IRS cloud security is lacking: TIGTA

The Treasury Inspector General, in a recent report, faulted the Internal Revenue Service for lacking a fully implemented security control infrastructure for its cloud services, putting taxpayer data at risk.

TIGTA said that, as of the end of 2020, the IRS had 56 cloud services, 12 of which contained taxpayer data. While the agency had discussed a cloud security control infrastructure that covers all cloud services, it has yet to fully implement such a system. Despite this, TIGTA said the IRS has continued with cloud deployments, which could put taxpayer data at risk.

While a broad picture is difficult to piece together given the many redactions in the report, some issues shared by TIGTA include:

  • No integration of authorized cloud-based applications with Active Directory Federation Services.
  • No implementation of short-term identity architecture and design.
  • No fully implemented incident management processes.
  • No fully defined and implemented plan to integrate native cloud services with on-premise tools for network monitoring.
  • No defined and implemented clear key escrow and recovery processes to mitigate data loss risks.
  • No defined roles and responsibilities for management of encryption key life cycle.
  • No roadmaps for implementation of core cloud security solutions.
  • No training or hiring plans to fill cybersecurity function cloud workforce gaps.

"The acceleration of cloud deployments coupled with not having a fully implemented cloud security control infrastructure in place prior to turning over control of taxpayer data to the [cloud service provider] limits management's ability to fully provide the necessary assurance to protect taxpayer data," said the report.

TIGTA said the IRS should expedite full implementation of the cloud security control infrastructure, and develop an implementation plan for selected cloud capability gaps relating to identity and access management, data and infrastructure protection, continuous security monitoring, and program management. There was another part of the recommendation, but it was redacted.

The IRS agreed with the second recommendation, but only partially agreed with the first, saying that it has a robust and comprehensive security control infrastructure documented within Internal Revenue Manuals for cloud implementations and will continue to ensure compliance with the documented cloud security control infrastructure.
