Many federal government IT managers used to be wary of the shortcomings of migrating to cloud technology because of potential data security problems affecting email, business systems, personal data records and, especially, national security operations.
However, after the federal “cloud first” initiative’s six-year effort to promote the technology, there are signs that federal IT managers gradually have changed their assessment.
Federal IT managers have concluded that cloud technology will meet — and even exceed — government data protection requirements, two recent reports indicate.
Importantly, there also is an emerging trend among agencies toward using cloud technology by itself, either as a complete cyberprotection system, or as a tool to provide both specialized and comprehensive cybersecurity capabilities.
“Concerns about the security of data in the cloud have largely disappeared in the wake of events like the hack of the Office of Personnel Management a few years ago,” Alex Rossino, senior analyst at Deltek, wrote in comments published this summer. “Agencies now realize that they cannot possibly maintain cyberdefenses strong enough to defeat many cyberattacks. They therefore need to leverage the capabilities built into commercial clouds.”
The OPM breach involved more than 20 million records.
“With a mandate from the White House to migrate to the cloud, federal agencies are feeling the pressure for a timely, secure shift, with minimal disruption,” said Phil Quade, chief information security officer at Fortinet.
The current level of federal agency cyberprotection is inadequate, according to federal IT managers who took part in a recent survey supported by Fortinet and conducted by MeriTalk.
However, data protection will improve significantly in the future as a result of greater use of cloud platforms, the respondents also said.
The percentage of agency IT managers who rated their current security level as “excellent” in cloud environments was very low: only 35 percent for private cloud; 21 percent for public cloud; and 27 percent for moving between physical and virtual environments.
In addition, 85 percent of those managers described their current infrastructure environment as “complex,” and only 34 percent said they had a high level of visibility into that environment.
As a result, their IT operations were at a significant risk of a security breach, respondents said.
Still, those same managers were much more optimistic that cloud eventually will be a substantially effective IT security mechanism. Of the 150 survey respondents, 70 percent said that hybrid cloud adoption would reduce their agency’s security expenses and strengthen their agency’s overall security posture.
The ideal hybrid cloud environment would utilize a mix of physical servers, at 39 percent, along with cloud-based operations, at 61 percent, survey respondents indicated. Further, 41 percent said their cloud-based operations would be public cloud resources, while 20 percent said they would be private cloud platforms.
Greater confidence in cloud security should help accelerate the pace of adoption in the federal market.
Annual federal spending on cloud technology amounted to US$2.38 billion in total contract value in fiscal 2016, Deltek reported this fall. Adoption has reached something of an inflection point, as agencies have observed the cloud-first initiative and have recognized the efficiency benefits of the technology.
Annual federal spending on cloud technology will grow from $3.7 billion in 2017 to $6.6 billion in 2022, Deltek predicted, reflecting a compound annual growth rate of 12 percent. Greater reliance on cloud-related cybersecurity capabilities could enhance the level of investments in the technology.
Cloud-Based Security Market
Another emerging trend is that federal agencies have started using the cloud as a cybersecurity system in and of itself, in addition to the conventional use of the technology as a more efficient data processing and storage tool, the Deltek research found.
For example, federal agencies spent $142 million between fiscal years 2014 and 2016 on cloud-based cybersecurity solutions, according to the Deltek report. The pace of such spending declined between 2015 and 2016, as the Obama administration drew to an end.
However, what appears most significant at this point is the recognition that the cloud can provide viable cybersecurity capabilities — and with that recognition, additional opportunities for vendors should materialize in the future.
Compared with the annual federal IT spending level of more than $85 billion, such a market may seem small. But a small slice of a very big pie provides a potentially significant niche market for cloud IT providers.
Cloud-based cybersecurity investment types embrace the full range of protection objectives. Most of the government spending for cloud-based security purposes in the three-year period analyzed by Deltek was for continuous monitoring, amounting to $74 million in total contract value, followed by identity and access management at $38 million.
Lesser amounts were spent on deep packet processing, data loss prevention, malware and threat protection, endpoint protection, technical support and vulnerability management.
“We do not think the intersection of cyber and cloud will be a primary market driver necessarily. Rather, in most cases better security will be a value-added benefit of moving to the cloud since commercial providers are able to throw more money at securing their ecosystems than are agencies,” Rossino said.
“To be sure, however, as cloud-based cyber capabilities become more widespread we believe agencies will utilize them more often,” he noted.
Commerce Explores Cloud Security Project
A telling development is a current U.S. Department of Commerce effort dealing with cyberprotection, Rossino observed. The department has focused its attention on the performance of its Enterprise Security Operations Center, Enterprise Cybersecurity Monitoring and Operations, and components of its Continuous Diagnostic and Mitigation programs.
Those functions are hosted by two different agencies within the department whose primary missions are not security-related. In addition, the operations are performed at two separate locations.
Those arrangements do not constitute an ideal response to the need for effective security, the DoC concluded. As a result, it has been seeking to migrate cybersecurity functions to a FedRAMP-approved high impact level cloud service provider. FedRAMP is the government-wide cloud security certification program.
“The cloud hosting environment would have the flexibility to easily scale in order to accommodate additional functionality and data log feeds as needed, and would offer a transparent pricing model to make costs predictable,” reads a request for information the DoC issued to commercial vendors.
Industry responses were due by early August. Since then there have been “no status updates, decisions or timelines” regarding the RFI, Anthony Kram, an acquisition official at the department, told the E-Commerce Times.
While federal agency sentiment regarding cloud security issues has changed, the unique nature of federal requirements still poses challenges to adoption. The availability of cloud platforms has facilitated a long-term goal of operating IT on a shared-services basis within or among agencies — but that objective brings with it another set of security concerns.
“We are seeing the federal government adopting the idea of shared applications or services for multiple agencies, which in and of itself will require unique controls to segment administrative access, and data at rest and in motion for each agency,” said Felipe Fernandez, system engineering manager at Fortinet.
“Federal agencies require cloud environments to meet the same or sometimes stricter security controls as on-premises infrastructure in order to remain in compliance with federal regulations,” he told the E-Commerce Times.
In that context, the Commerce Department’s proposal could be a harbinger for other federal agencies for utilizing the capabilities of cloud for cybersecurity goals, Quade suggested.
“Without getting into addressable market goals and details too much, what I can say is that since the government’s foreign adversaries come at its networks at speed and scale, federal defenses must be based on automation and integration,” he pointed out, “which requires many of the attributes that cloud computing and digital transformation can provide.”
Some great points in this article.
I just want to add my spin on it.
First off, let’s not forget that no matter where you put your data you are responsible for it. When security is out of your control then you have to implement sound contracts with your vendors and you have to make sure they are living up to whatever security measures they say they are providing. You also have to do your part and make sure you are testing your security regularly. Do unsecured Amazon S3 buckets sound familiar to anyone?
I think part of the push for moving things to the "Cloud" is it is a perceived cost savings measure for many in management and it can often simplify standing up servers, rolling out apps, etc. Of course, sometimes there are fees for bandwidth that you have to take into consideration such as that Amazon charges to transfer data between your S3 buckets and your on-prem network. I used the word "perceived" savings because there are other factors that every entity must consider.
I know of many early adopters of the Cloud that are now migrating back to on-prem solutions for a variety of reasons. One reason is for regulation/compliance issues and another is for more control over systems to include logging and investigative controls.
By the way, is everyone making sure the vendor’s IT staff are having background checks on a regular basis and they are not stealing or modifying your data? Just something to consider, especially for government entities that are charged with protecting citizen data such as HIPAA, PCI, etc.
I’m not sure Cloud adoption is always done for the right reasons and I don’t think it is the solution for every entity. Like anything, you need to evaluate all your options and do those things that make sense for your business model. Just because someone else is doing something doesn’t mean you should. I think we tell this to our children from an early age and definitely something we should remember as professionals in IT.
Happy New Year everyone!