By Felipe Fernandez
For the past seven years, the U.S. Office of Management and Budget has been pushing Federal agencies to move much of their computing workloads to the cloud. And yet, progress has been slow, with only about $2 billion of the Federal government’s $80 billion in annual IT spending going to cloud services as of 2016.
Years after OMB began its cloud push, Federal agencies still face significant challenges, with security identified as one of the main issues holding back cloud adoption. In fact, the number one concern of Federal IT managers is how to expand their security measures and policies to cover the cloud, according to a recent survey by MeriTalk.
In the meantime, pressure on agencies to move to the cloud isn’t going away. The U.S. Department of Homeland Security’s new Continuous Diagnostics and Mitigation cybersecurity program is pushing small agencies to use cloud-based security tools. Cloud security doesn’t get the highest marks from the Federal IT managers who responded to the MeriTalk survey, sponsored by Fortinet. A minority of them rate their security as excellent in cloud environments: only 35 percent for the private cloud, 21 percent for the public cloud, and 27 percent when moving between physical and virtual environments in a hybrid cloud arrangement.
Even so, many of the survey respondents see a mix of physical infrastructure and cloud computing in their future. The ideal mix, they said, includes 39 percent physical servers and 61 percent cloud.
But even as Federal IT managers seek to deploy the hybrid cloud, they feel unprepared, with security, control and compliance again coming to the forefront. A big part of the cloud adoption woes is the complexity of Federal IT environments. Eighty-five percent of the surveyed Federal IT managers described their current infrastructure as “complex,” and only 34 percent said they have a high level of visibility into their IT environment.
This complexity and lack of visibility put agencies at significant risk of a security breach, the survey respondents said. More than half agreed that the complexity adds to the risk, and nearly the same percentage said the same thing about the lack of visibility.
Still, many Federal IT managers see value in a move to the cloud, including a significant security benefit. Seven out of ten said they believe a successful hybrid cloud adoption will reduce their agencies’ security spending, and 69 percent said they believe it will improve their overall security posture.
Even with the challenges of complexity and a lack of visibility, there is a path forward to the cloud.
Take it slow: While there’s mounting pressure for agencies to move IT workloads to the cloud, that doesn’t mean it needs to be an all-or-nothing transition. Agencies can – and probably should – make a slow transition to the cloud by running a few select workloads in a cloud service. By moving slowly, agencies can test the applications on a cloud service while ensuring the proper security is in place.
Plan the journey to the cloud, don’t just jump in.
Some security products are now designed to enable a strategic migration to the cloud.
Careful planning and use of security tools that enforce security rules across hybrid cloud environments allow agencies to avoid taking an all-at-once or an all-or-nothing approach to migrations.
Increase the visibility first: Before moving to the cloud, agencies should get their IT houses in order. With major concerns about visibility voiced by survey respondents, one of the first steps should be to increase the visibility into their applications, using a security information and event management (SIEM) or similar product.
There’s an old saying, “If it can’t be measured, it can’t be managed,” and software security isn’t exempt from the rule. Agencies worried about visibility should look for ways to measure their critical assets.
If agencies have the visibility they need, they can keep a close eye on their workloads as they move to the cloud. And if the cloud transition is done right, agencies can increase visibility into their IT infrastructure through new tools available in the cloud. Federal agencies can move into hybrid cloud environments with broad visibility and granular controls that weren’t available with traditionally isolated security resources.
Use a trusted partner: As more companies move workloads to the cloud, third-party consultants and technology vendors can assist with the transition. Cloud providers have certified partners, including security vendors, that specialize in assisting with the transition.
It’s important for agencies to contract the right folks to get the job done.
Security is an important element of this transition, and a trusted security partner can help agencies establish effective security integration between their physical and virtual environments.
About the Author
Felipe Fernandez is a new guest writer to CDM and is a Systems Engineering Manager at Fortinet. In addition to his role as a team manager, Felipe also oversees the US Federal product strategy and certification process at Fortinet, such as the UC APL. Felipe has over 16 years’ experience deploying, operating, and auditing security solutions, the majority of which were spent at the DoD in various roles both CONUS and abroad. Visit him online at http://www.fortinet.com