As telework expanded rapidly for the federal workforce, so did the use of commercial cloud services. A study by McAfee found it grew 50%. That in turn seems to have attracted a blizzard of cybersecurity threats. Joining the Federal Drive with Tom Temin with more on the study, McAfee’s U.S. public sector chief technology strategist, Ned Miller.
Tom Temin: Give us a sense, first of all, across all of the sectors, how much cloud and cloud services grew–because the numbers are pretty astounding during the pandemic.
Ned Miller: Yes, Tom, that’s accurate. We observed collaboration services as an example: things like Microsoft Office 365, Microsoft Teams, Slack, WebEx, etc., Zoom, as an example, increased over 600% in usage during a period of time which we were studying from late January through the April time frame–pretty significant in government and financial services, actually.
Tom Temin: What about, say, manufacturing or some of those sectors? Or food services, that kind of thing? Does it get that fine grain? I mean, how does government compare in its growth of the services compared to other parts of the economy?
Ned Miller: Great observation, Tom. We have, obviously, observed all of the sectors that we monitor globally. So across the globe, including financial services, healthcare, public sector, state and local education, retail, technology, manufacturing, energy, utilities, legal, real estate, transportation, and even business services at the small business level, have all seen a significant increase in the use of cloud-based services. And you’re 100% accurate. We’ve seen the security threat landscape also increase exponentially across all of those sectors with government being in the top three.
Tom Temin: Sure. And I guess as an aside, before we get into some of the details on security, it’s kind of remarkable how well the internet itself has held up, which is something of a security issue if operations are interrupted, because the internet, somehow, is brought to a halt.
Ned Miller: True. In my interactions with a number of C-level executives, CIOs, chief information security officers, etc., it appears as though we’ve adapted pretty well to the significant surge and increase of users working remotely. There were some challenges in the beginning, but now that we’re 12, 14 weeks into having to adapt, the challenge of getting access now seems to have subsided to a certain extent. What we are now seeing, and this report provides some empirical evidence here, is that security has risen to the top again in terms of one of the chief concerns. And it’s specifically related to the types of security clouds, specific applications that users are accessing.
Tom Temin: Yes, let’s talk about those. What are some of the specific new threats that come because of use of these things, ranging from Slack to Skype to Zoom, and all of those.
Ned Miller: Sure. So within the collaboration tool category itself, there’s a couple of things that we encourage cyber defenders and users to be well aware of. So when you’re sharing data with these collaboration tools, it’s, by design, made to be very easy for you and I to exchange information in lots of different formats. We can exchange emails, we can cut and paste, we can work jointly on PowerPoint presentations, we can share spreadsheets, and it’s made to be very easy to do. Unfortunately, what a lot of folks don’t realize is it’s actually happening in the cloud itself, and some of the traditional legacy-based security tools that would typically provide some level of visibility and enforcement on the data are not able to see what is actually occurring as it’s moving or traversing cloud to cloud. So there are new threats that are introduced; adversaries are starting to attack these collaboration capabilities in a number of different forms. We’re starting to see a lot more attacks on credentials. As you might imagine, once credentials are compromised, then it’s very easy to get access to this data without implementing the right kinds of new cybersecurity tools to prevent this kind of behavior.
Tom Temin: We’re speaking with Ned Miller. He’s chief technology strategist for US public sector at McAfee. And when you say that they attack the cloud-to-cloud transactions and movements, does that imply that some of the services and collaboration tools providers regularly hop from cloud to cloud just for their own load balancing purposes, and that’s where some of the vulnerability comes in?
Ned Miller: Yes. And I would extend that a little bit further–just the nature by which the cloud providers provide access and can stipulate service levels to five nines, as we say in the industry. They have fault tolerance built in, so data can be stored in lots of different locations. And as a result, we start to introduce risk because the data could reside in multiple cloud locations. So, from that perspective, now you need to have the ability to have visibility into where your data is; is it secure, meaning is it encrypted; and, with the government leveraging multiple cloud service providers now, it’s imperative that they, the cyber defenders, have tool sets that give visibility across cloud service providers. So whether they’re using AWS or Microsoft or Google or Oracle for that matter, visibility into where your data is, who’s accessing it, is critical to putting together a good governance model.
Tom Temin: So, it’s true then that the attackers are spending less time worrying about endpoints, in other words, because the endpoints are sending their data to somewhere where they found a fresh way to get at it, would that be an accurate way to put it?
Ned Miller: It’s certainly one perspective. I would also submit for consideration that we’ve seen a significant uptick in usage of endpoints that are considered unmanaged by the enterprise or by the agency or department, still getting access to cloud-sanctioned services, and these unmanaged devices, we have no idea what security state they would be in. So they also become, yet again, another rich target for adversaries to focus on.
Tom Temin: Got it.
Ned Miller: We’re seeing it in both sides now.
Tom Temin: Alright, so let’s talk about the cloud end for a moment. I’m an agency and I may have applications and other data in a cloud, say, a Microsoft cloud, a Google cloud, whatever cloud. I’m also using a collaboration tool, which may also use that cloud. But that’s a different customer than I am for my source data. So what is a good strategy for making sure that your Zooms and your Ring Centrals and your Slacks and all those things, are as protected as you would be if you were accessing your stuff directly from your own cloud services provider under your own contract?
Ned Miller: So from our lens, and what we’re suggesting to customers, is to look for technologies such as what we refer to as CASB, cloud access security brokers, that provide administrators and cyber professionals and defenders the visibility and control over cloud access for sanctioned services. It provides data protection policy enforcement, and can also provide visibility into user behavior. So when you have those key elements within your span of control, it starts to mitigate the risk as your data traverses any one of these clouds. Obviously, encryption is still key, and the ability to ensure that you have encryption on the systems where your data is being stored, and that you have control and visibility over whether or not the configuration of who has access to the data is continuously being monitored, is critical to a successful governance model.
Tom Temin: And for those unmanaged or unsanctioned endpoints that people are using, should those be brought into the endpoint management systems that are the mobile device management systems that agencies have? Or should they maybe say, “Folks, you got to use the devices we issue and get back to some sort of security regime here?”
Ned Miller: Tom, that’s a great question. The reality is, as the device, over time, continues to evolve, having unmanaged devices as part of an organization strategy is going to be the new reality that we have to deal with. Being able to manage every single classification of device is extremely difficult and in some cases cost-prohibitive for agencies and departments. We’ve been working with Homeland Security, as an example; the CISA organization put out additional guidance related to telework, around the TIC 3.0 initiative as an example, and they specifically call out alternative approaches for unmanaged or even managed devices to get direct access to sanctioned services or SaaS-based applications that reside inside the agency. Some of the recommendations are that those endpoints go through a web security gateway and/or a CASB, cloud access security broker, to ensure that the user authentication, device authentication, and then access to the data, is monitored. And again, there’s a security profile against who has access to what data and when.
Tom Temin: And in the early days of so-called BYOD, bring your own device, you heard anecdotes about people wanting their Xboxes to be accessed, because they’ve got good graphics and monitors and so forth. Are you still seeing that? Or is it mostly phones that are just simply owned by the end users?
Ned Miller: It’s mostly still computer systems, notebook systems; there’s less of the, you know, perhaps the classification of IoT access, if you would describe, you know, Xbox and that kind of category. To us, though, it is a device and it is another way to get access to the internet. So there are protections that could be put in place for those classifications of devices as well. But it’s less of that today, at least in the way the study looked at it. It’s mostly folks using their own devices from home or agency-issued computers that they’re going back through the agency VPN with to get access to certain classifications of data.
Tom Temin: Ned Miller is chief technology strategist for the US public sector at McAfee. Thanks so much for joining me.