With the disclosure of the full impact of the breach at the Office of Personnel Management, demand is growing for an explanation of how the sensitive contents of 21 million government background checks were left vulnerable to hostile actors. Breach post-mortems rarely result in a single black-and-white preventative step, and this case is no different: OPM did not implement key security controls, namely data encryption and multi-factor authentication.
This failure did not stem from blatant neglect but rather from a systemic shortcoming of many legacy systems. As an OPM IT spokesperson argued, implementation of industry-standard technologies like encryption and multi-factor authentication is “not feasible on networks that are too old.”
Faced with antiquated infrastructure, it’s clear that government organizations require a fundamental shift in security strategy to stay ahead of threats from criminal and state-sponsored attackers. Cloud computing and the utility model have revolutionized collaboration, productivity, customer experience, and agility, and hold similar benefits for resilience and data security. The breach at the OPM is a stark notice that the reluctance of many government organizations to migrate to the cloud has left our nation’s most sensitive data in antiquated and fundamentally insecure homegrown systems.
An Irrational Cloud Phobia
Many public sector organizations are irrationally reluctant to leverage cloud services. Meanwhile, cloud adoption is relatively mature in the private sector. Private sector companies have flocked to cloud services to take advantage of huge boosts to business, experiencing a 20.6 percent improvement in time to market and an 18.8 percent increase in process efficiency.
The less publicized side of the story is that enterprise-ready cloud services offer best-in-class security capabilities that, in many cases, exceed those of on-premises systems. Public perception, however, has often mistakenly labeled cloud services as categorically insecure. Enterprise-ready cloud providers are more battle tested, they have more resources, oftentimes more skilled resources, and they have more at stake in terms of the security of their systems. A data breach at a large organization can cost the CISO (or director) their job; a data breach at an enterprise cloud service provider can put the vendor out of business.
Human Resources Software: Cloud’s Strong Suit
Nowhere does the cloud have a better advantage over on-premises solutions than in the human resources category. The OPM has demonstrated that homegrown government databases are ticking time bombs due to insurmountable challenges to updating, implementing, and scaling security technology. HR cloud applications, on the other hand, have made significant investments in security to meet the growing market demand for user-friendly, enterprise-ready HR solutions.
Security tends to be an emotionally charged topic, especially with regard to the cloud, but hard data reveals the maturity of these solutions. Zero of the 40 most popular HR cloud service providers are rated high-risk, and nearly a third (27.5 percent) are rated Skyhigh Enterprise-Ready, meaning they meet the strictest enterprise security requirements. Crucial security capabilities are well represented among the top 40 HR services: 20 percent encrypt data at rest, and over a third (35 percent) support multi-factor authentication.
The top HR services are, on average, much more secure than the rest of the over 13,000 cloud services, of which only 7 percent are rated enterprise-ready, 9.4 percent encrypt data at rest, and 15.4 percent offer multi-factor authentication. The private sector has already embraced HR cloud services. Four different applications – Workday, SuccessFactors, SAP Human Capital Management, and Silkroad – have large deployments within at least 20 percent of the more than 400 large companies analyzed. Many cloud HR service providers are well-funded, highly profitable companies and have some of the sharpest minds across the world working to ensure continued progress and innovation in security.
A Risky Status Quo
HR records are treasure troves for hackers, whether attracted by geopolitical or financial motives. The hesitation of many government organizations to leverage cloud services is largely based on an outdated and inaccurate perception that cloud services are inherently less secure. On the contrary, the numbers illustrate that there is a wealth of enterprise-ready options for managing sensitive data. For organizations that have so far held out, the OPM breach should be a call to action: it’s time to stop thinking of cloud computing as risky when the alternative is clearly riskier.