Moving to the cloud is inevitable for federal agencies. Cost savings is a primary driver, as well as increased agency efficiency, innovation and enhanced speed of operations. Although the economic and technological benefits are well-understood, a major barrier for many agencies is the security concerns of migrating to cloud services.
Federal agencies tend to handle sensitive or classified data, and the unfortunate reality is they typically have been working with legacy systems that support massive, oftentimes outdated infrastructure. This complicates data migration, especially when it comes to security.
So how do we move past this hurdle?
Today and for the foreseeable future, the use of commercial cloud service providers will be a necessity for federal agencies looking to tap into the efficiency, elasticity and scalability of on-demand storage and data services. Utilizing private sector companies to manage federal data a few years ago would have been a complete non-starter, as keeping sensitive data on-premise had both been considered the most secure method and for some agencies, was a federal mandate.
But times, mindsets and regulations are changing, as cloud service providers continue to prove their expertise reliability and agencies look to find ways to maximize their increasingly limited resources.
Senate praises DHS data center consolidation effort by opening up its wallet for 2019
Even with the new, more progressive federal IT mindset, moving to the cloud is not yet a seamless process. Agency decision makers first need to ask themselves the “why” of moving to the cloud. Not every application or piece of organizational data necessitates a move to the cloud.
Every migration ought to be justified in terms of real versus perceived value. Also, not everything has to be moved at once. A measured, strategic, and systematic approach tends to get better results, especially for the large shifts that federal agencies will experience due to such a massive overhaul.
Having a step-by-step, goal-oriented approach to cloud migrations lets the entire organization have time and prepare for the new mode of operations. For each cloud migration phase, program managers should ask questions like:
What is the incremental benefit to the organization?
What are the short-term and long-term risks of this phase?
Are the right stakeholders aware and accept these changes?
Specifically, federal agencies especially need to consider the security implications of such a change and determine if they meet the appropriate level of preparedness.
One of the main challenges we’ve seen with cloud migration is the lack of communication between the security team, development and operations teams. Application, endpoint, and authorization security are major pillars that need to be addressed for this type of transformation.
Unfortunately, the security team is typically an afterthought when it comes to moving applications and data to the cloud, as many cloud migration initiatives are driven by the primary allure of cutting costs and take little time to dive into the cybersecurity implications. These effects are most prominent when subsequent cloud-based security incidents occur, and security teams discover their existing tools, processes or visibility is insufficient or obsolete.
Application security is especially important, as malicious attacks on the application layers are on the rise. Many software teams are moving toward the Dev/ops models to increase efficiency and agility. In the quest for speed, however, security again is usually left out of the equation. Incorporating security into Dev/ops is a relatively new approach, as well as a cultural and procedural challenge.
Security experts understand how to find application vulnerabilities, yet are not often accustomed to how software development teams operate, especially in a Dev/ops model. And software development teams look at security as a hindrance that blocks them from meeting their already aggressive release timelines. While many commercial firms have started to embed security into a combined Dev/sec/ops model, few federal agencies have yet to fully embrace this approach due to organizational inertia.
Different cloud service agreements have different layers of security needs for application, endpoint, and authorization levels. Throwing security into the mix at the last minute almost always results in increased costs and time for cloud migration, as the security team scrambles to understand each cloud service and figure out equivalent questions they need to ask to quickly triage and remediate security issues. Given the explosion of big data from using scalable cloud services, teams need better tools to easily ask questions of their data, without requiring a degree in data science. Without access to these cloud-native tools, this broken process negates the value of federal agencies moving to the cloud, as costs and likelihood of security vulnerabilities rise.
The most important step for federal agencies planning to move to the cloud, is to create a culture where security teams are ingrained in the development and operation process, from the initial ideation to the technical execution. This includes building and refining cloud-specific threat models that help prioritize where developers and security teams should start improvements, first.
Security can no longer be viewed as a last-minute bolt-on. In today’s environment, where cyber criminals can readily buy a continuously updated library of exploits from the dark web, to the rapidly evolving sophistication of nation-state threat actors — cybersecurity, especially for the cloud, needs to be a top line priority.