It’s time to add security as a reason for, not against, moving federal applications to the commercial cloud.
Roger Baker, former chief information officer for the departments of Veterans Affairs (2009-13) and Commerce (1998-2001), is currently the chief strategy officer at Agilex.
Ever since the Office of Management and Budget issued its cloud-first strategy in 2010, the security of cloud offerings has been a major concern for federal IT managers. It is the primary reason the largest share of cloud expenditures in government has been on private clouds.
These dedicated offerings are viewed as providing a better fit to existing information security models, as agencies can exert more control over the internal architectures and processes of the private cloud.
In contrast, agencies have believed that commercial cloud offerings were not secure enough for their applications, especially those requiring "high" protections under the Federal Information Security Management Act.
But time and investment by the private sector have turned that belief into a canard. The government’s own FISMA audits provide the primary proof. These audits observe widespread issues with configuration control, patch management, unsupported versions of hardware and software, disaster recovery and numerous other vulnerabilities.
Commercial cloud vendors aggressively avoid these problems as a fundamental part of their business model. They must constantly update their offerings to remain competitive in the commercial marketplace, supporting a wide variety of sensitive applications for commercial customers, particularly an increasing number of financial customers. As a result, their security posture already far surpasses that of most of the 6,000-plus legacy federal data centers.
Six key aspects of commercial cloud offerings drive this high level of security:
- Equipment and software are new, sometimes purpose-built, and constantly updated;
- System configurations are standardized and automatically created to eliminate variances and maximize efficiency;
- Security patches are automatically applied to all systems on a timely basis;
- Cloud environments are certified to multiple different national and international security standards;
- The private sector can hire high-level system engineering and security talent more readily; and
- The company’s brand is at risk should security be compromised, which keeps the company fully aligned with addressing security issues.
Driven by vibrant competition and increasingly critical data holdings, cloud vendors will continue to invest in hardening their systems and automating their processes to provide even better security. While reduced cost and “modernization” have been the primary reasons federal agencies have considered a move to the cloud in the past, it’s time to add security as a reason for, not against, moving federal applications to the commercial cloud.