Cost savings are another important driver. Crosland and Wilshusen cited a GAO report, which stated 16 agencies that increased cloud spending since 2015 saw a total corresponding savings of hundreds of millions of dollars as of April 2019 (as well as other benefits, such as improved customer service).
And, like many organizations, federal agencies are chasing perhaps the most celebrated benefit of the public cloud: increased agility and flexibility.
“If demand for services increases or spikes, it is easy for agencies to try to obtain those increased services from the cloud service provider,” Wilshusen noted. “And when the demand doesn't exist, it is easy to reduce that level of service.”
Although public cloud data no longer resides within an agency’s physical security perimeter, Wilshusen noted, many key security issues and considerations remain the same.
“Agencies have to assess and manage the risk of their IT environment, and with cloud computing, they also have to assess and manage the risks associated with the cloud environment,” he said. “And that includes identifying threats, as well as the sufficiency of the security controls that are implemented by the cloud provider.”
Additionally, agencies must define statutory and regulatory data safety rules, monitor the performance of cloud service providers and ensure that cloud providers’ data portability and deletion policies meet their requirements.
Addressing Cloud Security Challenges
Federal agencies have a number of resources to lean on when it comes to cloud security. Wilshusen explained that the National Institute of Standards and Technology (NIST) collaborates with various agencies to identify and prioritize data security standards and provide guidance on how to protect federal information.
The General Services Administration (GSA) is also a key resource, developing government-wide procurement vehicles and cloud-based solutions. And the Department of Homeland Security (DHS) is responsible for monitoring operational security across the federal government.
Several of these agencies came together with the Department of Defense to develop FedRAMP, a standardized approach to assessing and monitoring the security controls of cloud services, Crosland noted.
Ultimately, though, agencies will also need to implement tools to help them manage cloud sprawl, monitor cloud environments and detect security vulnerabilities in real-time. Fallon noted that software-as-a-service (SaaS) tools from vendors like Nutanix can help federal agencies to automate security and compliance tasks.
Ideally, Fallon said, such SaaS tools will feature the following:
Rapid Deployment — Because SaaS tools are hosted in the cloud, themselves, they can be deployed practically instantly, Fallon explained. “You don’t want to have to set up a whole back-end infrastructure just for your monitoring tools,” he said. “You don't want to create more work for your organization.”
Holistic Security & Compliance — The cloud, Fallon noted, is supposed to make things simpler for agencies — and cloud security tools should be no exception. “We need to standardize governance and operations across cloud environments,” he said. “Agencies need to be able to monitor those environments, continuously and in real-time. And they require tools that span from on-premise out to the public cloud in a hybrid architecture.”
Risk-Free Trial — Because SaaS security tools don’t require supporting infrastructure, Nutanix can offer them to agencies for free on a trial basis, Fallon said. “The beauty of a SaaS delivery platform is there is nothing to download and nothing to set up. So we offer a free trial where you can try it out online. You can actually plug in your public cloud credentials and get full support of not only security controls but also cost controls.”
Automated Reporting & Remediation — Cloud security tools need to adapt to changing environments – not only detecting threats but also remediating vulnerabilities in real-time, with a heavy reliance on automation. “Agencies need to be able to report an incident and then remediate it,” Fallon said. “And they need to be able to do that in as few manual clicks as possible.”
“Security is a shared responsibility between cloud provider and Federal agencies,” said Fallon. “Utilization of the correct tool set can decrease the security compliance and monitoring burden for the agency.”