Nothing in recent memory has roused so much excitement or apprehension among government IT professionals as cloud computing.
Today, you’d be hard-pressed to find anyone in federal, state, or local government circles who’s unwilling to concede the potential cost and efficiency benefits of migrating to the cloud. But you’d be equally hard-pressed to find anyone who isn’t concerned—on some level—that the open accessibility of the cloud platform makes government operations inherently more complicated.
Certainly, data assurance in the cloud raises several new questions and technological considerations. To complicate matters, there’s been a torrent of conflicting, misleading, and even downright false information flooding the public sector.
The truth is, should you find yourself in need of government-level cloud security, you’d do well to ask a security company. Cloud providers are essential, but few have the specialization needed to help you truly control, defend, and optimize critical data pathways inside a government cloud environment.
To set the record straight, here are four key data assurance principles—direct from one of the world’s foremost information security companies—for federal, state, and local government entities migrating to the cloud.
Principle #1: Fill the Gaps
As I’ve already mentioned, top-tier cloud providers can be essential, capable government partners. But the fact remains that their core competencies probably have little to do with data protection.
That’s why most government cloud requirements written today are calling for three distinct components:
- a core solution
- a systems integrator to facilitate the migration; and
- separate APIs to deliver capabilities either absent or incomplete in the core offering.
When it comes to data assurance, companies that specialize in protecting information are best equipped to fill the gaps—by offering new or augmented capabilities and compliance support such as FedRAMP authorization, SEC Rule 17a-4 compliance, retention policy management, recording of multiple data types, e-discovery cost reduction and workflow, and supervisory review (FINRA Rules 3010 and 3011).
Principle #2: Pick the Right First Moves
In December of 2010, OMB introduced its “Cloud First” initiative, compelling all federal agencies to migrate an initial application to the cloud by the end of 2011, and two others within 18 months.
At the time, a number of agencies selected email-as-a-service to be their inaugural cloud-based technology. But upon further study, many found email to be a challenging candidate for cloud migration, and peer agencies have since favored more service-oriented offerings like Compute as a Service, Storage as a Service, IT Service Management, CRM, and front-end Java web applications.
For the purposes of information protection, it’s paramount that agencies select the right initial projects for cloud implementation. These pilot projects will set the stage for an organization’s long-term success in the cloud—but only if the migrated data can be securely kept, managed, and organized.
Agencies that pick the wrong cloud pilots—and then fail to control their data’s integrity—will most certainly face an uphill battle accommodating OMB’s ambitious future mandates.
Principle #3: Follow the Standards
NIST released two draft special publications on cloud computing in February of this year—Draft SP 800-144 (Guidelines on Security and Privacy in Public Cloud Computing) and Draft SP 800-145 (The NIST Definition of Cloud Computing).
These documents (which provide an overview of public cloud computing’s security and privacy challenges, as well as its attributes and underlying rationale) — along with other cloud standards in concurrent development — will form a crucial, collaborative toolset for government agencies adopting cloud technology.
By studying the threats, technology risks, and safeguards endemic to public cloud environments, and by gathering the insight needed to make informed IT decisions, federal, state, and local entities can help to standardize best practices. All of this will strengthen information protection throughout the government enterprise.
Principle #4: Ask the Right Questions
Success in the cloud hinges on knowledge—specifically a commitment to evaluating the technical and business factors that influence better management of public, cloud-based content and better control of federal obligations such as FISMA, FedRAMP, e-discovery, electronic records management, and FOIA compliance.
As problem solvers, we must remember to ask the critical questions concerning proper data protection: What are our goals? What are our stipulations? How can we achieve shared resources, elasticity, and security at minimal cost? In addition, how can we build strong service level agreements into the acquisition process?
In Vivek Kundra’s updated Federal Cloud Computing Strategy, he writes that $20 billion of the federal government’s $80 billion in IT spending this year is a potential target for migration to cloud computing solutions. Perhaps such a large investment means two things:
- we’re never going back to the fragmented, duplicative, inefficient IT models of the past; and
- the transformation will be swift and massive in scope.
Hence, government must actively question and scrutinize the specific security requirements for information housed in the cloud, while determining which data in their possession are most critical.
To be clear: Protecting information in the cloud is no small task, and there’s no substitute for an IT partner with data assurance specialization.
However, it is our hope that by using these four principles as a foundation, your agency may begin the cloud migration process with more confidence and intelligence—more excitement, and less apprehension.