In Cloud We (Should) Trust
Storing data in the cloud will help your agency, not hurt it.
In January 2016, the Federal Risk and Authorization Management Program released a draft of its high-impact baseline for moving federal data to the cloud. Not long after, Amazon Web Services (AWS) accepted an offer to pilot the new security threshold.
AWS worked with FedRAMP to develop a set of standards under which highly sensitive government data could securely migrate into cloud environments.
If ever you doubted that cloud computing was the new frontier for federal data and software management, look around.
Over 2,300 government agencies worldwide have already migrated to the AWS Cloud. And in the U.S., this will only increase with the release of FedRAMP’s high baseline standards. Previously, cloud service providers (CSPs) could only become certified at a low or moderate baseline under FedRAMP, meaning agencies had no security baseline from which to spring their sensitive data into the cloud.
These new standards effectively represent the fall of the final formal barrier to federal cloud computing. Terabytes of government data will soon have a pathway to more efficient storage.
But before embarking on that path, many government leaders seek answers to long-held beliefs about cloud security that, in reality, may be myth.
Busting the Myths
Let’s talk about cloud security. Naturally, federal leaders are concerned about the implications of cloud for their applications and the data within them, so security is a top-of-mind issue. Compound that with compliance and regulatory pressures, and you have a recipe for federal IT stress.
Broadly, the phrase “cloud security” refers to the cloud versions of security controls generally available on premises. One of the greatest misunderstandings within government IT is that cloud security is less reliable than on-prem security, says Bill Murray, senior manager of security programs at AWS.
“The idea that cloud is less secure comes from a perceived loss of control,” he explains. “However, with AWS you actually gain more control over your data than you have in your own on-premises environment.”
Control is inevitably married to peace of mind when it comes to security, and Murray says the idea that cloud takes away a user’s control over their data is a total misconception.
In the cloud, federal agencies gain more comprehensive pictures of their data. Cloud administrators can view not only what their networks look like at a high level, but also precisely how network components are behaving.
“With the click of a mouse, you can determine who launched an instance, where it was launched from, how long it’s been running, what it’s running on and with what data,” Murray says.
Supporting this advantage are myriad tools like Amazon CloudWatch, a monitoring solution that allows network mapping in near real time. In an age when network maps become outdated in mere minutes, Murray stresses the importance of this solution, which gives operators intimate, timely portraits of their data networks.
“You can picture it as the Windows OS function Task Manager, but on steroids,” Murray says.
So when it comes to control, cloud can become an IT operator’s most powerful asset. By better understanding networks through heightened visibility, agencies can also increase agility and streamline the auditing process, even further strengthening security.
Another major misperception is that spinning data up into the cloud makes it easily accessible by unqualified parties, which Murray says is simply untrue.
A data technician having physical access to a machine doesn’t equate to logical access to that machine’s data. At AWS, Murray says, programmatic and procedural preclusions keep data off-limits.
The cloud can often feel overwhelming because of words like “migration,” which suggest a kind of mass exodus and replacement of information from the Earth to the cloud without changing any processes, something Murray refers to as forklifting.
The misconception here is that agencies must, or even should, forklift into the cloud.
Cloud technology comprises an immensity of resources (AWS utilizes over 70 different services and offered 722 new enhancements in 2015 alone, Murray says), and forklifting denies users the ability to take advantage of what cloud computing has to offer.
This assumption is rooted in the false idea that cloud environments behave identically to on-prem environments. Not so. Cloud allows agencies to approach migration in a much more piecemeal, iterative way, Murray says. By migrating applications strategically, agencies will also make their cloud environments safer.
If agencies first plan the migration, Murray says they can create “tiny bubbles” of applications, little enclaves that won’t create a ripple effect in the event of a breach or malfunction.
“This means the ‘blast radius’ within cloud computing can be managed very minutely,” he says.
After realizing the benefits of cloud, agencies must then lock in an understanding of how to operate their security controls within it.
Murray says AWS has a very clear method for understanding what controls agencies must heed and what the CSP covers, something they call the Shared Responsibility Model.
“At a very high level, it’s the notion that AWS is responsible for everything from the concrete in the data center floor up through the host operating system of the virtual machine,” he says.
From there, agencies take the wheel, keeping an eye on the guest operating system of their virtual machines, the applications at the top of the stack, and everything in between. But that’s not to say government is left at sea without a paddle.
“We work hand-in-hand with our customers to ensure that the entire stack is secure,” Murray says.
For any agency IT leaders intimidated by this thought, Murray says not to fear; you have at your disposal a cornucopia of resources to prepare and sustain data security.
In the context of AWS, for example, it may at first seem difficult to keep track of 70 different services and constant updates. But the company makes its own consulting arm available to customers. With the ubiquity of cloud, there’s never a dearth of valuable and accessible information.
From free classes and online training to huge conventions and special summits all over the world, Murray says that agencies would be remiss not to take advantage of the opportunity to educate themselves at every level.
Get Started Already!
The first steps can be the hardest.
Government leaders are often primarily concerned with regulations like FISMA and FedRAMP when evaluating service providers. By adhering to these baseline policies, agencies ensure legal compliance.
But with such a compelling value proposition and the ability to move increasingly sensitive data to the cloud, compliance must be the start, not the finish line. When working with CSPs, Murray says leaders ought to take care to architect the migration deliberately, to make sure that their solution and game plan make the most sense for their needs.
To get that help along the way, agencies should seek a team of seasoned cloud professionals who know what they’re doing.
“AWS has been doing cloud computing for over 10 years. When it comes to cloud, there’s no compression algorithm for experience,” Murray says.
So you’ve educated yourself and found tried and trustworthy guidance. What’s next?
"There's no one-size-fits-all solution for companies and government agencies moving into cloud,” Murray says. “But we see a few major patterns emerging with some of our bigger enterprise customers, which translate well to government."
Often, when enterprises are starting out, they dip their toes in the pool by spinning up test instances into the cloud to gain a better understanding of how familiar processes operate in a new environment.
Murray says agencies might follow by taking off the water wings of the dev world and moving specific digital properties into the cloud, like websites or mobile applications.
From there, agencies start to get the hang of it. After witnessing real benefits with less sensitive data, operators can feel more comfortable moving more business-critical applications, like legal or HR functions, to the cloud.
They then eventually reach a tipping point from which to dive toward an all-in cloud strategy.
The New Inevitable
Moving forward, cloud literacy will become second nature to government agencies, especially in the wake of government directives like the Cloud First policy.
“Cloud is becoming the new normal,” Murray says. “And I would say that cloud is becoming the new inevitable.”
And the federal government’s next move must be to embrace it — confidently, strategically and with a firm understanding of where they’re headed.
As legislation and security protocols continue to support cloud deployments, the nation’s most important data assets will find a more secure and more powerful home. In the cloud, government is leaner, more secure and ultimately more focused on serving citizens.