
Get to Know the Public Sector

Learning Objectives

After completing this unit, you’ll be able to:

  • Define the public sector.
  • Describe the types of work performed in the public sector.
  • List the reasons public sector employees are potential cybersecurity targets.
  • Explain the importance of meeting compliance standards.
  • List the risks resulting from the misuse of public sector data.

Before You Start

If you completed the Get Started with Cloud Security Engineering trail, you already know about cloud computing and how to design secure cloud solutions. Now, let’s talk about how to improve the security of public sector data in the cloud.

Overview of the Public Sector

The public sector consists of national, state, and local governments. These entities provide critical infrastructure like roads, bridges, and water systems. They operate public transportation. They administer elections. They also strengthen national defense and secure national security systems. In recent years, many public sector organizations have adopted digital technology to provide better service and more transparency for their citizens. However, this broad array of services, and the sensitive data behind them, makes public sector entities attractive to a variety of cybersecurity threat actors.

A public sector employee in front of a public sector building, with a cloud in the background containing 1s and 0s

To improve the speed, scale, and cost of these digital services, many public sector organizations are migrating and modernizing some or all public services using cloud-based offerings. According to the National Institute of Standards and Technology (NIST), cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources—for example, networks, servers, storage, applications (apps), and services—that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Cloud computing gives public sector organizations the flexibility and scalability to meet modern technology demands. These organizations may run their own cloud for internal resources. Or they can use the cloud services of a private company—a cloud service provider (CSP)—that has been approved specifically for public sector use. They can also use a hybrid deployment model that mixes infrastructure the public sector organization owns and operates with services hosted by a CSP.

The shift to cloud computing has helped improve cybersecurity by taking advantage of the security expertise CSPs offer. But it isn’t without risk. Mapping out those risks and their impacts is critical to assuring that the cloud and the data residing in it remain secure.

Cloud Security

Cloud security consists of a set of policies, controls, procedures, and technologies that work together to protect cloud-based systems, data, and infrastructure. These security measures are configured to protect cloud data, support regulatory compliance, and safeguard customers’ privacy.

Unlike a data center that the public sector organization owns and manages, cloud security responsibilities are shared between the public sector organization and the CSP. Depending on the cloud configuration and licensing agreement, public sector users may have more or less control over how shared resources and data are accessed. It’s important to note that moving to the cloud does not transfer security responsibility to the CSP. While the CSP may operate certain security controls on the public sector organization’s behalf, the public sector customer remains accountable for the security of its data and is responsible for validating that those controls are operating effectively.

Cloud Service Models

NIST defines the following cloud service models, listed in increasing order of how much of the stack the CSP manages.

  • Infrastructure as a Service (IaaS): The vendor provides the underlying compute, storage, and network infrastructure; the customer manages the operating system, middleware, and apps that run on it.
  • Platform as a Service (PaaS): The vendor provides a managed runtime environment for the customer’s app; the customer manages the app and its data.
  • Software as a Service (SaaS): The vendor provides a fully managed app, and the customer need only supply its data and configure user access.

When customer data is processed, stored, or transmitted off-premise and under the control of a third party, such as a CSP, the ability of the data owner to implement security controls is often limited. In cloud computing environments, the implementation of controls is largely dependent upon the type of service (IaaS, PaaS, SaaS), the type of cloud deployment model (private, public, hybrid, multi-cloud), the type of controls (physical versus logical), and the specifications of responsibility delineated in the contract between the public sector organization and the CSP.

It’s critical that public sector customers choose services accordingly and understand the risks and limitations of third-party control. Public sector organizations can outsource the functionality of a role, such as storage management, but must still verify security requirements like encryption are implemented. Whether you’re a private CSP employee or a public sector employee, if you have access to public sector cloud services, you have privileged access to critical infrastructure, networks, and data. Let’s dig a bit deeper into what makes public sector cloud security concerns unique. 

Public Sector Data Security Requirements

Public sector cloud services have unique security compliance requirements. Data stored in a public sector cloud platform must be maintained and secured to meet these special compliance requirements. As more organizations adopt the cloud, public sector organizations have created a number of security aids, standards, and regulations to safeguard those transitions. The following list gives some regulations and standards that outline public sector data security requirements in the US, with a description of each.

  • Federal Information Security Management Act (FISMA) of 2002 and Federal Information Security Modernization Act (FISMA) of 2014: Strengthen information security within US federal agencies by requiring them to implement information security programs that ensure the confidentiality, integrity, and availability of their systems.
  • NIST Risk Management Framework (RMF): Gives federal agencies, contractors, and other organizations that use or operate a federal information system a risk-based approach to developing, implementing, and managing information security risk.
  • Federal Information Processing Standard (FIPS PUB 199): Defines the low, moderate, and high impact levels used to categorize the sensitivity of data and systems; the resulting categorization drives which controls are needed to secure data at each level.
  • NIST SP 800-53: Defines security controls for information systems (including cloud systems) that contain public sector data, covering areas such as access control, media protection, and physical and environmental protection.
  • Federal Risk and Authorization Management Program (FedRAMP): Defines security baselines for cloud services based on the NIST SP 800-53 controls.
  • Department of Defense (DoD) Cloud Computing Security Requirements Guide: Builds on FedRAMP to tailor control baselines for DoD mission owners, providing a knowledge base for cloud computing security authorization processes and security requirements.
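The FIPS 199 categorization in the list above is a mechanical procedure, so here it is carried through in Python as an added example that is not part of the original page. FIPS 199 expresses a security category as SC = {(confidentiality, impact), (integrity, impact), (availability, impact)} with impact values LOW, MODERATE, or HIGH; a system’s category is the high-water mark over every information type it handles, and the highest of the three objectives is what selects a control baseline such as the FedRAMP Low, Moderate, or High baseline. The citizen benefits portal and its information types below are constructed for illustration.

```python
# Added example (not from the page): FIPS 199 security categorization with the
# high-water mark rule. The information types and their impact values are
# constructed for illustration, not taken from any real system.
from enum import IntEnum


class Impact(IntEnum):
    NA = 0        # "not applicable": FIPS 199 allows this only for confidentiality
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


def categorize_information_type(name, confidentiality, integrity, availability):
    """Build the security category of one information type, enforcing the
    FIPS 199 rule that NA is permitted only for confidentiality (public data
    has no confidentiality impact, but integrity and availability always do)."""
    if integrity is Impact.NA or availability is Impact.NA:
        raise ValueError(f"{name}: NA is only valid for confidentiality")
    return {"confidentiality": confidentiality,
            "integrity": integrity,
            "availability": availability}


def categorize_system(information_types):
    """High-water mark per objective across all information types the system
    handles. A system's objectives are at least LOW, so a system holding only
    public information (confidentiality NA everywhere) still gets LOW."""
    if not information_types:
        raise ValueError("a system must handle at least one information type")
    system = {}
    for objective in OBJECTIVES:
        highest = max(it[objective] for it in information_types.values())
        system[objective] = max(highest, Impact.LOW)
    return system


def overall_impact(system_category):
    """Single impact level used to pick a control baseline (for example the
    FedRAMP Low/Moderate/High baselines): the highest of the three objectives."""
    return max(system_category.values())


def format_category(system_category):
    """Render the category in the notation FIPS 199 uses."""
    parts = ", ".join(f"({obj}, {system_category[obj].name})" for obj in OBJECTIVES)
    return "SC = {" + parts + "}"


# Constructed sample: a hypothetical citizen benefits portal.
BENEFITS_PORTAL = {
    "public program descriptions": categorize_information_type(
        "public program descriptions", Impact.NA, Impact.LOW, Impact.LOW),
    "applicant PII and income data": categorize_information_type(
        "applicant PII and income data", Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    "payment disbursement records": categorize_information_type(
        "payment disbursement records", Impact.MODERATE, Impact.HIGH, Impact.MODERATE),
}

if __name__ == "__main__":
    category = categorize_system(BENEFITS_PORTAL)
    print(format_category(category))
    # SC = {(confidentiality, MODERATE), (integrity, HIGH), (availability, MODERATE)}
    print("overall impact:", overall_impact(category).name)  # overall impact: HIGH
```

Note how a single HIGH integrity rating on the payment records pulls the whole system to the High baseline even though its confidentiality is only MODERATE; that is the intended effect of the high-water mark, and it is why information types should be enumerated carefully before a CSP offering is chosen.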

Here are some examples of security compliance requirements for public sector cloud services in other countries.

  • India’s Ministry of Electronics and Information Technology (MeitY) provides requirements and guidelines for CSPs to register their services with the Indian government to be considered eligible to work with public sector entities in India.
  • The Japanese government has a system called the Information System Security Management and Assessment Program (ISMAP) for assessing the security of CSPs to participate in public sector projects.
  • The Australian Signals Directorate (ASD) runs the Infosec Registered Assessors Program (IRAP), under which endorsed assessors evaluate the implementation and effectiveness of an organization’s security controls against the Australian government’s security requirements.

No matter the country, cloud security compliance requirements put in place data location constraints, requirements for identity management and privacy, requirements for confidentiality, integrity, and availability (CIA), and more.

Threat Actor Targets and Meeting Compliance Standards

Whether you’re a private CSP employee or a public sector employee with access to critical security systems, infrastructure, networks, and accounts, you’re a primary target for cybercriminals and foreign intelligence organizations. Combating all such threats is critical to national security and a well-functioning civil society. As a critical part of an organization’s defenses, you play an important role in protecting privacy and security.

As someone with access to public sector data, you need to be aware of, understand, and follow the heightened security, privacy, and compliance measures that platforms containing this data require, and you need to recognize what threats to public sector cloud services may look like. This means validating on an ongoing basis that the security controls you’ve selected are actually implemented and functioning properly, not assuming they are because the CSP holds a certification. Fortunately, CSPs provide a range of features and services that public sector customers can use to build cloud solutions that meet their security needs.

Risks of Misuse of Public Sector Data

There are varying levels of risk to public sector data if the CIA of the data is compromised. Depending on the type of information breached, a victim can suffer social, economic, or physical harm. If an identity thief gets hold of the compromised information, the victim may face financial loss, damaged credit, compromised medical records, threats, or harassment.

If public sector data is misused, your organization can also suffer financially. If the root cause of the data loss is your organization’s failure to adhere to laws and regulations, your organization or its staff can be subject to criminal or civil penalties, or incur additional costs associated with responding to and recovering from the incident, including having to fund credit monitoring for your customers.

Your organization can also face close scrutiny from regulators. In the end, organizations that don’t protect public sector data put their public reputation at risk and can shatter public confidence. As someone with access to public sector data, it’s your responsibility to review and assess the risks associated with its misuse, and to do your part to minimize them.

Sum It Up

Now that you understand more about the public sector and why users dealing with public sector data are potential cybersecurity targets, let’s take a look at one specific type of threat to public sector data security: insider threat.
