It takes a great deal of planning to avoid the pitfalls of cloud migration. The pace of innovation, security, and, quite frankly, the technological threat is quickening. Updating legacy processes and systems has become a more immediate challenge than ever before for the federal government. As a result, agencies are investing more heavily in areas that will allow them to take full advantage of new technologies and processes in 2022 and beyond. And among the top priorities for CIOs? Cloud migration.
As they prepare to migrate to the cloud, 80% of CIOs still have not reached the level of agility and benefits they were initially aiming for. With numerous federal mandates such as the President’s EO and the Software Bill of Materials pushing agencies to the cloud, developing the institutional knowledge to get there will be critical, and knowing “how” will be essential.
IT leaders need to continue to mature their agency’s cloud strategies, ensuring that they have the right organizational design, skill development, and processes to realize value. They also need a way to address labor shortages at a particularly labor-intensive time.
Choose your cloud and tools.
Imagine that determining the tools needed for your new environment is like deciding on the exterior and interior space requirements and bells and whistles when purchasing a new refrigerator… But it may not be plug-and-play as you shift environments. For example, you may find out the space in your new refrigerator no longer accommodates your favorite pizza. Your old Brita dispenser may not fit. You may have to move some shelves around. And you’ll have to get the temperature calibrated.
The commercial cloud is similar. It provides tools to make your transition more manageable, but it’s up to you to successfully bring the capabilities, software, and strategies you need to migrate from one platform to another. The cloud is empty and counts on you to build and sustain your network environment.
So, with most cloud environments being equal in terms of big emptiness, the differentiator to focus on is the tools. Whether you choose AWS, Microsoft Azure, Google Cloud, or a hybrid or SaaS solution, determine which tools best suit your agency’s needs and work best with your system. If you need to, hire a third party for an in-depth assessment and objective insight.
The foundation you build at the outset of your cloud migration needs to be solid and strategic enough to support the challenge of migration and ongoing maintenance. And the tools and capabilities you work with in the cloud are essential to creating that foundation, establishing your Risk Management Framework (RMF), and achieving authority to operate (ATO).
Avoid pitfalls on the road to RMF.
Before deploying on-premise, remotely, or in the cloud, every operating system, device and software solution must meet Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) or CIS benchmark requirements. NIST 800-171 guides private organizations in hardening many of the same endpoints before doing business with the government. Together, these security mandates represent much of the RMF.
Traditionally, STIG/CIS/NIST compliance is a long, laborious, manual process that needs to be done for each implementation of a classified system. So, as you can imagine, tackling the STIG process across hundreds of DoD systems can be daunting. And once you come into compliance, you need to monitor your security controls constantly. In addition, your mission may evolve, and you may get new software or devices. No matter how minor the change, you need to update your security controls or suffer drift.
As MITRE reports, the number of possible controls and their relative merits “is too much for any human being” to manage. It’s not just the workforce shortage, either. It’s the density and cumbersome nature of the job. So even if you could find the people, keeping them happy for any length of time would be difficult. And if a cybersecurity workforce shortage hobbles you, your infrastructure is vulnerable to attack.
In such circumstances, automated tools are essential. Cloud automation defines the deployment and management of tasks to be automated, and cloud orchestration arranges and coordinates those defined tasks into a unified approach to accomplish intended goals. “It takes a lot of time and effort for someone to do all these scans, analyze them, and publish those results,” says Kevin Dulany, chief of the Risk Management Framework Division in the Office of the Secretary of Defense. “If we leverage automation, I can get a complete risk picture, and I can do it more often. I can get a more up-to-date picture and I can be more efficient in finding my major problems and allocating my resources.”
Start implementing a forward-thinking cyber policy now.
“Moving to the cloud is supposed to be relatively quick and easy, but addressing system security in the cloud is no faster or easier than for an on-premise environment,” explains Brian Hajost, COO of SteelCloud. He adds that, even considering the slow pace of cloud migration, whether you’re talking hundreds of systems or just a handful of applications, most still underestimate the expertise and time required. A shortage of trained personnel impacts your ability to modernize in any environment. But that shortage is even more acute in classified environments.
Automation is a powerful tool for combating the shortage of cybersecurity personnel you need to harden your systems and lock down data, but there is another benefit. When you free your people to do the things humans do best—addressing those backlogs that take critical thinking skills to complete, for example—everyone is happier, quality goes up, and people stay longer in their jobs. Now, that’s a security policy everyone can rally around!
From automating compliance to automating migration processes, it’s time to rethink your processes, retrain your people, and embrace time and money savings where you can get them. We no longer have the luxury of an adequate workforce. Cybersecurity compliance and IT modernization require automation to be feasible and effective. The longer you wait, the further behind you will get.