As the federal government continues to ride the waves of digital transformation and network modernization, many agencies have decided to migrate their applications, workloads, and services, which have traditionally been managed on-prem, to the commercial cloud. But agencies have not taken the move to the cloud lightly, as such IT migrations can be quite costly and time-consuming.
So, what are the benefits of commercial cloud? How does it outperform the legacy processes and systems federal agencies have employed in the past? What will it require for government agencies to begin their transition to cloud services? And are there solutions available to the federal government that can help facilitate application re-authorizations and ensure that agencies are STIG compliant?
To answer these questions and to learn how the cloud is bolstering federal cybersecurity postures, the GovCyberHub sat down with the COO of one of the top cloud security solutions providers, SteelCloud’s Brian Hajost.
Here is what he had to say:
GovCyberHub (GCH): What is the commercial cloud? And how is it different from the legacy systems and processes that federal government agencies have adopted in the past?
Brian Hajost: In the simplest sense, the commercial cloud is basically a shared datacenter, or shared datacenters. What distinguishes the commercial cloud from a typical shared data center is that it is “software-driven.” Since users of the commercial cloud do not have physical access to the facility, everything from standing up new workloads to engaging new services is done through software. Typically, a commercial cloud will have a comprehensive set of security and operational capabilities that the user can select/control.
GCH: What benefits does the cloud deliver to government agencies? How can the cloud advance agency capabilities, missions, and goals?
Brian Hajost: Although there are many more, below are the four primary advantages to highlight that the commercial cloud provides to government users.
The first, and many times the most overlooked, is acquisition simplicity. The government organization can potentially have a single contract that could encompass all the cloud capabilities that they consume. This reduces the acquisition lead-time and turnaround substantially.
The second is agility. Everything the organization needs has already been implemented/available. This gives the user the ability to add new workloads or services within minutes without the need to physically buy or install new capabilities. Typically referred to as the “elastic” nature of the commercial cloud, users can stand up and tear down workloads automatically to meet their immediate computing needs.
The third advantage is security. Commercial cloud providers have invested in the creation and testing of superior secure computing environments. The users take advantage of tremendous investments in security without the burden of creating and testing them.
The fourth is cost savings. Savings are achieved through two primary advantages of the cloud. The first is the burden-sharing of expenses by a broad group of cloud customers, making the cost per compute cycle less for each. Just as important is the elastic nature of the commercial cloud, where the user only pays for what they need in the minute, without the need to fund over-capacity continuously.
GCH: Why would federal agencies be hesitant to migrate to the commercial cloud?
Brian Hajost: Any IT migration is a lot of work and expense. Moving to the commercial cloud requires a significant expense in the current budget year for benefits that will accrue to the government customer in future years. The cloud is different, and taking full advantage of its benefits will require a different skill set than a traditional on-premise environment. Customers will also have to go through a new accreditation for the cloud formation, the workloads, and applications needed for their unique cloud implementation.
GCH: Before making the move to the cloud, government agencies must still go through the Risk Management Framework (RMF) process to achieve authority to operate (ATO) in the cloud, which can include cumbersome, manual processes to complete. Are there solutions or products that can automate and speed up these time-consuming processes?
Brian Hajost: As mentioned above, customers will have to re-accredit/re-authorize their applications in the cloud. Since the commercial cloud starts as a “greenfield,” customers have the ability to innovate, automate, and improve their compliance operations.
One of the huge burdens during the RMF process, and more importantly in ongoing production operations, is STIG compliance. Automating this function can shorten the authorization process by months with the added advantage of creating tight compliance automation once applications are authorized. SteelCloud’s ConfigOS software has been helping government customers and their mission partners automate STIG compliance in the cloud for more than a decade.
GCH: Implementing zero trust cybersecurity frameworks is quickly becoming the new precedent for government agency networks. How do zero trust architectures and the cloud affect and/or complement each other? Is it easier or more difficult for agencies to implement both?
Brian Hajost: Clearly, zero trust will be easier to implement in a pure cloud environment. But the reality is every organization will operate in a hybrid environment for the foreseeable future. Therefore, users will have to deal with the complexities of implementing zero trust in a combination of on-prem and cloud infrastructures. The other complexity that gets thrown into the zero trust mix is the fact that over the last three years, workforces have become more mobile, working outside of government-controlled facilities. This adds another dimension to zero trust implementation complexity.
GCH: For government agencies that are just beginning their cloud journey, what advice would you impart when it pertains to preparing their networks for cloud adoption? And what common pitfalls should they look out for and avoid?
Brian Hajost: Agencies must first define specific, detailed outcomes and benefits of moving to the cloud for an application and/or to the affected group of users. They also need to ensure that there is the proper budget support to build a team of all the requisite skill sets that will be necessary. And lastly, they should create a realistic project plan and timeline, considering appropriate scheduling risks.
For more considerations, check out this “Making Your Move to the Commercial Cloud” eBook to learn how to secure systems at cloud speed.