The Impact of the Cloud on Information Security
By Vennard Wright, Chief Information Officer, WSSC (Washington Suburban Sanitary Commission)
As a CIO for the Washington Suburban Sanitary Commission (WSSC), which is a 100-year-old public water utility serving 1.8 million customers in Maryland, across 475,000 accounts, I’ve realized the challenge of balancing evolving information security considerations against emerging digital demands, while also accounting for the rapid proliferation of “as-a-service” and cloud offerings. This means that, in many ways, my internal IT organization has had to modify our cybersecurity and network policies on the fly, to account for recent technology developments and transformations, while conversely ensuring those advancements don’t have an adverse impact on our operational environment.
These include active considerations around how applications are deployed, our data is governed, computing networks segmented and how information is accessed. We realize that failing to plan carefully or moving too quickly can lead to costly breaches or open our computing environment up to other security vulnerabilities.
However, we also realize that effectively incorporating cloud or “as-a-service” offerings into our enterprise level planning could help with rapid mitigation of cybersecurity incidents such as ransomware attacks by offering the infrastructure to fall back to a satisfactory point prior to the incident, without incurring the upfront capital costs of a large hardware purchase.
"Our practice is to lead with cybersecurity as the prime consideration, keeping in mind the lessons learned from very public breaches that have occurred over the past decade"
Recent research by Kaspersky Lab estimated that the cost of a single ransomware incident can cost a company more than $713,000 on average, which has the potential to be financially crippling for most small to midsized businesses with limited budgets.
To that end, we are carefully planning for multiple cloud or software-as-a-service (SaaS) migrations which will help to avoid or defray those costs by leveraging built-in tools that allow for enhanced control and management of security, compliance and usage risks of enterprise level applications.
Gartner estimates that there are currently over 10,000 SaaS applications reportedly in use, which means that single points of control, such as identity governance and administration tools and cloud access security brokers (CASBs), are increasingly important considerations for our security team, facilitating enterprise governance over what would otherwise be an unmanageable set of disconnected applications residing in the public and private clouds for WSSC.
The reality for us is that our legacy, on-premise datacenter was not originally constructed with avoidance of outsider threats as a primary consideration. However, most leading cloud computing providers such as Amazon Web Services, Microsoft Azure and Google Cloud Platform were architected from the beginning with good internal practices, possess solid security protections around their core business offerings, and are positioned to extend those protections to us as a customer, while also helping to mature our internal cybersecurity and compliance policies to align with industry best practices.
However, we do seek to effectively measure each engagement before we enter into a new cloud hosting agreement, to ensure we are not increasing our level of risk and are taking full advantage of the security advancements that are inherent in many cloud prover offerings.
With the wide array of cloud and SaaS offerings, we do rely on widely recognized industry certifications and frameworks such as ISO 27001, NIST and FedRAMP to evaluate vendors and measure their ability to protect our critical production applications and data.
This has been a bit of a departure from our previous practice of evaluating new technologies and solutions mostly based on functionality, ease of deployment and cost. Now our practice is to lead with cybersecurity as the prime consideration, keeping in mind the lessons learned from very public breaches that have occurred over the past decade, which, in most cases, has diminished that organization’s public profile and put their customers at risk.
As I seek to keep WSSC’s computing environment secure and confidential, both in the cloud and on premise, I’ve been forced to reexamine our approach, make many adjustments, develop mitigation strategies and to become intimately familiar with current information security industry developments.
Those adjustments include, among other things, hiring additional internal information security personnel, deploying mandatory end user awareness training to all users and creating solicitations to extend our existing cybersecurity capabilities, all toward the goal of achieving our collective goal of maintaining a confidential and highly available computing environment for WSSC end users and customers.
In addition, we are exploring the viability of deploying a managed security operations center over the coming fiscal year, which will be complemented by a managed detection and response (MDR) service to assist us in better understanding our hosting environments, and to enhance our threat detection and response capabilities. This will allow for real-time, 24/7 monitoring and incident response for detected threats, on-demand and around-the-clock.
In the long term, this will also aid in our efforts to continue building our security information and event management (SIEM) software platform, providing valuable insight into activities within our IT environment and in our cloud applications by providing the log and event data in real time to provide threat monitoring, event correlation and incident response.
Lastly, we regularly engage in ongoing dialogue with leading cloud providers, utilities of a similar size and complexity, research organizations and trusted advisors to remain abreast of evolving industry advancements. Our information security professionals are also encouraged, as part of their individual development plans, to continue training, regularly attend conferences and seek additional certifications to ensure they are prepared and qualified to support our cloud deployment strategies.
Each of these internal initiatives and considerations help to set the foundation for our evolving cloud strategy, which helps to further improve our information security posture and achieve our vision of becoming THE World-Class water utility, where excellent products are always on tap and, most importantly, secure.