Federal Agencies Square with Cloud Security

Like organizations across virtually all sectors, federal agencies increasingly rely on public cloud resources to improve IT resource utilization, consolidate data centers and rapidly scale resources up and down to meet dynamic demand patterns. And federal agencies have the added incentive of federal policies that encourage expanded use of the public cloud.

Trust in the cloud has come a long way in just a few short years. In the early days of the public cloud, it was common for agencies and other organizations to immediately reject the idea of placing workloads outside of their own data centers, for fear that cloud vendors would put their sensitive data at risk. Since then, though, public cloud vendors have proven themselves through years of providing largely incident-free service and earning a raft of security and compliance certifications, and many of these initial worries have been shown to be overblown.

But that doesn’t mean federal agencies can turn a blind eye toward cloud security, according to Gregory Wilshusen, director of information security issues at the Government Accountability Office (GAO).

“As more and more federal agencies go to the cloud to provide services, it is really important that agencies take care in assuring that the information they give to cloud service providers is adequately protected,” said Wilshusen in a recent webinar titled Automating Cloud Security: Eliminating Human Error and Protecting Data.

“Just because our data is out of sight — and perhaps security is out of sight, too — we sometimes think it is the responsibility of the cloud service provider. It isn't. It is really a federal agency’s responsibility to protect their data.”

Wilshusen was joined in the webinar by Larry Crosland, an assistant director on the IT and cybersecurity team at GAO, along with Dan Fallon, Senior Director of Systems Engineering for the federal team at Nutanix. The trio discussed what’s driving federal agencies to the cloud, the security risks posed by cloud environments and tools to help agencies keep their data secure.

Cloud Drivers & Benefits

“There are a number of federal policy drivers” pushing agencies to the public cloud, Crosland noted. These include the Office of Management and Budget’s (OMB) “cloud-first” policy, which requires agencies to consider cloud services when sourcing new IT investments.

These policies aren’t merely bureaucratic mandates but were implemented to encourage agencies to take advantage of the tangible benefits of migrating resources to the cloud.

“One, of course, is just to obtain some greater efficiency in managing their IT resources,” said Wilshusen. “Often, federal agencies have a lot of IT assets that are underutilized.”

Pushing resources to the public cloud can also help to accelerate data center consolidation, a major push in the federal sector in recent years.

Cost savings are another important driver. Crosland and Wilshusen cited a GAO report, which stated 16 agencies that increased cloud spending since 2015 saw a total corresponding savings of hundreds of millions of dollars as of April 2019 (as well as other benefits, such as improved customer service).

And, like many organizations, federal agencies are chasing perhaps the most celebrated benefit of the public cloud: increased agility and flexibility.

“If demand for services increases or spikes, it is easy for agencies to try to obtain those increased services from the cloud service provider,” Wilshusen noted. “And when the demand doesn't exist, it is easy to reduce that level of service.”

Security Concerns

Although public cloud data no longer resides within an agency’s physical security perimeter, Wilshusen noted, many key security issues and considerations remain the same.

“Agencies have to assess and manage the risk of their IT environment, and with cloud computing, they also have to assess and manage the risks associated with the cloud environment,” he said. “And that includes identifying threats, as well as the sufficiency of the security controls that are implemented by the cloud provider.”

Additionally, agencies must define statutory and regulatory data safety rules, monitor the performance of cloud service providers and ensure that cloud providers’ data portability and deletion policies meet their requirements.

Addressing Cloud Security Challenges

Federal agencies have a number of resources to lean on when it comes to cloud security. Wilshusen explained that the National Institute of Standards and Technology (NIST) collaborates with various agencies to identify and prioritize data security standards and provide guidance on how to protect federal information.

The General Services Administration (GSA) is also a key resource, developing government-wide procurement vehicles and cloud-based solutions. And the Department of Homeland Security (DHS) is responsible for monitoring operational security across the federal government.

Several of these agencies came together with the Department of Defense to develop FedRAMP, a standardized approach to assessing and monitoring the security controls of cloud services, Crosland noted.

Ultimately, though, agencies will also need to implement tools to help them manage cloud sprawl, monitor cloud environments and detect security vulnerabilities in real-time. Fallon noted that software-as-a-service (SaaS) tools from vendors like Nutanix can help federal agencies to automate security and compliance tasks.

Ideally, Fallon said, such SaaS tools will feature the following:

Rapid Deployment — Because SaaS tools are hosted in the cloud, themselves, they can be deployed practically instantly, Fallon explained. “You don’t want to have to set up a whole back-end infrastructure just for your monitoring tools,” he said. “You don't want to create more work for your organization.”

Holistic Security & Compliance — The cloud, Fallon noted, is supposed to make things simpler for agencies — and cloud security tools should be no exception. “We need to standardize governance and operations across cloud environments,” he said. “Agencies need to be able to monitor those environments, continuously and in real-time. And they require tools that span from on-premise out to the public cloud in a hybrid architecture.”

Risk-Free Trial — Because SaaS security tools don’t require supporting infrastructure, Nutanix can offer them to agencies for free on a trial basis, Fallon said. “The beauty of a SaaS delivery platform is there is nothing to download and nothing to set up. So we offer a free trial where you can try it out online. You can actually plug in your public cloud credentials and get full support of not only security controls but also cost controls.” 

Automated Reporting & Remediation — Cloud security tools need to adapt to changing environments – not only detecting threats but also remediating vulnerabilities in real-time, with a heavy reliance on automation. “Agencies need to be able to report an incident and then remediate it,” Fallon said. “And they need to be able to do that in as few manual clicks as possible.”

“Security is a shared responsibility between cloud provider and Federal agencies,” said Fallon. “Utilization of the correct tool set can decrease the security compliance and monitoring burden for the agency.”

Calvin Hennick is a contributing writer. His work appears in BizTech, Engineering Inc., The Boston Globe Magazine and elsewhere. He is also the author of Once More to the Rodeo: A Memoir. Follow him on Twitter @CalvinHennick.

© 2020 Nutanix, Inc. All rights reserved. For additional legal information, please go here.