It’s been almost a decade since former U.S. Chief Information Officer Vivek Kundra promoted a “cloud-first” policy for federal agencies. But as of May 2019, the Government Accountability Office found that only about 11% of federal IT systems were running in the cloud. That represents around 17% of civilian agency IT investments and only 3% for the Defense Department (DoD).
The rapid surge in remote work due to the current pandemic is putting a spotlight on the need to make the transition happen much more quickly. However, the quick movement to the cloud is not without complication; the traditional design of federal networks does not allow users to realize all of cloud computing’s benefits.
Specifically, backhauling cloud-bound traffic to federal data centers creates bottlenecks that can hurt the user experience. Equally important is the need for federal organizations to gain visibility into and control of their activities and data in cloud environments.
There’s a big difference between what much of federal cloud adoption has been to date — cloud-based infrastructure for file storage and extra computing power — and actually empowering users to access their work-dependent applications and tools on-demand from anywhere. Yet that access is what is suddenly needed for workers en masse to remain productive.
Realistically, almost every application that the federal government has used for decades runs in on-premises infrastructure. Because each agency (mostly) maintains its own data center, the security controls for any sort of remote access to that infrastructure are backhauled through a single virtual private network (VPN) gateway that the agency manages. Every transaction, regardless of destination, passes through it.
This model works fine when only some of an agency’s workforce seeks remote access, perhaps even as much as 50% of the team, for short durations. But it was never intended to support the dramatically increased number of personnel now working remotely for the long term.
The situation is accelerating the urgency for agencies to adopt more distributed and secure cloud services. It’s the reason why the Department of Homeland Security (DHS) recently updated its Trusted Internet Connection (TIC) 3.0 guidelines with interim guidance. Agencies must quickly create an environment in which remote workers can meet their mission from wherever they are.
The solution cannot be adding more and more on-premises hardware or software. Even with all the hardware one could purchase, remote users are still consuming more internet access than they did before the pandemic. That, in turn, requires more bandwidth to be procured from the agency’s internet service provider. The result? Agencies would spend continually more to deliver the same capability in the same way it’s been done for decades. That is the antithesis of IT modernization.
Security is not optional
Beyond the bandwidth and user experience issue, remote access security is paramount. Today, it is possible for agencies to host their remote access gateways in public cloud environments without sacrificing their security postures. However, this new approach requires agencies to adopt a new mindset that decouples remote access from the traditional data center. TIC 3.0 is an example of this new approach. Under TIC 3.0 guidance, remote users and remote branch connectivity can leverage cloud-hosted secure access service edge (SASE) solutions to optimize cloud access while maintaining the resilience and strength of their secure posture.
The increased focus on cloud computing also creates an imperative to strengthen cloud security practices. Securing access is the first step, but securing the cloud environment itself should not be forgotten. To do that, visibility into and control of the resources in agency-managed cloud environments are critical. Industry research shows that the leading risk in a cloud environment is misconfiguration. Proper security monitoring is essential to protecting data and other high-value assets. The federal government has invested significant resources to create enterprise visibility platforms. The dynamic nature of cloud computing makes visibility even more important.
Silver lining in the stimulus
The pandemic is serving as a catalyst for accelerating the meaningful shift to cloud that agencies have long known they need to make. The recent economic stimulus, the CARES Act, provides funding for agencies to supply new tools and readiness provisions that help employees continue their missions while working at home. For example, it provides significant funding to support telework capabilities for many agencies, including $300 million for the Defense Department, $300 million for the Social Security Administration, $453 million for the Department of the Interior and more. It also directs $3.1 billion for the Department of Veterans Affairs to expand telehealth services.
Consequently, it may be possible for many agencies to obtain emergency relief funding that can be applied toward more organizations fully adopting and embracing cloud security solutions that will keep missions moving.
Across the industry, we’ve been on a journey to the cloud for the past decade. The moment that we are currently in is showing organizations that business can be just as effective in a distributed work model; it can even improve operational efficiencies. But gaining the benefits requires that remote workers can seamlessly access the workplace tools and resources they rely on while working from home. It’s times like these that remind us that innovation is born from disruption and we will successfully achieve this transformation.
John Davis is vice president of Public Sector at Palo Alto Networks.