Since 2010, the U.S. Executive Office has implemented strategies focused on the cloud. The Obama Administration developed the Cloud First strategy, and now eight years later, that strategy is being updated by the Trump Administration to the Cloud Smart strategy. And they want your input!
In a continuation of the May 2017 Presidential Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, to modernize Federal I.T. infrastructure in the face of evolving cybersecurity threats, the Cloud Smart strategy seeks to define an integrated approach for agencies to leverage cloud technologies and capabilities more quickly, deliver services faster, and protect high value assets.
Building on federal government and private sector best practices, and related to the Data Center Optimization Initiative (DCOI) and the Federal IT Acquisition Reform Act (FITARA), the Office of Management and Budget (OMB), Department of Homeland Security (DHS), the General Services Administration (GSA) and other agency partners have contributed to the Cloud Smart draft that encompasses three key pillars around IT modernization: security, procurement and workforce.
Their draft shows a keen awareness of the fast-moving cloud technology landscape and places a premium on security. It's refreshing to see government’s embrace of cloud technologies instead of falling back on the outdated and disproven statement that the cloud is not secure.
Here are some of the interesting highlights:
The intended outcome dictates the cloud choice
Migration for migration's sake, or good ol’ lift-and-shift of applications from on-premise datacenters to a cloud-based virtual instance, isn’t good enough. The outcome and goal must dictate the right application or service for the right cloud computing option.
This point alone should help realize considerable cost savings. I’ve seen too many instances of organizations taking a cloud-first approach that turns into a cloud-at-any-cost approach – and it's just that! They simply port crufty old applications into the cloud without re-architecting them to take advantage of the services of the underlying cloud infrastructure. Then one year later they still have a crufty old application and a bigger bill than expected.
In terms of flexibility, this draft gives more leeway to choose IaaS, PaaS or SaaS to serve the desired outcome of the application or service. And certainly the Federal Risk and Authorization Management Program (FedRAMP) and strategies to accelerate common Authorization to Operate (ATO) agreements will continue to help improve the pace of authorizing new cloud providers.
Given the OMB is asking for public input, here are my recommendations on their approach to cloud migration, management, and sustainability:
- To reduce complexity of the IT estate, any third-party solutions for migration, monitoring and management must support hybrid deployments, especially in support of those applications that span on-premise and the cloud (e.g., Active Directory and Azure Active Directory).
- When moving from an on-premise application to its SaaS equivalent (like any Microsoft productivity tool), agencies should take a COTS-first (commercial off-the-shelf) approach to reduce the impact on the end users, speed migration time, and leverage the support of the commercial vendor.
Protect the data layer
Data is king, and unstructured data is proliferating across agencies quickly with the adoption of cloud-based productivity tools (just think Exchange Online, SharePoint Online, OneDrive, Teams). With that comes increased security risk at the data layer, rather than risk that can be managed solely at the network and physical infrastructure layers.
While FedRAMP helps to ensure that cloud service providers meet a baseline for security, authorization, and monitoring of where the data is stored and who on their end can see it, humans are still a thing on the government side of the cloud. The human firewall is incredibly porous, and it's humans who are accessing the data itself. Just this week we learned about the UK Ministry of Defence (MoD) potentially exposing highly sensitive data through 37 breaches of security protocol due to poor human judgement (i.e., unsecured devices, documents and even rooms).
Here’s my input to the OMB around data security:
- In order to bring protection down to the data layer, data access reporting must employ the use of machine learning capabilities to monitor for abnormal user behavior around sensitive data and applications.
- To help prioritize the protection of sensitive data, the government should look to solutions that identify, classify, and redact sensitive data as well as provide continual monitoring of its access and attestation reviews of who should have access based on effective permission levels.
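The first recommendation above calls for monitoring abnormal user behavior around sensitive data. As an added illustration (not code from the original post or any vendor), the following Python script shows the simplest form of such a check: each user's daily count of sensitive-object accesses is compared against that user's own baseline from the preceding week. All audit records, user names and dates are constructed, and the classification label on each record is assumed to come from an upstream classification step.

```python
# Added example (not from the original post): flag abnormal access to
# sensitive data by comparing each user's daily access count against
# that user's own historical baseline. All audit records are constructed.
from collections import defaultdict
from statistics import mean, pstdev


def make_records(user, day, count, classification="sensitive"):
    """Build `count` constructed audit records for one user on one day."""
    return [(user, day, f"hr/record{i}.docx", classification) for i in range(count)]


# Constructed audit log: (user, day, object, classification).
# Baseline week: alice touches 2-3 sensitive files a day, bob exactly 1.
AUDIT_LOG = (
    make_records("alice", "2018-09-03", 2)
    + make_records("alice", "2018-09-04", 3)
    + make_records("alice", "2018-09-05", 2)
    + make_records("alice", "2018-09-06", 3)
    + make_records("alice", "2018-09-07", 2)
    + make_records("bob", "2018-09-03", 1)
    + make_records("bob", "2018-09-04", 1)
    + make_records("bob", "2018-09-05", 1)
    + make_records("bob", "2018-09-06", 1)
    + make_records("bob", "2018-09-07", 1)
    # Non-sensitive traffic is ignored by the detector.
    + make_records("bob", "2018-09-07", 40, classification="public")
    # Day under review: alice pulls 12 sensitive files, bob 2.
    + make_records("alice", "2018-09-10", 12)
    + make_records("bob", "2018-09-10", 2)
)

BASELINE_DAYS = {"2018-09-03", "2018-09-04", "2018-09-05", "2018-09-06", "2018-09-07"}


def daily_sensitive_counts(records):
    """Return {user: {day: number of sensitive objects accessed}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for user, day, _obj, classification in records:
        if classification == "sensitive":
            counts[user][day] += 1
    return counts


def build_baseline(records, baseline_days):
    """Per-user mean and population std-dev of daily sensitive accesses
    over the baseline window. Days with no sensitive access count as 0."""
    counts = daily_sensitive_counts(records)
    baseline = {}
    for user, per_day in counts.items():
        series = [per_day.get(day, 0) for day in sorted(baseline_days)]
        baseline[user] = (mean(series), pstdev(series))
    return baseline


def flag_anomalies(records, baseline_days, k=3.0, min_spread=1.0):
    """Return [(user, day, count)] for review days where a user's sensitive
    access count exceeds mean + k * max(stdev, min_spread).
    min_spread stops a perfectly flat baseline (stdev 0) from flagging a
    single extra access; a user with no baseline history gets mean 0, stdev 0."""
    baseline = build_baseline(records, baseline_days)
    flagged = []
    for user, per_day in sorted(daily_sensitive_counts(records).items()):
        avg, spread = baseline.get(user, (0.0, 0.0))
        threshold = avg + k * max(spread, min_spread)
        for day, count in sorted(per_day.items()):
            if day not in baseline_days and count > threshold:
                flagged.append((user, day, count))
    return flagged


if __name__ == "__main__":
    for user, day, count in flag_anomalies(AUDIT_LOG, BASELINE_DAYS):
        print(f"review: {user} accessed {count} sensitive objects on {day}")
```

With the constructed data, alice's 12 accesses on the review day are flagged while bob's 2 are not, because each user is judged against their own history rather than a global threshold. A real deployment would replace the per-user mean and standard deviation with a richer model, but the per-user baseline is the part that matters: a count that is normal for a payroll clerk is abnormal for a helpdesk technician.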
Talent is paramount to success
A talented, skilled workforce must be hired, retained and continually offered training opportunities to understand all the considerations in planning a migration and in maintaining and supporting the cloud environment(s).
I’m glad to see the government looking at ways to reduce the barriers to hiring the best talent. The IT estate is growing more complex and changing rapidly with the advent of new cloud services offered by the big three vendors (e.g., Kubernetes, containers as a service, serverless computing). Even just deciding between an IaaS and a SaaS offering requires specific expertise and knowledge.
But talent does shift, no matter how many perks and Cadillac insurance plans an agency can offer. Here are my recommendations to ease the on-boarding of new talent and provide assurances when key employees change roles/jobs:
- In an effort to retain, attract, and protect against productivity and security losses in the event of workforce attrition, COTS solutions should be explored first in place of wholesale management via custom scripts (owned by a single person, prone to error, unable to enforce desired state configurations).
- The government needs to continue taking a FedRAMP approach to its own privileged user access, monitoring and review standards, ensuring automated processes for access controls, including understanding the effective permissions of IT admins leaving or moving within an agency.
It’s great to see the government refreshing its approach to cloud deployments with so many excellent best practices built into the existing draft. If you have an opinion, leave a comment here or send your feedback directly to the OMB.
To dive deeper into specifics around data layer security, see how Active Directory is central to this initiative for the Federal government.