Election Cybersecurity 101 Field Guide – Cloud Services

CDT’s Election Cybersecurity 101 Field Guides are a series of short, simple, usable guides intended to help election administrators and staff better understand key concepts in cybersecurity.

What Are Cloud Services?

Cloud services are software-based services delivered via the internet, rather than maintained and managed on-site. They allow organizations, like election agencies, to contract external companies to manage necessary tasks like hosting a website or managing a database.

Why Are Election Entities Using Cloud Services?

Election-related organizations like election administrators and political campaigns have to maintain a number of online services, such as voter portals (where citizens can register to vote and find information like polling places), voter registration databases, voter mailing lists and engagement services, and websites for their campaign or agency. Maintaining and securing the systems and physical hardware required to provide these services can be expensive for election agencies, and requires substantial expertise to ensure that voters and elections are protected. Oftentimes, it may be prohibitively expensive for these agencies to acquire the level of expertise they would need (particularly since building out these services may take a wide variety of expertises, which would either translate to multiple employees, or one employee with difficult-to-find skills). Providers of cloud services typically have this expertise internally, and are able to provide it more cheaply to election customers.

What Are the Concerns or Pitfalls?

One of the key concerns with cloud services is ensuring that they are correctly configured for the high security and privacy needs of the election context. While ideally these cloud services would default to secure configurations, many of them were not designed with an election context in mind and consequently their default settings are not sufficiently secure. Incorrectly configured services can lead to security concerns like exposed voter data or tampered websites, or usability concerns like inaccessible websites. Thus, election agencies will still need to ensure that they have some internal expertise: they will still need someone familiar with using the cloud service selected, even if they are not an expert in each of the things the service provides.

Securing Cloud Configurations

The main component of securing a cloud service is ensuring that access is restricted only to those that need it. There are a number of considerations: The first are standard access control mechanisms, like individual accounts with strong passwords. Although shared organizational accounts are sometimes necessary, they do require extra governance to ensure they are secure. For example, if a staff member who had access to a shared account leaves, the password to that account must be updated. Additionally, individual accounts should have the minimum permissions necessary to do the work. For example, if a staff member is responsible for reading raw data and organizing it into a report, that person should have permission to read the data, but not to update or delete it.

In addition to appropriate access control, organizations using cloud services should take a “defense in depth” approach, and have plans in place in the event that primary security mechanisms fail. For example, ensuring that data is encrypted at rest (meaning that data is encrypted before it is stored, so even if it is breached, the data will be unreadable to the attackers) means that the impact of a data breach can be mitigated. Organizations should also have a response plan in place, to ensure there are clear and comprehensive steps outlined in response to an issue like a data breach or data leak.

For additional takeaways and resources on this topic, check out the full field guide here.

For other field guides, more resources, and info on what CDT is doing to help election officials, check out our Election Security campaign.