Web, e-mail and the network.
This ties back into an integrated security policy that focuses on the most vulnerable clusters in the data centre and works backwards. For example, a critical system that would expose sensitive citizen information if breached should have different policies than clusters without personal data.
On top of that, a system that is required to interact with cloud-based systems or virtualized computing components needs to be classified and treated differently than an on-premise, mainframe computer.
This integrated, data-centric approach to security becomes even more important as targeted attacks against cloud infrastructure become more prevalent.
When dealing with service providers, CIOs need to be cognizant of the fact that many managed hosting services have now begun to partner with smaller cloud providers. With more managed service providers entering the fray, and varying levels of security and expertise, it will become extremely difficult to adopt a proper cloud security policy across multiple providers.
Assessing a provider’s environment will help you determine which cloud services they are using and whether or not you feel comfortable with those providers.
Systems that talk no matter what services you use
For public sector organizations, a breach that might have been a minor event in the physical world can turn into a large-scale disaster if it occurs in the public cloud environment. Ultimately, citizens do not care how their personal information has been compromised when a data breach occurs. The finger will always point back to the government IT systems.
Government agencies are under increasing threats from both domestic and foreign agents targeting personal citizen information and state secrets. In many cases, these attack types will vary based on the agency or level of government. In its 2012 Threat Predictions report, McAfee Labs™ predicts that attacks involving political motivation or notoriety will make headlines, including high-profile industrial attacks, cyberwarfare demonstrations and hacktivist attacks targeting public figures.
Drafting a definitive security policy that is supported by an integrated security solution is the only way for a CIO to properly protect a next-generation data centre. The same controls and auditing capabilities also need to be extended to any service providers helping support the mix of physical, virtualized and cloud-based infrastructure found in today’s new data centres.