Since 2010, the U.S. Executive Office has been encouraging agencies to leverage the cloud to improve citizen services. Now, according to the new “Cloud Smart” strategy, a group of federal agencies are taking the lead to identify the best way to make that happen. Relying on input from industry and the broader federal IT community, OMB, DHS, GSA and others are putting together “a work plan of actions and targeted policy updates” to advance the strategy over the next 18 months. After digesting the strategy’s initial overview, I was impressed. The government appears to have a good grasp on the shortcomings of the prior “Cloud First” initiative, and in the new Cloud Smart strategy, it has identified security as one of the top three key areas requiring “serious consideration and investment…” Several recommendations made in the document resemble best practices used by some of the more adept commercial cloud adopters and are worth noting:
- The plan acknowledges that moving from on-premise to the cloud does not necessarily take advantage of cloud capabilities and emphasizes that agency adopters must have the right REASONS for moving to the cloud.
- To achieve the government’s desired outcomes, agency adopters must take advantage of the auto-scaling and auto-provisioning capabilities that the cloud offers.
- The government recognizes that DHS’s CDM program “must continue to evolve” and emphasizes that monitoring tools and capabilities are needed to understand cyber risks in the cloud.
Of the three key areas of focus (security, procurement and workforce), I believe that security will pose the greatest challenge to the federal government. When it comes to tackling the security challenges, the government should consider addressing the following in the final draft of its Cloud Smart strategy:
- Can an agency’s security product handle things that are auto-provisioned and auto-scaled? This is an important capability that does not currently exist in many of the government’s existing security solutions.
- While agencies are moving to the cloud, they will still have on-premise applications that need to be monitored. Do they have a single tool that can monitor both in the cloud and on-premise?
- Have agencies prioritized their ability to securely monitor their cloud management account configurations, making sure configurations are set properly AND that they will be made aware of any changes? If not, this is a must.
- Cloud providers are not solely responsible for security; it’s a dual responsibility between provider and agency. This strategy must further delineate where one ends and the other begins.
Finally, as I state in my response to the government’s request for public feedback, there should be greater emphasis on secure configuration management for cloud. When securing a cloud service, whether it's IaaS, PaaS or SaaS, continuous monitoring of configuration is even more important than it is in an on-premise environment. For my security peers, I would encourage you to review the Cloud Smart strategy at https://cloud.cio.gov/strategy/#cloud-smart and add your insights by the October 24th deadline.
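The two checks called for above, verifying that a management account's configuration matches an approved baseline and flagging any setting that changed since the last snapshot, look roughly like this in practice. This is an added example, not code from the Cloud Smart strategy or from any agency tool; the setting names, the snapshot layout and the two daily snapshots are constructed assumptions rather than any real provider's API.

```python
# Added example: baseline check plus change detection for a cloud
# management-account configuration snapshot. Setting names, snapshot
# layout and sample data are constructed, not a real provider's API.

# Constructed baseline: setting -> value the security team expects.
BASELINE = {
    "root_account.mfa_enabled": True,
    "audit_logging.enabled": True,
    "audit_logging.multi_region": True,
    "storage.block_public_access": True,
    "password_policy.min_length": 14,   # numeric values are minimums
}

def flatten(cfg: dict, prefix: str = "") -> dict:
    """Flatten a nested snapshot into dotted keys for comparison."""
    out = {}
    for k, v in cfg.items():
        key = f"{prefix}.{k}" if prefix else k
        out.update(flatten(v, key) if isinstance(v, dict) else {key: v})
    return out

def check_baseline(snapshot: dict, baseline: dict = BASELINE) -> list:
    """Return one finding per setting that is missing or off-baseline."""
    flat, findings = flatten(snapshot), []
    for key, expected in baseline.items():
        actual = flat.get(key)                      # None when missing
        numeric = isinstance(expected, int) and not isinstance(expected, bool)
        ok = actual >= expected if numeric and isinstance(actual, int) else actual == expected
        if not ok:
            findings.append(f"{key}: expected {expected!r}, found {actual!r}")
    return findings

def detect_changes(previous: dict, current: dict) -> dict:
    """Map each changed setting to (old, new); None marks added/removed."""
    a, b = flatten(previous), flatten(current)
    return {k: (a.get(k), b.get(k)) for k in sorted(a.keys() | b.keys())
            if a.get(k) != b.get(k)}

# Constructed snapshots of one account on two consecutive days.
DAY1 = {"root_account": {"mfa_enabled": True},
        "audit_logging": {"enabled": True, "multi_region": True},
        "storage": {"block_public_access": True},
        "password_policy": {"min_length": 16}}
DAY2 = {"root_account": {"mfa_enabled": True},
        "audit_logging": {"enabled": True, "multi_region": False},
        "storage": {"block_public_access": True},
        "password_policy": {"min_length": 16}}

if __name__ == "__main__":
    print(check_baseline(DAY2))          # settings off-baseline today
    print(detect_changes(DAY1, DAY2))    # what changed since yesterday
```

Running the baseline check on every snapshot catches settings that were never right, while the change detector surfaces drift between snapshots even when a setting moved from one acceptable value to another.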