Most federal government agencies use on-premises Active Directory (AD) as the primary directory service for their IT infrastructure. But as the federal government encourages agencies to follow aspirational IT initiatives such as the Cloud Smart and Cloud First strategies toward modernized operating environments, organizations are beginning to see both the benefits and the challenges that accompany a full migration to the cloud.
For most of the tenured federal IT workforce, working in on-prem AD environments has been the norm for decades, which has made a slower transition to the cloud necessary. As a result, federal agencies are shifting from solely on-prem to hybrid environments that also leverage cloud technologies. In contrast, most of the new IT hires now entering the federal workforce face an AD skills gap, because they have been educated and trained primarily in cloud-only Azure environments. This has produced a critical need for agencies to train new IT hires on legacy federal AD systems.
To learn more about this growing skills gap between AD and Azure, how federal agencies can prepare tenured workforces for Azure while bridging the legacy gap for the new IT generation, and how much progress the federal government has actually made in its transition to the cloud, the GovCybersecurityHub sat down with Quest Software’s Chris Roberts.
Here is what he had to say:
GovCybersecurityHub (GCH): The Cloud First strategy was released over a decade ago, but federal agencies have been slow to make the transition from on-prem operating environments to the cloud. Why is this? What holds them back from fully embracing the cloud?
Chris Roberts: First let’s look at the desired outcomes for the Cloud First strategy in the first place, which were things like cost reduction, improving security, increasing agility, and user experiences. Keeping those broad goals in mind, let’s look at what a cloud strategy would mean for a federal government agency. Given those goals, an all-or-nothing cloud strategy means breaking a lot of glass along the way, hence the reality of the rise of hybrid environments to meet those aspirations from Cloud First.
The first waves of cloud were low-hanging applications at the user level. So think user experience improvement where you had a wave of user adoption for Office 365, Google Suite, or even Amazon WorkSpaces. Agencies followed up with the obvious lift-and-shift candidates like file, web, and database servers, because you had a one-per-one operating platform in the cloud for those solutions.
Then there was the re-platforming of more complex enterprise and mission systems that leverage industry service layers, like Oracle, ERP, SAP, and other complex platforms. Once they were supported in the cloud, that migration got easier. By no means was it complete, but it did get a little better.
We also have a breadth of applications or systems that use those old-fashioned, proven, and robust APIs for on-premise infrastructure. For example, that would be anything that runs on a Windows server or Linux box, and even operational technology. And it’s not just IoT, but also those specialized missions that translate to dependencies which will stretch beyond any fixed milestone for full cloud adoption.
The salient factor to me is the desired outcome of Cloud First. Can it be achieved by embracing a best-of-breed or model approach that preserves the mission, keeps the agency ready, but also allows them to adopt cloud-native operations while simultaneously preserving that current on-prem infrastructure investment?
I believe the Cloud First strategy was an aspiration, but in reality, when boots hit the ground, you still have a lot of infrastructure that’s dependent on on-prem resources, and to move those to the cloud will be either prohibitively expensive, or break too much glass. That will cause too much of a disruption to the mission within an agency.
GCH: One challenge that federal agencies are facing is getting their tenured IT workforces to shift away from legacy AD and move towards Azure. What advice would you give to federal IT department heads who need help in cultivating a cloud-centric IT culture?
Chris Roberts: Look no further than the end-user experience for most of the planet today, which are cloud-based applications, systems, and services. No one hosts an email, web, or application server in their garage. Nor do they store all those photos they take on their phones on local drives either. We have become used to service availability on-demand in every facet of our personal lives. Imagine pulling out a paper map in the car to plan a route. I’m glad I know how to do it, but I wouldn’t want to do it in traffic. We have voice assistants and applications that automate that for us.
Now apply the same level of expectations to those in IT who straddle both the modern cloud world and legacy information architectures, tools, and processes. Successful agencies find ways to incorporate those modern applications on devices while leveraging cloud services. AD will be with us for some time to come, so the best approach is to enable hybrid capabilities for security, management, auditing, logging, protection, and recovery workflows that use these more modern platforms, but still give that end-user or the IT administrator a way to manage the existing infrastructure that they have.
For instance, you can use cloud-based multi-factor authentication (MFA) in conjunction with AD. You can use Azure AD as a secondary authentication option for remote users, which most of us now have gotten used to while working remotely. But to me, in truth, people fear the unknown. Making it easy for them to get exposure to our services via educational opportunities, and actually providing career advancement for embracing this brave new world, will go a long way to getting around the culture issues. Because until people embrace it personally at work, not just at home, they will start to see the benefits of cloud technologies and how it can help them enable better sets of IT services within that agency.
GCH: Realistically, it seems that the federal government will be operating in a hybrid, on-prem/cloud environment until the cloud is fully embraced. To pose the previous question in reverse: pertaining to the next generation of new federal IT hires who have been solely trained in Azure, how can IT departments successfully bridge their new hires’ Azure/on-prem AD skills gap in order for them to operate successfully in hybrid environments?
Chris Roberts: This can definitely be a challenge as a fully cloud-aware generation is currently entering the workforce. I’m witnessing this personally, as I have a generation that’s coming up behind me in my home that was raised entirely on the internet. They have had access to a fast and capable internet in terms of speed and services. So, expecting someone with user experiences like that on robust mobile apps like iOS and Android, to now manage physical machines with ageing user interfaces is a recipe for trouble. It is critical that there be some pre-thought to how agencies segment and skill those individuals into that legacy infrastructure.
That skills class, as I call it, is a potential issue for a lot of IT shops across the government. Embracing new options for managing existing infrastructure is a good start. I would suggest starting to use more web-based consoles to manage legacy resources, such as storage, networking, provision, etc. I would also look at using things like low code or no code environments on Microsoft Power Apps and other platforms to create new mobile or web application experiences to migrate older UIs to improve that user experience.
Because I believe that agencies are going to have this hybrid environment, they’re going to have people coming into the workforce who really have a totally different experience about the internet. This new wave in the workforce is going to be fully expecting an automated and well-orchestrated environment for them to work in. Not having extensive training across all available personnel, both for on-premise and potential cloud-based services, would be a mistake. Federal agencies are going to need a long time to ramp people who are coming in, but also ramp those who are already in the environment, to actually collaborate and be able to sync together to actually create a cohesive team to deliver on cloud services.
GCH: For the federal agencies who have embraced cloud-based services like Azure, what benefits are they seeing? What advantages do they get from Azure that they cannot get from their legacy AD?
Chris Roberts: Cloud adoption offers a unique opportunity to experience IT operations securely and at scale. This was difficult to do in a pure on-premise environment, as a number of disparate systems, interfaces, and even geographies made that a challenge. Cloud offers opportunities to automate in so many aspects of systems, applications, and service management.
The ability to instrument in code can be automated using the console and the command line interfaces of the Azure platform. All that needs to happen when a user or endpoint is provisioned can be automated. With cloud, you have a standardized central console to manage every aspect of what we in zero trust call potential attack surfaces. Full governance becomes easier to attain since information resides in the cloud, thus simplifying not just the management, but also securing all that information across your entire cloud infrastructure.
GCH: What solutions and products are available to federal government agencies that could make their transitions to Azure happen smoothly?
Chris Roberts: Keeping in mind that identity represents the uniqueness of every person, location, or device accessing federal information networks today, Quest Software develops some of the world’s most comprehensive sets of software solutions that deliver on zero trust.
Active Directory is probably the most recognized trusted source for identities, with greater than 90 percent of federal agencies using it as their primary method for providing reliable authentication and authorization. Quest Software secures Active Directory against unwanted intrusions. We provide advanced solutions for managing those privileged access points, and we offer protections toward fully recovering Active Directory in the event of failures.
This speaks to the robustness of delivering on a zero trust framework. We provide that state-of-the-art tooling also for governance in complex AD environments. We’ve proven this out by being an award-winning provider for enterprise directory service management solutions. And I believe we are uniquely qualified to assist federal agencies dependent on identity security to protect their missions, in a world of both persistent and advanced threats to stop it.