There’s a common misconception that IT teams in government organizations are exempt from the challenges and opportunities driven by the cloud computing revolution. While public sector organizations certainly have distinct policies and objectives, they actually share many cloud security and operations issues with enterprises.
One of the most prevalent myths about public sector organizations is that their employees do not use cloud services due to security mandates. This couldn’t be further from the truth, as employees at the average government organization use a total of 721 cloud services. These services are not necessarily sanctioned by IT, but the figure shows government employees are no different from their private sector counterparts: they want to use cloud services to be more productive at work. Kristin Russell, former CIO of the State of Colorado, and Miguel Gamiño Jr., CIO of San Francisco, both shared an article on the modernizing renaissance taking place in government IT.
— Miguel A. Gamiño Jr. (@MiguelGamino) April 29, 2015
While it looks like this renaissance may have begun with everyday users, progressive government IT leaders are catching up by enabling employees to collaborate more efficiently. No one has a wider network to maintain than Stephanie von Friedeburg, CIO at the World Bank Group. An article shared by Randstad CIO Alan Stukalsky details how von Friedeburg leverages the cloud to connect employees and enhance security across offices in 186 countries. Specifically, she discusses managing BYOD while maintaining the strict security controls required of financial services organizations.
— Alan Stukalsky (@Stukalsky) April 15, 2015
Many in the industry have advocated for stronger user education, the experts at Skyhigh included. Michael Del Priore of Catalent Pharma shared an eye-catching message: Don’t count on people to prevent breaches. Security-wise users may be able to resist obvious email scams asking for bank account information to collect winnings from a shady sweepstakes, but increasingly clever attacks may foil even those on guard. This article offers insights on a particularly dangerous form of phishing known as spearphishing: targeted attacks deploying advanced, difficult-to-detect malware. This example is a testament to the importance of detecting data theft on the way out. Given the broad attack surface of a large enterprise, detecting data exfiltration can be just as important as, if not more important than, keeping attackers out.
— Michael Del Priore (@m_delpriore) April 27, 2015
¿Se habla español? Shadow IT is a concern around the globe, as IT leaders in the EU and beyond turn their attention to unsanctioned cloud use. Didac Lopez, CIO at the University of Girona, shared an article on how shadow IT or “dato oscuro” comprises the majority of cloud usage in organizations. Sanctioned IT is often the “tip of the iceberg,” as the total number of cloud services in use is typically ten times what IT expects.
— dlopezv (@dlopezv) April 29, 2015
RSA 2015 is still fresh in our minds, and Theresa Rowe of Oakland University touched on a message mentioned various times at the conference. The consensus is that it’s time to take a hammer to the “secure/not secure” dichotomy. IT and security executives should be willing to accept certain levels of risk for different types of data. It doesn’t make sense to apply the same security controls across all data sets, from the “crown jewels” to less confidential documents. Instead, IT and business units should come to a consensus on acceptable risk and enforce transparent policies.
Actively living this as a CIO – Must.Act.Now. https://t.co/eKRRK1fOw8
— Theresa Rowe (@OUCIO) April 29, 2015