‘Education’ can help overcome agencies’ unease about cloud security, leaders say
A new survey finds that although cloud adoption has come a long way in federal agencies, IT leaders still cite security concerns as a key issue in moving away from on-premises infrastructure. There are ways to get past those hangups, though, according to panelists at a recent cybersecurity event.
The Ponemon Institute study — conducted in partnership with Forcepoint and discussed during the Cybersecurity Leadership Forum on April 4 — found that 67 percent of federal IT professionals say concerns about security are holding back cloud adoption at their agency. Guy Cavallo, deputy CIO at the Small Business Administration, and Susie Adams, CTO of federal business at Microsoft, said the results were a bit surprising.
Cavallo said his experience at SBA has shown that much of the unease is unwarranted. His office is “excited about the cybersecurity capabilities we have now through the cloud,” he said, and is willing to share what it has learned with other agencies.
“I think a lot of it is education,” Adams said. Cloud providers “look at security very differently than you look at it traditionally,” in part because of the way they handle data analytics and provide for machine learning.
“Does it mean that we should forget all those things that you learned about best practices and defense in depth and firewalls and multi-factor authentication? Absolutely not,” Adams said. “What it means is that there is a whole new set of tools that can be applied on top of those, that can give you even more information.”
Those tools — like automation and machine learning — can even be applied from the cloud down to existing on-premises infrastructure, the panelists noted.
Cavallo said his agency isn’t looking back. “Don’t be afraid of it,” he said. “SBA today is one hundred times more secure than it was six months ago.”
Other findings that stood out included responses to a question about agencies’ relationship with the Federal Risk and Authorization Management Program, or FedRAMP, which certifies federal cloud service providers (CSPs). The Ponemon Institute study asked IT professionals “what percent of cloud service providers used within your agency are FedRAMP authorized,” and the range of answers was quite wide: Twelve percent said less than 10 percent of their CSPs go through FedRAMP, and 9 percent said more than 90 percent do.
The panelists noted that some of the disparity could be related to what actually fits the definition of a CSP. In some cases, agencies might be using commercial, cloud-based software services that wouldn’t fall under FedRAMP, anyway.
Ponemon estimated that an average of 43 percent of cloud service providers across all respondent agencies are FedRAMP authorized.