It’s no secret that cloud computing has fundamentally changed the way that government does business. It’s revolutionized employees’ ability to access data, software, computing power and collaboration strategies, disrupting the traditional notions of information technology.
But with these transformations comes a challenge for the public sector: How can you fully capitalize on the cloud to advance your agency’s mission while respecting compliance and security?
A recent GovLoop training created in partnership with Cisco, “Cloud and Cyber Combine to Protect Gov Data,” explored how cloud security teams can still meet the mission needs of end users. John Conner, Cloud Security Professional, National Institute of Standards and Technology (NIST), and Rich West, Security Architect, Cisco Systems, teamed up to discuss how security teams can understand business and mission needs while still keeping cloud operations and data secure.
Conner pointed out that particularly at NIST, he works with an uncommon set of end users — scientists who often need to collaborate with folks at research institutions and universities outside of government. Oftentimes they need the latest, greatest and easiest technologies to do their job of keeping up with breaking research and science. Conner explained that the security teams must be able to enable this, not prevent this.
“The role of the CIO side and our job working with our customers — aka scientists at NIST — is to enable them to use the technologies out there to do their best work for NIST, no matter what those technologies are,” Conner said.
That’s not always so easy, though, particularly in government, where sensitive data must be secured and compliance requirements like FISMA must be met. “As a cloud team you want to work with the people on their missions and not immediately say no,” Conner said, “but that can be difficult.”
“If IT and security aren’t solving the business problem people will go find their own solutions and then you run into reach security issues,” West pointed out, giving context to the rise of shadow IT in government.
So how can agencies enable mission need for their end users while still keeping their cloud technologies secure? Conner and West said it comes down to having IT and security properly understand the use case for technologies; training users on security; and partnering with a trusted vendor who works with you as a peer.
“You must work to identify the solution and the mission need at the start,” West pointed out. Only then, he noted, can you work backwards to identify the technology and the security that can enable what teams and agencies need to do.
“You also have to get your users the tools they need but they MUST be trained on security,” Conner emphasized. “Additionally, getting your procurement folks involved at the beginning so you can work with the security requirements and having them as your ally is key.”
Finally, it is critical to partner with a secure vendor who understands the business mission and the tools end users need, and who works with you as a partner.
“I’m not just a vendor,” West of Cisco said. “I’m your peer. My job is to help you secure your technology.”