
Why Accelerating Cloud Migration Is Crucial for Government Cyber Resilience

A report by the Center for Strategic and International Studies (CSIS) Commission on Federal Cloud Policy, titled “Faster to the Cloud,” highlights strategies for the federal government to accelerate cloud adoption and bolster data security and backup recovery. 

However, the report points out that cloud adoption across the federal government has slowed. This analysis examines the critical reasons why federal agencies must expedite their transition to cloud-based systems to build cyber resilience. 

Federal cloud adoption was supposed to be much more ubiquitous than it is today.

Over the years, the government’s strategy has evolved: First, it was “Cloud First,” then “Cloud Smart” and, for the last four years, there hasn’t been a heavy focus on the cloud at all. In examining why government efforts have stalled, the commission’s analysis identified several trends affecting the adoption of cloud computing:

  • Resistance to Change: Federal agencies exhibit a natural resistance to change, exacerbated by stringent compliance requirements and the daunting task of migrating from entrenched legacy systems.
  • Security Concerns: The shared responsibility model in cloud environments means that federal agencies are wary of potential security breaches.
  • Cost and Complexity: The initial cost of migration and the complexities of managing hybrid environments are significant barriers. Organizations often migrate their existing systems to the cloud without making any changes, a practice known as “lift and shift,” which can be both inefficient and expensive.
  • Slow FedRAMP Approvals: The slow pace of FedRAMP hinders federal agencies’ ability to secure private-sector partnerships. Incentivization, governance, and architectural considerations are further areas of concern.
  • Lock-in Risks: Moving to a cloud service provider (CSP) carries a potential risk of lock-in, where federal leaders become stuck indefinitely and may be surprised by the bill they receive.

Having a cloud adoption strategy that includes a plan for fail-safes and redundancies is essential.  

Fundamentally, federal agencies prefer not to rely solely on a single cloud environment. If connectivity to the cloud is lost or a catastrophic event occurs, moving to a different region, data center or cloud environment can mitigate some problems. However, this tactic doesn’t address internal issues or blind spots like software supply chain attacks or insider threats. Failing over across regions won’t solve these fundamental issues.

Risk and compliance components often lag behind these concerns. It’s important for federal agencies to proactively avoid cloud lock-in and maintain the ability to move to other environments, including on-premises data centers. This flexibility is crucial in case of outages, performance issues or other reasons that render cloud environments unsuitable.

When it comes to meeting government missions, federal agencies might need to disconnect from the internet, making self-owned and operated data centers advantageous. As with AI adoption, having a meticulous plan for fail-safes and redundancies is essential. This strategy should aim to encompass all scenarios to ensure acquisition priorities and processes can reap the cloud’s benefits successfully without increasing cyber risk.

AI’s success in government will heavily depend on cloud usage and computing resources. 

From a global and national security perspective, federal agencies are at a pivotal point where technological innovation, the adoption of AI, building cyber resilience, and economic innovation are all decisive factors in global and military superiority. As a result, I believe federal agencies must figure out how to embrace, transition, adopt, develop and invest in emerging technologies, such as AI, faster than ever.

Legacy data centers aren’t going to have the capacity to meet the demands of AI within the government. Therefore, cloud adoption is essentially going to be a prerequisite for the widespread adoption and use of AI. Underpinning all of that are security, design and resiliency considerations, among other factors. 

Federal agencies must also consider developing and implementing robust contingency plans to mitigate data security risks in cloud environments.

According to the most recent data, there are more than 5,000 data centers in the U.S. facing different kinds of cyber risks, such as those related to the shared responsibility model, supply chain attacks, insider risks and others. As a result, moving to the cloud has many advantages. 

Still, there are many complexities that must be planned for and factored into cloud adoption decision-making in government, including: What should federal agencies exclude from the cloud? How do federal agencies ensure cyber resiliency during cloud migration?

I believe federal agencies must adopt proactive defense strategies, incident management and third-party data backup and recovery to improve cyber resilience. Cloud migration should include contingency plans to ensure a rapid recovery from catastrophic events. Further, rolling out a zero-trust architecture — a goal of various federal directives — requires an “assume breach” mentality, which is crucial for protecting and quickly restoring government data.

Considering the evolution of cyber threat actors and the importance of data protection, the shared responsibility model has also become crucial in this endeavor. If there’s an issue with a service provider or cloud service provider, federal security teams will want to ensure data is protected and backed up in an environment outside the “blast radius” of a cyberattack. 

If a catastrophic network event occurs, such as an outage, a lack of connectivity or a destructive cyberattack, federal agencies must be prepared for data recovery. This example is related to the commission’s cyber deterrent strategy, which says that federal data security teams should plan for the worst-case scenarios by rolling out their zero-trust architectures faster. 

Ultimately, the CSIS report underscores the urgent need for federal agencies to accelerate cloud adoption and data security capabilities to build cyber resilience. 

I believe the capabilities outlined in this article are the building blocks of a stronger and safer government cloud environment. They will be catalysts to protect data integrity and availability even when there are cyber threats or system failures.


The views expressed in this article are those of the author and do not necessarily reflect the official policy or position of Rubrik. This article is for informational purposes only and does not constitute business or legal advice. Organizations should consult with legal and compliance professionals to ensure their cybersecurity strategies meet all applicable federal, state, and international requirements.

Travis Rosiek currently serves as public sector chief technology officer (CTO) at Rubrik, helping government agencies become more cyber and data resilient. Rosiek is an accomplished cybersecurity executive with more than 20 years in the industry. His experience spans driving innovation as a cybersecurity leader for global organizations and CISOs to corporate executives building products and services. He has built and grown cybersecurity companies and led large cybersecurity programs within the Department of Defense (DoD). As a cyber leader at the DoD, he was awarded the Annual Individual Award for Defending the DoD’s Networks.

Prior to Rubrik, Travis held several leadership roles, including chief technology and strategy officer at BluVector, CTO at Tychon, federal CTO at FireEye, a principal at Intel Security/McAfee, and leader at the Defense Information Systems Agency (DISA). He has served on the National Security Telecommunications Advisory Committee (NSTAC) as an ICIT fellow and on multiple advisory boards.

Photo Credits: Kadang Kesel
