Presented by Booz Allen Hamilton
Federal agencies are tasked with delivering mission-critical services to constituents. To stay resilient, leaders need to rethink traditional cloud implementation.
It’s been a decade since the first cabinet-level agency migrated its flagship of properties to the cloud, followed by nearly every agency under the sun. And thanks to their migrations off-premises, agencies have brought new capabilities to their respective missions, innovated more quickly, and done more with less while also reducing their technical and security risk.
But at a time when the word resilience has dominated most conversations about agency IT amid the pandemic, it’s important to understand that traditional cloud implementation models that were successful in the past may not translate to what matters most when enabling mission programs, says Delie Minaie, principal at Booz Allen Hamilton, who leads cloud transformation and management for large-scale civilian agencies.
High-stakes national systems and infrastructure can’t afford to be disrupted or compromised, and critical services must be delivered to constituents around the clock. In theory, cloud opens the door for more scalable and efficient operations, enhanced security, and modern applications that are in line with the services constituents expect. But in practice, realizing these benefits requires a purposeful enterprise cloud strategy that’s focused on mission outcomes—with a clear vision that zooms out from the technical and everyday weeds.
“Many organizations assume that just by being in the cloud, everything is taken care of. However, that can't be further from the truth. Without a real strategy for cloud that’s built around mission assurance, organizations end up with a stovepiped approach that creates new and different challenges from what they faced in legacy environments,” Minaie notes.
Done the right way, agencies can leverage cloud to stay agile, bring in new capabilities quickly, and scale efficiently. Leadership at agencies that operate in high-risk, rapidly changing environments, can then focus on investments and programs where the benefits matter most to mission resilience, rather than obscuring the forest for the trees.
Federal Agencies Are Already Unifying their Approach
More agencies on this journey are starting to examine their whole application portfolio and how it enables mission delivery. Rather than developing, maintaining, and funding program by program, application by application, IT system by IT system — they are shifting focus to a centralized and common cloud platform, to ensure mission resilience across the holistic application portfolio.
During the pandemic, one of Booz Allen’s clients — a cabinet-level civilian agency — had to develop new capabilities overnight to support public needs related to COVID-19. One advantage they had was an established and FedRAMP-accredited cloud hosting environment that was already available across the agency’s bureaus.
Users across this organization’s network have access to a centralized platform for public-facing and mission-critical sensitive applications. This cloud environment accelerates application migration from months to days and cuts waiting time for change requests from weeks to hours. And it facilitates advanced analytics and continuous security through shared services.
“This enterprise model for cloud facilitated a rapid and agile response when the public needed it, during a very challenging period,” shares Minaie.
The organization benefits from a resilient, reliable, multi-tenant platform that provides agile, cost-effective and secure hosting services for internal, public and extranet applications at the FISMA and FedRAMP levels. Tenants can share computing resources while each of their data is isolated and remains invisible to other tenants. The environment also helps scale innovation and capabilities through embedded reusability.
But it took a deliberate approach to understand what consumers and tenants really needed from a shared cloud model — and ongoing communications and engagement to ensure the platform is adding value in the right areas.
“This agency needed to change the game for their constituents and ask, ‘What's really in it for them?’” Minaie says.
Other agencies have taken note of this accredited cloud environment.
“Increasingly, other larger federated agencies are coming together for this type of holistic thought approach,” Minaie says. “Transitioning to a shared services model for cloud really moves the goal posts of what agencies can do to accomplish ‘more with less’ so organizations can start to operate more efficiently and create visibility across the enterprise. Rather than needing to develop, maintain, and fund individual security protocols and enhancements for standalone applications, this approach enables agencies to look at mission assurance broadly for their whole portfolio.”
Adopting a Critical Security-first Mindset with Cloud Architecture
With the influx of platform-as-a-service and software-as-a-service capabilities, there are also new and evolving entry points for adversaries to infiltrate. An enterprise cloud approach opens the door to intelligent security that’s integrated across multi-cloud environments and automates common security practices throughout the network.
That is especially key in the wake of the recent vulnerability that affected a Java logging package, Minaie notes.
“What we're seeing with the current exploit of Log4J, having that intelligent security and visibility across the enterprise has been afforded to various agencies because of their cloud adoption,” she says. In the cloud, organizations can more holistically identify anomalies, threats, and vulnerabilities to cloud-native and cloud-hosted environments using streaming data.
But to leverage the multi-billion dollar investment cloud service providers have made in security operations — and to meet the recent cybersecurity Executive Order — requires a reevaluation of traditional security approaches. To protect government networks, infrastructure, and data from growing digital threats, agencies are moving toward a Zero Trust network architecture based on a verify-and-never-trust approach. That includes automatically embedding robust standardization authentication and hardening agency infrastructure and resiliency across the interconnected data center.
The Zero Trust model is guided by a single principle: that security must extend throughout the network and not just at the external perimeter, Minaie says.
“On the operation side, organizations should also start to integrate their engineering and compliance teams to ensure that architectures are built with a security-first mindset,” she adds.
Finally, be deliberate about third-party network and security services that are integrated with your infrastructure.
“It's important that while a shiny new tool may save you money or help you move more quickly, new partners and products also may introduce inherent risks to your enterprise,” Minaie says.
Innovation in government today relies heavily on partnering with third-party vendors, [so] underlying architecture needs to be designed to manage that risk,” Minaie says. “With a strong security posture, and ingrained guardrails to automate security controls, organizations can continue to push innovation.”
Successful Cloud Journeys Begin with Aligned Strategy
Each of the major CSPs offers hundreds of cloud-native services and marketplaces that provide access to third-party ecosystems with thousands more. These services rapidly evolve and grow and provide not only basic infrastructure capabilities but also advanced functionality such as facial recognition, natural language processing, quantum computing and data aggregation.
But with all the options, it’s not always clear what the best investments are for an IT organization. And agencies have heard a similar refrain for years: Do more with less. So many organizations are balancing tighter purse strings amid expanding missions — while heeding the call to modernize or enhance legacy applications.
Done right, cloud offers agencies a way to navigate this — creating the conditions for innovation but also increasing operational efficiency across the organization. Done haphazardly, an agency won’t have the visibility it needs across environments — and will end up paying for bells and whistles that don’t provide mission value, Minaie warns.
She underscores that IT leadership needs to establish and align on an enterprise cloud strategy that informs investments, operations and policies. With a clear strategic vision and central oversight of the cloud portfolio, organizations can then design, integrate, test and operate the tools the CSPs provide to ensure secure and resilient operations.
Establishing this oversight also allows organizations to better connect multi-cloud capabilities and, importantly, know what’s happening across the network in real time to react at the speed of relevance.
A cloud strategy should trickle down to a diverse group of stakeholders across the agency so that internal and external stakeholders and potential customers are appropriately educated and bought in, and changes are made in a controlled fashion.
“This is certainly true for phasing out manual processes — which often introduce risk, but there’s often a strategic balance between automation and autonomy,” notes Minaie. She adds that with stakeholder engagement, and enough time for testing, automation mechanisms can be confidently scaled. Without the upfront effort to test new automation tools and involve users, deployment may actually decrease trust and increase risk across the enterprise.
In legacy environments, the infrastructure to support resilient operations and disaster recovery had to be in place and maintained even when not in use; realistically, very few enterprises could afford this. Now, with cloud, organizations can automatically meet surge demands and scale new services in minutes — if they have an articulated and holistic approach to cloud.
“We’ve seen a lot of successful cloud migrations and implementations, and it's so important that you have a plan and sponsorship,” Minaie says. “The people and process are as equally important as the technology.”
Delie Minaie is principal at Booz Allen, with expertise deploying cloud capabilities for organizations to deliver modern, secure, scalable, and digital-first solutions for their end users and customers.
This is part of Booz Allen Hamilton's "Government Cloud" series. Click the links below for other articles in the series:
This content is made possible by our sponsor, Booz Allen Hamilton. The editorial staff was not involved in its preparation.
NEXT STORY: The Cyber Future for Government Agencies