‘Gov Clouds’ During COVID-19: The End of the Digital Fortress Era
Simply put, many U.S. government agencies are running on less reliable, less feature-rich, fortressed versions of commercial clouds.
Modern information technology has the ability to fundamentally alter how governments interact with their citizens. It can enable them to communicate with their constituents in new ways, reduce the friction of applying for permitting and benefits, and even make it easier to govern remotely when in-person meetings just aren’t possible.
Federal leaders in this—and in previous administrations—have recognized these opportunities and have worked hard to establish a foundation upon which agencies can build their digital transformation strategies. I was proud to work with many of these leaders in my previous government roles, focused on modernizing federal IT.
The COVID-19 pandemic has, for better or worse, clarified the criticality of modern government technology. As federal and state governments sent their employees home, capacity and accessibility demands quickly overwhelmed IT systems and processes. Many agencies struggled to provide services using newer digital channels. And, unfortunately, new security challenges emerged as well, particularly among agencies whose specialized “government clouds” strained under the load.
We believe there’s a better way. It starts with acknowledging that there really is no need for specialized government clouds that give the illusion of a digital fortress. In fact, these “gov clouds” have actually hindered the federal government’s ability to take full advantage of the security and full capabilities of commercial cloud environments. How did this happen?
Government Clouds vs. Commercial Clouds
To back up a bit, the construct of a government cloud was introduced in 2013, following the introduction of FedRAMP. To meet new FedRAMP security requirements, many cloud providers built separate environments to run government workloads. While this enabled them to more easily achieve compliance, the “gov clouds” didn’t (and still don’t) come with all the benefits that a commercial cloud provides. And their shortcomings have now been exposed under the dynamics in which we’re living.
New features are introduced daily into commercial clouds—and often on-the-fly. But because government clouds are run through specialized, standalone data centers, they can have up to an 18-month lag time in receiving new features. This greatly impacts the government’s access to critical new technologies, whether it’s data analytics, artificial intelligence and machine learning, and even new security protections.
Simply put, many U.S. government agencies are running on less reliable, less feature-rich, fortressed versions of commercial clouds. Government clouds lack the same capacity, scalability, and security of the battle-tested business clouds used in the private sector.
While the original motivation behind creating these clouds was to meet rigorous FedRAMP standards, they also adhere to antiquated, perimeter-based security models that were in vogue nearly a decade ago. Gov clouds are built under the assumption that all employees work exclusively on devices owned by an organization, and these employees are always operating within the company’s private network. In today’s modern work environment, we know this is no longer true. This is especially so during a pandemic, in which remote work is at the forefront.
Nearly ten years ago, Google decided that every employee should be able to work from any network without the use of a VPN. This was not an easy decision, but it has drastically shifted the way Google—and today the technology industry overall—thinks about ensuring security for distributed workers. Dubbed “zero trust,” all participants inside and outside the network’s boundary are treated as suspicious. AI and machine learning considers the user’s IP address, behavior, files accessed, and a host of other factors before granting access. Zero trust removes the requirement of building a perimeter because users aren’t even trusted when they’re inside the fortress. Under perimeter-based models, that’s usually when they do the most damage.
A recent study found that federal government IT executives are now embracing this shift toward a perimeter-less environment, reporting that it greatly improves risk management and their security postures, while also providing a better overall user experience. But as long as government departments continue using limited, perimeter-based “gov clouds,” this modern security model remains out of reach for many agencies.
Reconsidering a ‘Gov Cloud’ Approach
Federal CIO Suzette Kent has been a champion of modernizing the government’s digital infrastructure and the policies that govern them. She said it best on the occasion of the release of the Federal Cloud Computing Strategy in 2017: “The case for using cloud capabilities in government has been clearly proven–to drive savings, to improve security, and to deliver mission-serving solutions faster.”
Her Cloud Smart strategy is a critical step forward, but now it’s time for government agencies to reconsider the use of “government clouds” as a panacea, especially during a pandemic when every IT environment and every channel is facing the strain. (And, as we’ve seen, citizens will find ways to reinvent their lives whether the government does so or not.) Rather than putting the country into more technical debt by investing in outdated clouds based on outmoded security models, it’s time we explored options involving a multi-vendor ecosystem—based on zero-trust security—that allows for flexibility and innovation. The end of the digital fortress era is here.
Jeanette Manfra is the director for Government Security and Compliance within the Google Cloud Office of the CISO and former assistant secretary for cybersecurity and the Cybersecurity and Infrastructure Security Agency.