As governments across the country take on the hard work of transforming their IT operations to better support the growing demands and expectations of their citizens, they are increasing their investments in cloud infrastructure, platform and productivity services. And as any government IT leader will tell you, the whole process poses more than a few challenges.
Whether it’s meeting regulatory requirements, dealing with outdated systems or figuring out how to manage the gigabytes of data generated each day by new technologies, these efforts require significant resources and unique security and compliance standards.
If you’ve already begun investing in cloud services, or doing the due diligence to select the right cloud, it may be time for a check-up to make sure your investments not only support your needs today, but will continue to scale into the future. And if you are still moving toward cloud adoption, it’s important to make sure you know exactly what you are getting, because not all clouds are created equal.
Researching cloud options for government is like reading alphabet soup. You’ll see a lot of “me too” checklists among cloud service providers with no differentiation. Government is trying to break through the clutter and understand what they need to look for to have a secure, government-only cloud, with comprehensive compliance, ready for their mission-critical workloads. But asking a handful of deeper questions will help you see how the government clouds standard apart. Here are just a few:
1) How safe is your data?
- Will your data reside solely in government-only datacenters with at least 500-mile geo-redundancy for continuity and reliability? Most governments require data to reside in government-only data centers. Only a cloud provider with multiple, widely dispersed, government-only hardened datacenter regions can offer you adequate data replication in case of a regional disaster. Understanding a cloud provider’s capacity, redundancy and continuity capabilities is essential.
2) How secure is your data?
- If you’re a Department of Defense agency, is your cloud provider Defense Information Systems Agency (DISA) Impact Level 5-ready for infrastructure, platform and productivity services? This covers Controlled Unclassified Information (CUI) that requires a higher level of protection, including unclassified National Security Systems.
- Does your cloud provider offer a physically isolated version of their cloud solution, as required by for the Department of Defense (DoD) and DoD partners? For example, DoD Impact Level 5 data can only be processed in a dedicated infrastructure that ensures physical separation of DoD customers from non-DoD tenants.
- How does your cloud provider deal with cybersecurity threats? Does it have a proven history of protecting against cybersecurity threats and responding to them as these threats evolve? Is security built in or does it require additional services, such as encryption, from other vendors at additional cost? Does your cloud service provider operate government-only datacenters by screened U.S. persons?
3) How does your cloud vendor support your regulatory compliance obligations?
- Is your cloud provider willing to put their compliance commitments in writing? Here’s a checklist of just a few of your regulatory compliance obligations for which your cloud vendor’s support is critical:
- Criminal Justice Information Services (CJIS) Security Policy regarding protection of criminal justice information
- IRS Publication 1075 regarding protection of federal tax information
- International Traffic in Arms Regulations (ITAR)
- Family Educational Rights and Privacy Act (FERPA) regarding protection of student privacy
- Health Insurance Portability and Accountability Act (HIPAA) regarding protection of private health information
- Federal Risk and Authorization Management Program (FedRAMP — including FedRAMP High, FedRAMP Moderate and FedRAMP Accelerated) — to meet U.S. government cloud security requirements
- BCDR ISO 22301 to meet U.S. government business continuity and disaster recovery requirements
- If your provider claims CJIS compliance, how many states do they have signed CJIS agreements with and what exactly do they agree to? Is your state on the list? And is your provider willing to put it in writing that they have the required cloud security controls that go across IaaS, PaaS and SaaS, to help you meet FBI requirements, help protect the full lifecycle of data, and ensure appropriate background screening of operating personnel with access to CJIS data?
4) How does your cloud provider manage document retention and e-discovery? Does it manage and store all your data, including email and documents, in a way that enables discovery, and supports your data retention and public disclosure obligations. Are you required to purchase any third-party products at additional cost in order to satisfy your document retention and e-discovery requirements Do they store your data on their terms or your terms?
5) Does your cloud provider offer hybrid capabilities? Does your cloud provider give you the flexibility to integrate your on-premises application components and services with the cloud to work your way, help you reduce costs and simplify administration?
With so much at stake in making a decision about your government cloud provider, it pays to check the facts. At Microsoft, we have made significant investments to ensure government customers have the trusted, complete and secure cloud solution you expect and deserve, with industry-leading support for your regulatory compliance obligations. In fact, in a recent survey conducted by Penn Schoen Berland, government customers rated Microsoft as the most trusted cloud service provider, over AWS, Google and Salesforce. We also announced a few new investments this week and launched a Check the Facts site to help you make sense of the marketing as you make your cloud investments.
When you’re checking the facts, I invite you to take a deeper look at Microsoft Cloud for Government and ask the tough questions. And no matter who you choose — or have chosen — as your government cloud provider, I hope the questions offered here will help you ensure your cloud services fully support your critical governmental functions and regulatory obligations, so the transformative power of the cloud can truly be a force for good.
For more information about the Microsoft Cloud for Government, go to https://info.microsoft.com/GovernmentContactMe.html