Tips for secure data migration for agencies

The Department of Defense faces an immense challenge this year when the agency plans to move data for more than 1 million users from its own virtual work environment to a Microsoft 365 U.S. Government Community Cloud (GCC) environment. With the high volume of sensitive data that needs to be protected and preserved during the migration process, there is a lot at stake. While this project and others like it are sure to be complex, there are steps that can be taken to ensure successful cloud migrations for government agencies.

Unique considerations and common challenges

At its core, the process of migrating to the cloud is the same for a government agency as it is for a private company. However, there are some important considerations for government migrations. Managed service providers (MSPs) and internal migration owners engaging in a government migration will have to be aware of strict approval processes, authorizations and requirements. These may vary depending on whether the project is for a local or federal government agency.

For example, everyone involved in a GCC migration or offering support must be a U.S. citizen and data cannot pass through data centers outside of the U.S. during the migration. Team members are subject to intensive background checks on their work history, education verification, criminal record, a social security search and more. The tools being used on the project, including all software and connectors, must be authorized and certified as compliant with the Federal Risk and Authorization Management Program (FedRAMP), which provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

It’s important to ensure that everyone working on the project is fully aware of the finer details, as the contracts are based on a detailed request for proposals (RFP) process. When migrating sensitive data in a government setting, individuals can become personally liable for errors and missteps, and at the federal level, that could result in federal charges. For example, sensitive data that is pertinent to the site cannot be stored on any type of removable media or taken offsite. Should that data be lost or made public, the individual responsible could be subject to criminal charges.

Migration best practices

Two of the most important factors to ensure a successful government migration are preparation and communication. Many government IT leaders often feel pressure to get to the cloud as quickly as possible, and they may propose workaround scenarios to accelerate project completion. But that approach often results in downstream problems. Any type of change in a government setting is going to be a long process and IT teams often need help adapting to the changes brought about by a cloud migration. Bringing in an MSP partner to help them adapt their mindset and practices can be critical to successful implementation.

Of particular importance is ensuring proper security is included right from the start and that all requirements in the contract are being addressed. It must be understood if the data is being encrypted and specifically how the data is getting transported.

Another imperative for success is to plan and execute an effective change management campaign. This can vary by organization but should include frequent communication with staff and other impacted parties about what is changing, why, and how it will impact their work. An important piece of this is proper communication about new security protocols and ensuring there is a process in place to confirm that everyone knows and understands the changes.

In addition, a pre-migration assessment provides the information needed to put an effective migration plan in place. It offers greater insight into how many users will be migrated, what systems are in place, potential points of failure, and provides an estimate on the project cost and timeline. Completing an assessment of the migration project can help identify the different versions of software being used and necessary upgrades to ensure seamless integration of new applications and technologies. For example, the single sign-on process being implementing may work on Outlook 2016 and above, but a particular department may still use Windows 7 and run Outlook 2013. Without upgrades, the migration will fail.

Finally, proper documentation of the entire process – tools used, steps taken, security protocols implemented, communication with users – will help ensure success. Any decision around the project must be fully documented and recorded. For instance, a project may initially call for implementing “Solution A” for its two-factor authentication setup. However, the IT manager may later decide they want to use “Solution B” because it aligns better with their preferred applications. Therefore, the entire change of process must be recorded, documented and signed off by all management parties. With the complex requirements in a government setting, it’s critical to have this record to fall back on if problems or questions arise.

Common mistakes to avoid

As with any complex process, migrating massive amounts of data comes with pitfalls. These are a few of the most common mistakes to avoid.

  • Lack of communication with end users. A comprehensive communication plan is necessary to manage expectations for moving data into the new environment. Let end users know when this will happen, what the effects will be, and what training is available. An often-overlooked aspect of the communications plan is selling the migration to the users. Let them know what’s in it for them and why this change is going to make their lives easier. The more invested users are in the migration, the more successful it will be.
  • Underestimating time. Every migration comes with its own problems to solve, and not all of them are easily foreseen. Ideally, migration jobs will run overnight or on the weekends, times when the potential to disrupt users is the lowest. But migrations don’t always move in a straight line. That’s why it’s important to factor in extra time to account for the unexpected. The negative effects of underestimating time can be disastrous. Rushing to complete a job with an unrealistic timeline increases the potential for missing data. In the rush to meet a compressed timeline, there may not be enough time to find and fix issues and then validate the process. Speeding through a migration can hurt end users as well. Without the necessary communication and training, they could be walking into a new environment unprepared, resulting in confusion and lost productivity.

Helpful tools and capabilities

Employing software-as-a-service (SaaS)-based automation tools to support the migration can help ensure a smooth process and positive outcome. These IT tools can automate a pre-migration assessment to ensure compliance and then automate the process of moving data sets to the cloud. The automation not only reduces time-consuming, costly manual labor that would be required to achieve similar results, but also reduces the chance for mistakes being introduced through human error. Assessment tools can also be used ongoing to ensure that compliance is maintained over time, an important requirement in a government setting.

Having the proper mindset can influence a successful outcome. It’s important for people on the migration team to think about the project in human terms and not just bits and bytes of anonymous data. Understanding that they are migrating people – their professional identity, work products and entire work life – helps infuse a greater sense of responsibility to get it right.

While the stakes are high in a government cloud migration, following best practices, understanding the unique requirements, and leveraging automation tools can help ensure the project is as smooth as possible and a great success.

Mark Rochester is the principal product architect at BitTitan, where he works closely with the product management, sales and marketing teams to build market-leading products and features that address real-world problems. Mark specializes in cloud and infrastructure, SaaS, and Microsoft Azure, Exchange and Office 365 systems and environments.

Related Stories

    Army wants to lock soldiers’ biometrics in with machines to create sci-fi-like effects

    Read more

    EPA wants to build cybersecurity-aware culture along with IT modernization

    Read more

    Navy, Coast Guard consider network tech to hedge against illegal fishing

    Read more

Comments

Sign up for breaking news alerts