Election Security Spotlight – Cloud Computing
What it is:
Cloud computing is the storing, accessing and delivering of data, programs, and other computing services on the internet rather than directly on a local network or system. Cloud computing allows for access to networks, servers, and other services on demand, as long as there is an internet connection.
There are three architectures of cloud computing that are available to organizations.
Public Clouds are the most common form of cloud computing. Public cloud resources are owned and operated by a third party, and are used by multiple organizations – similar to multiple people renting space in an apartment building. The information put in a public cloud is still private to the organization.
Private Clouds are used by a single organization or group of select users. The physical infrastructure (i.e. servers, storage, etc.) for a private cloud can be located at an organization’s datacenter, or provided by a third-party service. Organizations that have sensitive information they need stored, and want increased control over isolated infrastructure, would use a private cloud.
Hybrid Clouds combine functions of both public and private clouds. Hybrid clouds allow for greater flexibility if there is a fluctuation in computing and processing demands. This eliminates the need for an organization to invest heavily due to a short-term spike in demand (ex: increased web traffic during tax season). Hybrid clouds can also be used by organizations that need to keep sensitive data separate – using the public portion for data that is not sensitive, and the private portion for sensitive data like financial records.
Within the overall architecture of cloud computing, there are three main services that can be provided by third parties. All three services are available in both public and private clouds.
*Software as a Service (SaaS)* involves an organization using a software application that is delivered over the internet, typically on a subscription basis. The organization would not have direct control over the underlying infrastructure or operating service.
*Platform as a Service (PaaS)* supplies an environment for an organization to develop, test, deliver, and manage software applications. Organizations would be able to develop and deploy an application without having to invest in all of the underlying infrastructure.
*Infrastructure as a Service (IaaS)* allows an organization to rent infrastructure from a cloud provider. In this model, the organization does not have physical control over the infrastructure, but does have control over operating systems, applications and possibly networking components (e.g. firewalls).
The diagram below shows how SaaS, PaaS, and IaaS build on each other, along with examples of each model.
Why does it matter:
Cloud services are widely used by election offices to store information such as voter registration rolls and ballot data, as well as run their websites. In many cases, common applications for both desktops and mobile devices leverage SaaS, PaaS, and IaaS, increasing the chances that an organization is already using the cloud.
Cloud computing can provide flexibility and efficiency for organizations with a limited IT budget. Depending on the implementation, cloud computing can be easier to manage and reduce investments in hardware or maintenance. For example, cloud computing could allow an election office to temporarily increase the available bandwidth to meet increased demand during high volume registration and voting periods. Rather than upgrading an existing system, which can be an expensive and time-consuming endeavor, the election office pays for the temporary extra bandwidth, and the organization hosting the cloud takes care of the rest. Additionally, election offices can use cloud-stored backups and web applications for increased redundancy and security.
Cloud storage also presents challenges to organizations that need to ensure the confidentiality, integrity, and availability of their data. Many of the risks associated with cloud computing are common in traditional technology architectures, but are more apparent due to the possibility of public exposure over the internet. The Cloud Security Alliance (CSA)’s top eleven threats to cloud computing in 2019 included data breaches, misconfiguration, lack of security architecture and strategy, account hijacking, insider threats, and insecure interfaces. Many of these concerns arise from organizations treating the cloud as a ready-made solution. Cloud implementations still require organizations to consider security and maintain a level of active management to help mitigate these risks. Organizations would also need to ensure there is a constant internet connection to ensure information is available.
What you can do:
When incorporating cloud computing into day-to-day operations, an election office should take steps to ensure their data is secure and accessible in the event of a cyberattack or system outage. Election offices that are considering cloud computing should first determine if the same result could be achieved with a local (physical) storage option. Election offices should assess the data and risks when deciding whether their needs are appropriate for the cloud.
Don’t assume moving to the cloud eliminates the need to manage technical configurations. Just as with local solutions, proper configuration is critical to safeguarding information. Transferring weak security policies and practices from a local environment to the cloud will propagate those weaknesses, not mitigate them. For more information on cloud storage configuration, refer to the Center for Internet Security’s "Security Best Practices for Non-Voting Election Technology” guide.
Important data that is stored in a cloud environment should be backed up using a physical storage option, and election offices are encouraged to formulate a disaster recovery plan (DRP). Cloud services can act as a backup, but should not be the only location where information is stored. Preparing for a disruption in service will allow election officials to recover quickly and ensure election-day activities, or access to important data, can continue.
Election offices should ensure that their cloud vendors comply with all federal and industry regulations and best practices. When contracting with a cloud vendor, election offices should identify and mandate information security controls to specifically address supplier access to the organization’s information in a written policy, if possible. Election offices should also explore the underlying services of the products they use to identify cloud dependencies. For more guidance on procuring election technology, election officials are encouraged to reference “ A Guide for Ensuring Security in Election Technology Procurements” by CIS.
The EI-ISAC Cybersecurity Spotlight is a practical explanation of a common cybersecurity concept, event, or practice and its application to Elections Infrastructure security. It is intended to provide EI-ISAC members with a working understanding of common technical topics in the cybersecurity industry. If you would like to request a specific term or practice that may be of interest to the elections community, please contact firstname.lastname@example.org .