Moving to the cloud may be necessary, but that doesn’t mean it’s easy for agencies, which have to train their workforces, undergo lengthy acquisitions and enter into entirely different IT environments.
The transition, and all that goes into it, can be draining, so easy wins and time-saving opportunities are big pluses when possible.
“The ease of work is as important as other aspects,” Guru Sarma, Federal Cloud Director at SAP, said in a recent interview with GovLoop. SAP can tailor cloud solutions to agencies’ mission needs while ensuring compliance, security and privacy.
“Recently, we helped migrate the Navy’s Enterprise Resource Planning (ERP) program that is responsible for managing more than half the Navy’s finances to the SAP secure cloud environment, 10 months ahead of schedule,” Sarma continued. “During the tech refresh, Navy ERP upgraded to SAP’s high-performance analytic appliance (HANA) cloud-based platform. The transition enhanced resilience, visibility and survivability, in turn strengthening Navy readiness and supply chain visibility.”
As agencies grapple with how to manage the change of cloud environments, they should look for solutions that can shoulder their workloads. By identifying privacy, security and implementation as windows of opportunity, agencies can advance and improve their cloud journeys.
Privacy starts at the data layer. And here, there are several important questions to ask. First, what type of cloud is best for agencies? And second, who is responsible for cloud security?
To answer the first question, agencies have several options. In some cases, a FedRAMP-approved out-of-the-box software option will do just fine – as it’s the cheapest and easiest. Sarma noted that government clouds are more secure, because of stricter controls, than private sector equivalents.
“With respect to the cloud security controls that are required for federal agencies, it is significantly different from commercial customers,” Sarma said.
However, when agencies still worry about overall access, in addition to protecting data, they can install their own private clouds that run in vendor data centers. These private clouds are kept physically separate and have agency tools attached, so agencies have full control.
After deciding on the right cloud model, agencies must enforce the segregation of duties. This means that someone at the data level should not be able to pair the information with identifiers or have access to accounts. Otherwise, privacy could be compromised.
The default agreement for agencies is an authority to operate (ATO) contract reached with vendors. An ATO signifies that security is set and authorizes an IT system or product to operate on government networks.
The trouble is that too often, these ATOs can take months or years to finalize. When agencies realize that cloud is necessary, they might not be able to wait that long.
Therefore, federal agencies should take advantage of FedRAMP authorizations, which assign a security level for cloud providers through a central governmental office. FedRAMP was designed to do the painstaking work of providing provisional authorizations to vendors so agencies don’t need to perform duplicative work.
Moreover, agencies should search for cloud solutions that let them carry over security controls from their pre-cloud environments. That way, instead of tearing down existing operations and starting from scratch, agencies can have the cloud accommodate the same security measures that staff and employees are familiar with. These can complement new security capabilities that are available in the cloud.
Although procurement processes can still take a considerable amount of time even if agencies use FedRAMP, the hiatus should not be spent in limbo. Agencies should look for authority to test (ATT) agreements to precede the actual ATO.
With ATTs in place, agencies can begin pilots and testing before signing a contract. Then, they’ll figure out all the quirks and nuances before officially launching the cloud.
“They are able to get their ATO completed so that these activities are ready to go at the right moment,” Sarma said.