No one ever said it would be easy to keep cloud computing secure

Like many departments, Health and Human Services has moved much of its information technology into commercial cloud computing. Cloud computing brings many benefits to be sure, but it also takes a lot of attention, especially for cybersecurity. The HHS Inspector General completed a look at security for applications operated by the Office of the Secretary. Here on the Federal Drive with Tom Temin with the findings, the assistant IG for cybersecurity, and IT audits, Tamara Lilly.

Interview transcript: 

Tom Temin  Ms. Lilly, good to have you with us.

Tamara Lilly  Thank you. Glad to be here.

Tom Temin  And what were you trying to look at here? The Office of the Secretary, it seems pretty specific for applications you looked at. Tell us more about the extent of what you were auditing.

Tamara Lilly  So, let me give you a little context. We actually had designed a series of audits in looking at cloud security. And this is one of the five in the series. And, so, our focus here was at the headquarters level, and the offices that are within the Office of the Secretary, so, not the Secretary himself, for the deputy secretary, but there are multiple offices within that office that provide needed and critical services to the organization. And it’s their system’s cloud systems that we were focused on.

Tom Temin  And would these be systems that are used agencywide, or is it something else?

Tamara Lilly  They would be systems that would be used, in addition to agency wide potentially, but also in the cases, if you will, of an emergency. So, it’d be with external parties as well, as well as customers at the highest level that might need to interact with some of those, again, headquarter level services that they provide.

Tom Temin  So, would this be, for example, HR systems, or financial systems, that kind of thing?

Tamara Lilly  This particular audit did not focus on those two categories. We have an ongoing annual audit, that includes those. These were focused on not those specific systems, but other cloud computing systems they had contracted for.

Tom Temin  Okay. And these were things that, I’m presuming, one time, were in a data center, and now they’re in the cloud?

Tamara Lilly  Yes, in some cases, and some are new contractual relationships. As the offices’ needs evolve, rather than starting in a traditional data center, they’ve initiated those with cloud service providers. For example, we all remember COVID and what was needed from the department in terms of its communications with internal parties, as well as external. So, they had an office at the time. And I just want to highlight, this work started in 2022. They had an office that was an emergency response office, and it had and has a system that communicates in times of emergency between the various partners, and that was included in this particular review.

Tom Temin  And what were you actually looking at? What were you trying to discover about these systems?

Tamara Lilly  So, we were specifically focused on whether the controls the cybersecurity controls that should be in place as required by federal government were in place for systems that they owned, operated or maintained? And to determine whether they prevented or would detect a cyber attack that would harm operations. So, that was our focus for this particular audit.

Tom Temin  Yeah, that’s kind of the crucial question nowadays, because when agencies were in their own data centers, they were totally responsible for cybersecurity and pretty much everything else. But when you’re in the cloud, it’s not quite as clear cut what the cloud provider is securing and what you as the client, or the customer, also has to secure. Is that part of the issue here?

Tamara Lilly  Absolutely. You hit the nail on the head. That was what we were looking at, one, because those security responsibilities are shared between the cloud service provider, and the agency. In this case, it’s important, it’s key that those responsibilities are defined and understood. And then their respective party does their share, they actually implement those controls to ensure security is in place.

Tom Temin  And were you doing pressure testing and seeing whether attacks would succeed, that kind of thing? Or was it more of an audit of what’s in place in terms of cyber controls?

Tamara Lilly  We actually did a little bit of both. So, one, the foundation, if you will, was looking at the inventory. We wanted to determine whether the inventory of those cloud systems existed because you need to know what to protect. And that will be contained in the inventory. And then the other part of the audit was doing some pressure testing, if you will, but it was from two different types of approaches, where we use scanners and cloud assessment tools to determine whether the configurations of those cloud systems were appropriate. So, if you only want five people that enter or use, then you want to ensure that your configuration is set up that that is the case and then we also did what we call penetration testing. And that’s where, if you will, we act like a hacker trying to gain access from external and, to some degree, internally. They’re simulated cyber attacks.

Tom Temin  We are speaking with Tamara Lilly. She is the assistant Inspector General for cybersecurity and IT audits at Health and Human Services. And, well, what did you find, between the pressure testing, the penetration testing, and so on?

Tamara Lilly  So, again, we started with the foundation step of looking at the inventory. And what we found with the inventory is that there were some systems not documented in the inventory. And, so, again, the reason why that’s important is because because you need to know what to protect. So, you need to know what you have in your environment that needs and requires protecting. We also, the bigger, larger portion, if you will, of the audit, was focused on that pressure type testing, the penetration testing, the scanning, and assessment tools. And in that regard, we identified numerous controls that were not operating effectively, or a sample of the security, asample other systems in that inventory. A small sample actually, there were only 14 cloud information systems that we focused on.

Tom Temin  Wow. And, so, with the controls not in place, then anything is possible, sounds like.

Tamara Lilly  Well, I wouldn’t say anything is possible. They ranged from some very basic controls that needed strengthening around. We’re doing a better job with rotating passwords, if you will. But you know, there were just a couple that caused us to immediately notify the department so that they could take some sooner actions than others. But even those are not atypical of any other almost entity that focuses in this cloud arena. And you probably yourself have heard time and time again, the need to ensure multi-factor authentication is in place across the accesses that are provided to those that are accessing the the various systems. And, so, while passwords existed, what we were looking at for those multifactor whereas you need to know something such as a card or such and a pen, some information you have. And, so, that was one of the more important control weaknesses that we identified.

Tom Temin  In the inventory question, somebody must know that they were there, but there was no single point of information that the department could know everything was there. Is that a good way to put it?

Tamara Lilly  I agree. Yeah, obviously, you know, people know the systems are there, they’re maintaining the systems, the requirement for the federal government is that those systems all be listed. So, that you know, if you will, if I don’t show up at work one day, and there’s a need to patch systems quickly, such as some of the cybersecurity events we’ve had, you can’t rely on me. So, the government requires that those all be documented in one place and some key information about them. So, at any given point in time, that’s available.

Tom Temin  And by the way, who’s responsible for these systems? Is it the HHS CIO office? Or is there a separate sub-CIO, if you will, for the Office of the Secretary?

Tamara Lilly  They both, actually. So, at the headquarters level, if you will, there is the Chief Information Office and an officer and information security officer at the headquarters level responsible for policies, procedures, and those systems that they are more directly involved in. But within each of the agencies under HHS, they take direct responsibility, their respective sub, if you will, information officers take responsibility for maintaining their inventory. And together, they make one department wide inventory.

Tom Temin  So, it sounds like you had some recommendations for them.

Tamara Lilly  We absolutely had recommendations. We had four recommendations, and I’m pleased to report that they were taken very seriously and the department almost immediately while we were doing the audit, we made them aware, took action and have completed all, if not all, of the corrective actions needed to address our recommendations. But our recommendations, if you will, as you would imagine, one was that they needed to ensure that the cloud inventory was complete and accurate. The other recommendation was that they address the 12 security control findings that we had identified, and we recommended two other actions to be taken. One was to implement a strategy for identifying purchasing and implementing security control assessment tools and scanners. And this will facilitate the department’s ability to identify and remediate weaknesses, more timely, as well as to develop a policy and a process for training of security officers. It’s a challenge in our world in our environment, with keeping security officers on staff and just having a well developed program and policy to ensure that happens is is one of the things we wanted to see improve.

Tom Temin  All right. Sounds like some good advice for everyone in the cloud era. Tamara Lilly is assistant Inspector General for cybersecurity and IT audits at Health and Human Services. Thanks so much for joining me.

Tamara Lilly  Thank you for having me.

Tom Temin  And we’ll post this interview along with a link to her report at federalnewsnetwork.com/federaldrive. Subscribe to the Federal Drive wherever you get your podcasts.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.