Cloud Data Security for Public Sector
Whether it's ensuring that citizen data never leaves a border via tokenization or helping our clients show regulators that it is locked down with FIPS 140-2 encryption, Blue Coat is a leader in government cloud security solutions. We are making the move to the public cloud a reality for governments across the globe.
Government Cloud Security: Challenges and Requirements
Most government agencies and public sector organizations are entrusted with sensitive data that must be processed and interpreted in order to complete their missions. Whether this data is PII associated with their country’s citizens, or confidential information that is governed by one or more of a host of compliance regimes that cover treatment of data in the sector, strict policies are always in place to ensure information is adequately protected.
But government agencies - at the federal, state and local levels - are being pressed to make the move to the cloud wherever they can. Initiatives like Cloud First in the USA and G-Cloud in the UK and Canada have defined ambitious objectives for cloud adoption in the government. Unfortunately, many agencies find that they are not able to adopt some of the leading SaaS applications that appeal to them because they cannot ensure compliance with the prevailing data security requirements governing the data they control.
Handing data to third-party public cloud providers for processing and storage proves too great a challenge, so they stay trapped in an on-premises world. Issues include:
- Some agencies deal with information that falls under defined compliance regimes. For example, agencies in the United States that need access to FBI data must comply with CJIS (Criminal Justice Information Services) data security requirements. Staying in the USA, agencies that have access to data on certain U.S. weapons systems must comply with the State Department’s ITAR and the Commerce Department’s EAR. Many agencies that have access to PHI must comply with HIPAA. Similar guidelines exist in governments around the globe.
- PCI DSS. Many agencies maintain payment card and bank details (accounts, routing numbers, etc.) of citizens. These details need to be protected in the systems in which they reside, including cloud systems.
- SBU Protection. Some organizations work with Sensitive But Unclassified (SBU) information. NIST provides specific guidance on how this data must be treated in networked environments such as public clouds.
Blue Coat Offers a Solution for Government Cloud Security Requirements
It is clear that the issues government agencies and public sector organizations face when considering cloud adoption are unique. The critical issue is the loss of data control that is the hallmark of public cloud SaaS use. Blue Coat’s Gateway is being used to bridge these sorts of organizations to the cloud. It lets them use the cloud apps they want while maintaining full control of the sensitive data that is most important to them – regulated information and citizen PII.
Customer Case Study:
Government Agency Moves to the Cloud with Some Help from Blue Coat
This U.S. state government agency is responsible for law enforcement in one of the largest states in the Union. One of the areas it is accountable for is the identification and prosecution of fraud perpetrated against the state, including fraud against public assistance programs (such as Medicare, Food Stamps, etc.).
The team responsible for working cases of possible fraud determined that a new IT system was required to manage the case workload effectively, and they began to explore cloud-based systems as potential replacements for the on-premises solution then in use.
Data privacy and compliance professionals working with the IT assessment team knew of recently announced changes to the CJIS (Criminal Justice Information Services) guidelines that placed restrictions on how CJIS-related data needed to be secured. Since CJIS data was an integral part of the information informing the fraud case investigation process, these requirements needed to be considered as part of the new system design.
CJIS data security requirements specified that organizations using CJIS data needed to be able to show that either:
- CJIS data never left the control of the agency’s own secured datacenter; or
- CJIS data outside of the agency’s datacenter was encrypted via a FIPS 140-2 level of encryption throughout its entire lifecycle (transmission – storage – processing).
These requirements created challenges for any cloud-based system. How could data be kept out of the cloud without hampering the usability of the system? How could data be kept encrypted while it was being processed? The team identified their preferred cloud provider – Salesforce.com – but were at a standstill because of the compliance issues. At that point, the team turned to Blue Coat to help address the requirements.
The project team architected a solution that deployed Blue Coat’s Cloud Data Protection Gateway within the agency’s secured datacenter. Policies were defined in the Gateway to ensure that CJIS data associated with case files was obfuscated before it left the agency’s control. Therefore, the information sent to the Salesforce Cloud for processing and storage was compliant with the CJIS security requirements. Any unauthorized party viewing the case files within the cloud system would see substituted, meaningless values instead of the original CJIS data. And best of all, the Blue Coat Gateway ensures that the critical application functionality the case workers in the fraud investigation unit depend on, such as the ability to search on case file data fields that have been obfuscated, is retained.
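The pattern in this case study (tokenize policy-marked fields inside the datacenter, send only substituted values to the SaaS provider, keep equality search working) sketched as an added Python example. This is illustrative code written for this page, not Blue Coat's Gateway; the class, field names and sample case file are constructed assumptions.

```python
import hashlib
import hmac
import secrets

class TokenizationGateway:
    """Constructed sketch of an on-premises tokenization gateway (not Blue Coat's code).
    Policy fields are swapped for tokens before a record leaves the datacenter; the
    plaintext stays in a local vault, so the cloud copy holds only substituted values."""

    def __init__(self, policy_fields, key=None):
        self.policy_fields = set(policy_fields)    # fields the policy marks as CJIS data
        self.key = key or secrets.token_bytes(32)  # vault key, never sent to the cloud
        self.vault = {}                            # token -> plaintext, on-premises only

    def _token_for(self, value):
        # Deterministic keyed token: same plaintext -> same token, which is what keeps
        # equality search working; the key stops the provider recomputing tokens.
        mac = hmac.new(self.key, value.encode(), hashlib.sha256).hexdigest()
        return "TOK_" + mac[:24]

    def protect(self, record):
        """Outbound: substitute tokens for policy fields and remember the mapping."""
        out = {}
        for field, value in record.items():
            if field in self.policy_fields:
                value = self._token_for(value)
                self.vault[value] = record[field]
            out[field] = value
        return out

    def reveal(self, record):
        """Inbound: restore plaintext for authorised users inside the datacenter."""
        return {f: (self.vault.get(v, v) if f in self.policy_fields else v)
                for f, v in record.items()}

    def search_term(self, field, value):
        """Rewrite a search on a protected field into the token the cloud holds."""
        return self._token_for(value) if field in self.policy_fields else value

def demo():
    gw = TokenizationGateway(policy_fields=["subject_name", "subject_ssn"])
    # Constructed sample case file; all values are fictitious.
    case = {"case_id": "F-1001", "subject_name": "Jane Example",
            "subject_ssn": "123-45-6789", "program": "Food Stamps"}
    cloud_store = [gw.protect(case)]  # what the SaaS provider receives and indexes
    ssn_tok = gw.search_term("subject_ssn", "123-45-6789")
    hits = [r for r in cloud_store if r["subject_ssn"] == ssn_tok]
    return cloud_store[0], gw.reveal(cloud_store[0]), hits
```

The trade-off to note is that deterministic tokens leak equality (two case files with the same SSN carry the same token), which is exactly what makes search possible; a gateway that must hide even that would need to stop supporting search on the field.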