Agencies across the U.S. government are increasingly looking to migrate their data into the cloud to cut costs, but doing so has also introduced new cybersecurity challenges, federal executives said Wednesday during Verizon’s Government of the Future conference produced by FedScoop.
Each government agency is defined by a very specific mission set, explained Census Bureau IT Security Chief Tim Ruland, which naturally guides that organization’s information technology needs and procurement decisions. For example, the Defense Department employs “a hybrid cloud environment — that combines off-premise and on-premise storage solutions,” described Marianne Bailey, deputy chief information officer for cybersecurity at the Defense Department.
Numerous cloud computing products and services are purchased by the government from firms like Verizon, Amazon, Microsoft and Google. Dependent on the product, the business contract and the team managing those technologies, however, each agency holds different security and network monitoring capabilities, said Federal Aviation Administration Deputy CISO Larry Grossman.
The FAA, for example, has greater visibility into its private cloud environment than does the Health and Human Services agency, Grossman said in a discussion with Maggie Amato, deputy director of security design and innovation for HHS, during a conference panel.
“The cloud basically just translates to ‘someone else’s data center’ … and so our pain points at HHS come largely from a lack of [network] visibility and because very few people are good at code analysis,” Amato said.
While both the FAA and HHS similarly have employed cloud solutions that are compliant with the General Services Administration’s Federal Risk and Authorization Management Program, the agencies themselves have also added their own risk-based frameworks, known as ATOs, which help guide operational strategy. FedRAMP sets security standards for cloud applications used by federal agencies.
Grossman, for instance, said that the FAA has yet to migrate any sensitive or classified file systems to the cloud. That trend will probably change eventually, said FedRAMP Program Manager Claudio Belloli.
“We’ve seen it with the cloud and I think we’ll be seeing it more and more in the government, the future will likely involve agencies shifting towards managed services, rather than in-house hardware, because it provides greater budget flexibility in the longterm,” Belloli said.
Belloli added: “What I would recommend is that you [agency IT heads] read these acquisition contracts very, very carefully to know what coverage you’ll receive if a breach occurs.”