Securing the Cloud of Today

This blog post is an excerpt from GovLoop’s recent guide, Forecasting the Cloud: Eight Ways the Technology is Changing Government. To download the full guide, head here.

It’s widely agreed that 2014 was the year of the cloud in the federal government. More and more agencies and organizations tested moving data to the cloud, learned about deployment, and worked through security and compliance issues related to cloud computing.

If 2014 was the year of testing the cloud, though, it looks like 2015 will be the year of full implementation – and of large migrations of data and services to the cloud, especially in the Department of Defense and the intelligence community. To learn more about what cloud adoption will look like in 2015 – and the new methods of security – GovLoop sat down with Aaron Faulkner, Chief Strategy Officer at InfoReliance, and Ken Kartsen, Vice President of Federal Sales at Intel Security (formerly McAfee).

“What we saw in 2014 on the federal side,” said Faulkner, “was agencies starting to get that first crack in the ice. The typical pattern for a first-timer has been migrating a public facing web site or implementing a disaster recovery strategy using the cloud instead of an on-premise SAN or tapes. Once they begin leveraging the cloud and get that first authority to operate in-place from their CISSO, we have seen time and again an unprecedented adoption of technology throughout an agency with ever increasing complexity of workloads.”

With the big leaps that happened in 2014, Faulkner predicted that what agencies will be dealing with in the coming year is the work of learning how to migrate and optimize applications and data in the cloud.

“The cloud conversation is finally shifting from the philosophical and ‘what if’s?’ to the pragmatic approach and business considerations that departments and agencies need to make as they transition from on-premise computing to fully managed cloud services that are delivered on a consumption basis,” Faulkner added.

This move from testing cloud services and discussing their benefits, to more practical deployments of cloud computing, means that agencies need to focus more on the pragmatic aspects of adopting cloud computing With those services, Faulkner added, security is still a primary concern. “Our perspective is, we always make sure that the same exact security capabilities and security topology that the customer has on premise today is available to them in their cloud environment. That is the simple bottom line.”

Kartsen agreed that the conversation around cloud has changed and now needs to focus on security.

I think the dynamics around what the cloud provides end users and customers, its capabilities to deliver applications on demand and systematically move or enable infrastructure in the cloud and what that means for security, has changed over time,” Kartsen explained.

“What people are discovering is your security is only as good in the cloud as the security, policies and procedures in configuration management that you apply to your cloud infrastructure,” Kartsen added.

“The GSA FedRAMP program in particular has done an outstanding job of providing assurances to departments and agencies, including the DoD, that certified cloud service providers have met rigorous security standards and controls,” Kartsen said. “In fact, from the physical security of the datacenter itself, all the way through and to the hypervisor, government customers can count on having a highly secure, highly available, and highly auditable infrastructure. However, the moment that they migrate their data, their applications, their network configurations, etc., the accountability and the responsibility for security shifts from being solely that of the cloud service provider to that of both the provider and the agency – a shared responsibility security model.”


Kartsen continued by stating that Intel Security recognized early on the criticality of ensuring that their customers have the ability to secure their cloud environments in the same manner they have done on-premise. Beginning in 2014 a series of new products, such as the Public Cloud Server Security Suite, as well as engineering efforts for key tools such as SIEM, IPS, and DLP, have all been underway in order to support all major platforms, to include Azure and Amazon Web Services, with certain products even being made available on a consumption basis.


Finally, both Kartsen and Faulkner stressed the need for the government to look at updating its contract vehicles and acquisition process so that users can really see the full advantages of cloud.

Faulkner advised that vendors need to have a partnership with the government to come up with more of a commercially driven acquisition and procurement strategy to be able to buy, use, and report the use, consumption and cost of cloud the same way a private sector company would.

“That’s the only way the government’s going get the true benefit of the cloud services and capabilities that are so incredible and moving so fast,” Faulkner said.


Leave a Comment

One Comment

Leave a Reply