Cloud computing has moved into the mainstream, and federal agencies are embracing it along with their private sector counterparts. While there have long been concerns about the security of cloud environments, particularly public cloud which dwells outside an agency’s firewall, big strides in cloud security have been made, increasing its attractiveness for a breadth of requirements. At Forcepoint’s and CyberScoop’s recent Cybersecurity Leadership Forum, a panel of cybersecurity experts with deep federal government experience shared their perspectives on how to deploy secure cloud solutions that meet agency needs.
The discussion started out exploring general business challenges with federal agencies’ shift to cloud. Royce Allen, Enterprise Cybersecurity Architect, Office of Cybersecurity Policy & Compliance at the Department of Veterans Affairs (VA), explained that Cloud First initiatives drive how and what the VA does in improving veterans’ experience while protecting their data. She emphasized the need to understand what an agency does and doesn’t gain from cloud deployments, noting that not every legacy application will or should migrate to a cloud environment. She recommended creating a thorough, well-researched business plan that details why an agency wants to move to the cloud, and factoring how to integrate FedRAMP into current processes and applications. (Note: The FedRAMP program is designed to make security more consistent across agencies, providing a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services, for example with standardizing the cloud authorizations process.)
Jon Check, Sr. Director of Cyber Protection Solutions at Raytheon, also noted that a shift to the cloud requires a foundational workforce change, along with new architectures, tools, training and risk management methodologies for attaining secure deployment. That includes building a common, consistent vocabulary for use in cross-agency cloud-centric discussions.
Lauren Knausenberger, Director of Cyberspace Innovation for the United States Air Force, explained how the Air Force is leaning forward in cloud, with applications such as Microsoft Office 365 deploying at 25,000 users per week. As with many in the private sector, she noted that her team is struggling with a proliferation of shadow IT brought in by users to avoid network latency often experienced in remote locations and exacerbated by the extra layers of Department of Defense network security: “If bandwidth stinks, moving to the cloud is actually counterproductive. The new generation of airmen is dissatisfied with the timelines; so that will help us change our infrastructure faster.”
Allen reported progress at the VA on the shadow IT challenge. Use of unauthorized systems on their network has been reduced by 94 percent in the last few years due to her team, working with the acquisition office, publishing memos, guidance and education on what users can and can’t do on the network. She encourages branch staff to purchase whatever products or services they want off of the GSA schedule, but to then ask for her team’s help in securing it.
To that end, Claudio Belloli, FedRAMP Program Manager for Cybersecurity at the General Services Administration (GSA), expressed his commitment to helping agencies leverage FedRAMP in finding the right products for Cloud First initiatives.
The panelists also discussed cloud as a net force for change and for improving security architectures. Knausenberger espoused cloud as a forcing function for many initiatives: “When it comes to data handling and standards, cloud is at the forefront of the discussion. Legacy architecture isn’t going to work ― new technologies come with cloud.” Allen affirmed that cloud initiatives mandate relooking at architecture, rethinking processes, and revisiting existing applications and services. A thorough analysis will help the shift from defense-in-depth to expand boundaries and rethink data management from the top down.
According to Check, maintaining security posture as legacy systems move to the cloud is temporarily increasing complexity; agencies need a thoughtful plan that takes advantage of existing IT investment while providing mechanisms for offloading legacy applications as functionality is moved to the new cloud environment.
But, Belloli warned, the cloud won’t solve all agency needs. Educating workers, clearly defining agency-level and department-level responsibilities, and carefully analyzing what fits into an agency’s mission will guide adoption of the most appropriate cloud solutions.
Kathy Stershic, CIPM and CIPP-US, is a Senior Director of Content for W2 Communications.