What State and Local Governments Need to Know About Risks in G Suite and Office 365
Software as a Service (SaaS) collaborative platform adoption is increasing among state and local government — but along with increased adoption comes added risk. In this blog, you’ll learn how to reduce the risks from ransomware and malicious insiders if you’ve adopted Office 365 or G Suite. You’ll also learn more about:
- Why SaaS collaboration platforms are becoming more widely used by state and local governments;
- The new division of responsibility for those adopting these tools;
- The rise of ransomware attacks on local and state agencies;
- Assessing sources of SaaS collaboration data risks, as well as suggested next steps to reduce those risks.
State and local governments are increasing their cloud and SaaS adoption
More than 70% of state government CIOs are “cloud first,” and local government continues to grow adoption of SaaS — and it’s no surprise why. The reasons for the growing adoption of collaboration tools such as G Suite and Office 365 by government are similar to the reasons many business adopt these platforms.
Yefim V. Natis, VP and Gartner Fellow, wrote, “Rigid organizations cannot produce agile IT solutions. As delivery shifts more to the cloud, most IT organizations will have to reorganize to reflect the business realities of cloud computing: continuous innovation and change, pervasive integration, competing with cloud providers for some initiatives, and crucial prevalence of influence over control in ITs relationship with lines of business.”
- Agility: SaaS provides multiple supports for agile IT in ways that on-premises management and maintenance cannot, facilitating the ability to adapt to rapid change in organizational needs and constituent-focused requirements.
- Scalability: SaaS applications provide the ability to rapidly scale up or down as the needs of state and local governments change. For example, post-election budget shifts are easier to accommodate when IT can add or shed subscriptions, rather than being stuck with more (or less) on-premises capacity than is needed..
- Staffing: SaaS applications reduce the need for on-premises management of application storage, updates, patches, and maintenance, freeing IT to do more even if budgets restrict adding staff.
The risks, however, may not be as familiar. And the biggest risks to government organizations do not generally originate from the SaaS vendor’s infrastructure, but from the new division of responsibilities arising from SaaS architecture.
SaaS applications: A new division of responsibilities between vendor and IT
Why? Before the advent of cloud computing and SaaS applications, IT was responsible for managing everything in the technical environment. Now, however, the adoption of SaaS and cloud technologies may obscure areas of risk. SaaS and cloud vendors are secure, and generally protect customer organizations from their own infrastructure failures. But they cannot fully protect organizations from human mistakes, programmatic errors, or malicious activity. Changes initiated by your organization, or external threats, are carried out by the SaaS provider, because they appear to be legitimate, intentional actions.
Regardless of which model of service delivery is in place within an organization, IT is responsible for ensuring data management aligns with regulatory requirements, organizational governance, and defined controls. Ultimately IT must also meet the organization’s need for business continuity – including backing up SaaS data in a way that facilitates a fast return to operational readiness (Recovery Time Objective, or RTO).
The primary risk to your SaaS data comes from you, not your platform vendors
SaaS data loss is rarely caused by a vendor’s infrastructure issues. It is most commonly caused on the customer’s side, in three scenarios:
- Human error (misconfiguration of retention policies, improper data loads that overwrite good data with bad at compute speed, end user accidental deletions). Aberdeen Research notes that 64% of all data loss is caused by human error; in our interviews with G Suite and Office 365 sysadmins, we’ve heard stories confirming how common human error is. For example, one government agency we spoke with told us how setup errors led to the loss of more than 200 tenants in Office 365.
- Programmatic errors (sync errors, integration errors, both of which can overwrite good data with bad, or delete good data). The Register reports, “Sync failures are perhaps the biggest frustration for Office 365 users and those who support them, and when it happens the usual advice is to delete and resync everything, with possible loss of recently changed files.” But it’s not just an issue for Office 365. G Suite sync errors led to the loss of “hundreds of corporate emails,” according to this G Suite Help Forum thread.
- Malicious activity (disgruntled employees or other authorized users, malware including ransomware). Government sysadmins are familiar with the risks posed by disgruntled employees. They may not be as familiar with the rise in government ransomware attacks. The central issue for those using collaboration apps such as G Suite and Office 365 is the “folder grenade” – when a document or email is shared, and the ransomware encryption spreads from one shared folder or document through every shared folder or document, at compute speed. This may have been why the malware lock-out spread so quickly through recent victims’ systems.
What you can do now to mitigate the risks
Your SaaS collaboration providers are likely not a significant source of risk to your SaaS data. Your admins and your end users are.
It’s important to train your end users in being “phishing proof” regarding SaaS data. Beyond training and limiting access to admin rights, however, IT needs to plan to ensure SaaS data is safe, backed up, and quickly restorable for business continuity needs. If your organization has adopted, or is considering adopting, a SaaS collaboration platform such as G Suite or Microsoft Office 365, ensure you can protect against the common issues that can lead to SaaS data loss.
What to look for in a SaaS data protection solution for state and local government
Start with this security checklist, as you begin the process of evaluating SaaS data protection solutions to mitigate the risk of SaaS data loss. Don’t wait until a SaaS data disaster occurs within your government agency or organization.