I’ve worked in IT and information security for the last 18 years, spending a lot of that time as a government contractor and solution provider, as well as participating in organizations focused on private-public partnerships. In that time I have seen a lot of trends come and go. But after all those years working with the U.S. government, I’m happy to say that their focus on leveraging the public cloud has not gone away.
Cloud First, Explained
In December of 2010, the United States’ first Chief Information Officer, Vivek Kundra, released a document titled “25 Point Implementation Plan to Reform Federal Information Technology Management.” The plan focused on the premise that information technology should enable government to better serve the U.S. citizenry, and it included one key concept that still gets used today: cloud first. At the time, “cloud first” meant that agencies would identify three “must-move” services that would be migrated to cloud by June 2012 in addition to leveraging commercial (e.g. public), private, and state/local regional clouds. This included a mix of IaaS and SaaS services, and included many questions about integration and security. Seven years later, embracing cloud first has a whole new meaning in the government sector.
Moving to the Cloud
When government agencies want to move legacy IT services into the cloud today, the landscape has completely changed. Security has historically been seen as the biggest barrier to cloud adoption, but those concerns have now been removed. With the introduction of the Federal Risk Authorization Management Program (FedRAMP), under the management of the Government Service Administration (GSA), agencies now have a framework for holistically measuring effectiveness, enforcing policy, and holding vendors accountable from a security perspective. In short, FedRAMP certification has made vendor evaluation much easier.
Major cloud service providers like Amazon Web Services and Microsoft Azure have FedRAMP authority to operate (ATO) for low and moderate-security workloads, as well as provisional ATOs (P-ATO) for high-security workloads in government-specific cloud environments. These platforms have undergone more scrutiny than many public or private sector IT service offerings, resulting in government-compliant SaaS solutions that have leveraged these advantages. This allows agencies to easily embrace cloud first policies without any major security concerns, so that they can focus on their missions.
To prevent data leaks, cloud solutions also need to provide for granular access controls, capable of enforcing separation of duties. As there is a wide range of regulations governing access to and preservation of government data, a robust solution also needs to be flexible enough to encompass a range of requirements and certifications, while still remaining adaptable to changing needs and the constant growth in overall data volume.
Acquiring cloud services has also been greatly simplified since the original cloud first strategy was outlined. Today, cloud services can be acquired by agencies through government-wide acquisition contracts, such as NASA’s Solutions for Enterprise-Wide Procurement (SEWP), which have an entire catalog of SaaS services.
Getting it Right
Another important thing for agencies to consider when embracing the cloud first policy is finding solutions that are actually leveraging the unique advantages that you should expect from the cloud. Only solutions and services designed from the ground up with the cloud in mind can deliver the increases in speed, reliability, manageability, and affordability that have helped the cloud become such a dominant technology this decade. As the public cloud matures and becomes an ever brighter fixture in the IT firmament, companies would be wise to consider the significant advantages of a cloud-native SaaS solution.
When it comes to protecting and managing information in the cloud, for example, agencies need to be aware that not all data protection solutions that run in the cloud were in the cloud first. As many vendors hastily adapt legacy, on-premises data protection solutions for the cloud, agencies need to take into account that this type of product transition can cause serious issues from an operational and security perspective. When agencies leverage cloud-native offerings, on the other hand, security and operational efficiency are core features out of the box.