President Donald Trump's executive order mandating a "cloud first" federal IT policy has drawn both criticism and praise. Few people, however, disagree that it's time for a change.
The federal government has long been bogged down by antiquated IT systems, processes, and modalities. Unlike scrappy startups and ambitious enterprises that embraced cost-effective cloud technologies at the get-go, federal agencies have resisted the switch — and they've paid a hefty price.
Not only do outdated IT systems waste resources and curtail productivity, as homeland security advisor Tom Bossert was quick to point out, but they also limit agencies' ability to focus on their core competencies and missions.
Although the agency-specific feasibility reports requested by President Trump's EO have yet to be publicly released (if, in fact, they're already completed), it's easy to see how agencies benefit. Cloud-based infrastructure offers unparalleled scalability, expanding or contracting alongside changing initiatives and regulations. With rare exceptions, the cloud is "always on," meaning government workers will be able to access non-sensitive systems from anywhere. And because updates are pushed automatically to cloud platforms, keeping IT systems up-to-date will become much less burdensome.
Despite the cloud's benefits, shouldn't policymakers be concerned about data security? Naysayers who claim cloud-based IT is inherently insecure may not realize that certifications such as FedRAMP hold cloud service partners to strict security standards.
This isn't to suggest, of course, that risks don't exist when it comes to the cloud mandate. One of the greatest is the 90-day reporting deadline. Will just under 13 weeks be long enough for agencies to perform adequate risk assessments? Moreover, the initiative could lead to a pantheon of cloud service providers, which could be as time-consuming to manage as legacy systems.
A Safe, Speedy Migration
Still, the most resourceful, powerful government on the planet can safely and effectively migrate its IT to the cloud. It simply needs a four-step plan to do so:
1. Don’t just hire consultants.
If federal agencies can learn anything from the Healthcare.gov snafu, it's this: Don't blindly trust third-party consultants to get the job done. Although consultants might be initially helpful to predict system traffic and hiring needs, agencies need internal talent and accountability to properly manage their cloud systems.
For outside help, agencies can turn to managed service providers. MSPs have expertise with Amazon Web Services and Microsoft Azure, as well as more niche players. Because these organizations offer a variety of cloud solutions, they're in an ideal position to advise on implementation, data migration, security, and ongoing management.
2. Use a cloud access security broker (CASB).
Unlike fixed infrastructure, most cloud service providers charge utilization rates. Agencies deal in terabytes and even petabytes of data, which employees will be constantly uploading and downloading from the cloud. If that usage goes unchecked, costs could skyrocket.
This is where CASBs come into play. By acting as a data middleman between the cloud service provider and the user, CASBs can monitor cloud usage for budgeting purposes. Absent a CASB or other asset management program, employees will need to roll up their sleeves to inventory technologies, monitor data usage, and enforce governing policies.
3. Rethink IT and security requirements.
Moving to a new system means accepting that old requirements may no longer make sense. Agency leaders should start by reviewing Gartner's "Five Rs" to understand the migration options available to them. Those who choose the cloud will need to collaborate with their cloud service provider to delineate security responsibilities and understand the security tools available to them.
4. Build a flexible road map.
For some agencies, full-scale public cloud deployment may not be immediately possible. An intermediate solution could be a private cloud, which technically meets the mandate but can't offer the full array of cloud benefits.
Again, agencies can partner with MSPs to determine the best cloud solution for their needs — be it public, private, or a hybrid of the two. For security and control considerations, the Cloud Security Alliance, COBIT's "Controls and Assurance in the Cloud," and the NIST cybersecurity framework are great resources.
All in all, President Trump's EO may mean a critical modernization of the U.S. government's IT infrastructure. Every change comes with risk, but holding onto old and insecure information technologies is riskier still. Stemming the spate of federal data breaches is paramount to our national security and continued prosperity.
In any case, the clock is ticking: In a few weeks, we'll know how our federal agencies plan to handle this monumental (and much-needed) change.