Every company is undergoing its own digital transformation project, but there is a clear gap between the public and private sectors; analyst research suggests that governments have a low to moderate maturity when it comes to digital. Gartner highlights that due to inflexible business models that aren’t easy to disrupt, government agencies struggle with digital transformation. While the private sector has been quick to adopt new technologies and digitize their businesses, there has been greater hesitation in the public sector due to concerns about vendor lock-in and security.

Just like any company, public sector organizations don’t want to be technically locked into a product for years without reaping value, so much so that the Government Digital Service (GDS) provided guidance documentation on how to manage lock-in.

On the security front, according to a UK Cloud survey, 85.2% of public sector respondents said they are worried about the security of cloud services. A research poll in 2019 indicates that UK councils experienced 800 attacks per hour; security is going to be of paramount importance for any digital project. Migrating to a new IT model securely is difficult, even more so when there is a national shortage in cybersecurity skills. It also means relinquishing partial control to service providers.

To ease the transition, the UK Government has launched a number of initiatives to catalyze digital transformation in the public sector. In 2013, the UK Government introduced a cloud-first policy for all technology decisions. In March 2020, the UK Government published ‘Cloud guide for the public sector’ in a bid to help public sector organizations determine cloud strategies, implement cloud migrations, and manage cloud usage. Earlier this year, the UK Government signed a non-binding agreement with Microsoft so that eligible public sector organizations can receive discounted pricing on various Azure public cloud offerings.

The wheels are firmly in motion for public sector digital transformation, and the benefit of doing this now is that best practices around security and management can be adopted, something that early adopters had to forge themselves.

Modernizing security for the new age of IT

In parallel with the adoption of cloud services, an increasing range of device types is being used for remote access, breaking the traditional, perimeter-based security model. When all users, devices, and applications sat on-premise, IT had much greater control over everything. Plus, whatever was onsite could theoretically be trusted, as there were physical badge checks in place to stop unauthorized personnel. But the notion that whatever is on the network can be trusted is intrinsically flawed, as it doesn’t allow for threats that are already on the network, such as malware or unauthorized personnel who have stolen user credentials. It also doesn’t account for insider threats.

The risks of mobility

Mobile devices present a challenge for perimeter security technologies. Firstly, there are a number of misconceptions around mobile that lead to a false sense of security:

  • UEM protects against security threats
  • Mobile devices can’t get malware
  • Apps downloaded from official app stores are safe
  • Employees wouldn’t access inappropriate content on their work devices
  • Phishing only occurs over email
  • Employees have had security awareness training, which is enough

All of these are untrue, and failing to understand how modern threats target mobile devices, as well as how employees use mobile, increases the risk exposure of government agencies.

You only need to do a quick Google search to see that malware comes in all flavors on mobile, and users are more susceptible to phishing attacks on mobile devices: screens are smaller, clicking is imprecise, and the devices are typically used in a distracted state. Our latest threat landscape report details the key threats on mobile devices, with 57% of organizations experiencing a mobile phishing incident and 87% of successful phishing attacks taking place outside of email.

The risks of cloud

With the government’s cloud-first policy in place, cloud adoption is only going to increase in the public sector, and this requires a different approach to security. As cloud applications are hosted by the service provider, an organization’s incumbent security technologies like firewalls, DMZs, NAC and so forth become redundant for protecting these services.

Identity & Access Management (IAM) solutions can federate a user’s identity and enforce Multifactor Authentication (MFA) while streamlining the access process for cloud services, but this doesn’t offer sufficient protection. If an unauthorized individual manages to source legitimate user credentials, they can easily log in. Alternatively, an authorized user may access the service with an infected device if there is no device assessment. To counter this, a more contextual approach is needed to properly vet the risk associated with an access request for cloud services, which is why many companies are transitioning to a Zero Trust Network Access (ZTNA) model.

ZTNA removes implicit trust assumptions around access, assessing both the user’s identity and device as well as a number of other contextual factors. It provides IT administrators with a centralized policy engine with which to govern access to an organization’s entire application infrastructure, not just cloud services, and enforce a least privilege access model. Using an SDP-based ZTNA architecture, application infrastructure can be ‘blackened’, making sure that only authorized users are able to access the applications they are entitled to.
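The contextual access decision described above, as an added example (not code from the original article or from any product): a default-deny policy check that combines identity, device assessment and per-role entitlement. The roles, application names and risk levels are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed least-privilege entitlements: role -> applications (hypothetical names).
ENTITLEMENTS = {
    "caseworker": {"case-management"},
    "finance": {"payroll", "case-management"},
}

@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    mfa_passed: bool       # identity signal, e.g. asserted by the IAM provider
    device_managed: bool   # device is enrolled and known to the organization
    device_risk: str       # "low" | "medium" | "high", from a device assessment
    app: str

def evaluate(req: AccessRequest) -> tuple[bool, str]:
    """Default-deny decision: every check must pass before access is granted."""
    if not req.mfa_passed:
        return False, "identity not verified"
    if req.app not in ENTITLEMENTS.get(req.role, set()):
        return False, "app outside role entitlement"
    if not req.device_managed:
        return False, "unknown device"
    if req.device_risk != "low":
        return False, f"device risk {req.device_risk}"
    return True, "allow"

# Constructed requests matching the cases discussed in the text.
SAMPLES = {
    "valid": AccessRequest("alice", "caseworker", True, True, "low", "case-management"),
    # Credentials accepted by IAM, but presented from a device the organization has never seen.
    "stolen_credentials": AccessRequest("alice", "caseworker", True, False, "low", "case-management"),
    # Authorized user whose device assessment reports a high risk (e.g. malware).
    "infected_device": AccessRequest("alice", "caseworker", True, True, "high", "case-management"),
    # Authorized user on a healthy device requesting an app the role does not need.
    "over_reach": AccessRequest("alice", "caseworker", True, True, "low", "payroll"),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(name, evaluate(req))
```

An identity-only check would allow the second and third requests; the device and entitlement checks are what separate them from the first.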

As government agencies undertake digital transformation projects, it’s important to consider the implications for security and learn from the mistakes of private sector counterparts. A mobile workforce and adoption of cloud services render traditional security technologies ineffective in mitigating an agency’s attack surface.