Government officials nationwide had to accelerate modernization initiatives to ensure that teleworking employees could access networks and data from remote locations. For many agencies, that meant a higher reliance on cloud technology and a possible expansion of their cybersecurity vulnerabilities in an environment already attractive to hackers. In response to the security challenges raised by the cloud, the federal government has provided myriad foundational documents, guidelines and strategies to help agencies create a strong security posture, including the Cloud Smart strategy and Federal Risk and Authorization Management Program (FedRAMP). Cloud technology has a crucial role to play in agencies’ ability to modernize IT systems and take advantage of the latest technological innovations. Given this importance, cloud adoption must keep pace with security efforts. Read the latest insights from industry thought leaders in government cloud security and FedRAMP in Carahsoft’s Innovation in Government® report.
“The emphasis on user-centered design is changing the way applications are created. In the past, many government applications were built from the perspective of the agency rather than from the perspective of the end user. The flexible, innovative nature of cloud technology makes it easier for agencies to improve the efficacy of their applications and what they ultimately deliver. In addition, cloud technologies can help agencies start getting a 360-degree view of how they interact with citizens, business partners and other agencies and even begin personalizing those experiences. In addition, software that manages, authenticates and verifies people’s credentials can ensure privacy while streamlining the customer experience. IDEA codifies the use of secure credentials across platforms and therefore will accelerate the use of trusted credentials in multiple environments so that people will be even more willing to conduct online transactions with the government.”
Read more insights from Acquia’s Vice President of Federal Sector, Peter Durand.
“The coronavirus pandemic has underscored the government’s need to offer a secure cloud environment that allows employees to access their data and applications anywhere, anytime and at virtually infinite scale. Many agencies found themselves unprepared to support the sudden move to telework in response to the pandemic. Some didn’t have enough VPNs or smart-card readers for their employees’ remote devices, for example. Google Cloud customers that were already using G Suite or Cloud Identity were able to make the transition to telework smoothly without the need for VPNs or other special technology. That was due in part to G Suite’s reliance on a zero trust architecture, which shifts access control from the network’s perimeter to individual users and devices.”
Read more insights from Google Cloud’s Director of Federal, Shannon Sullivan.
“SASE and CNAP pull together a number of different technologies and categories. But those are point-in-time definitions. Technologies evolve and their functions change over time, so rather than think about what category of product they need, agencies should focus on what they’re trying to accomplish and the business outcomes they want to achieve. Agencies should look for a platform that was built natively in the cloud. It should apply persistent protection to sensitive information no matter where it goes; offer complete visibility into data, context and user behavior across the entire environment; and take real-time action to correct policy violations and stop security threats.”
Read more insights from McAfee’s Senior Vice President of the Cloud Security Business Unit, Rajiv Gupta.
“Moving to the cloud requires a considerable level of effort and expense. Ensuring the security of applications or services running in a cloud adds another layer of complexity. When choosing a cloud service provider, organizations need to understand what security controls they will effectively inherit from that provider and what controls they will have to build and deploy on their own. For government agencies, FedRAMP provides a host of security levels and a robust number of security controls in a well-documented package, but Defense Department agencies also need to understand if they have any additional impact-level requirements for their applications and mission-critical data. As mission partners move to the cloud, they need to make sure that approved cloud providers can meet those baseline security and impact-level requirements.”
Read more insights from GDIT’s milCloud® 2.0 Cloud Services Portfolio Lead, Jeffrey Phelan.
“Under TIC 3.0, agencies can still use network proxies, cloud access security brokers, and security information and event management (SIEM) tools to build a strong security framework, but they don’t have to run everything through a TIC. And users don’t have to struggle with increased latency and network complexity. Instead, the end-user experience is streamlined because cloud-native tools are handling processes and workloads. Agencies end up with a clean omnichannel experience for employees because their location no longer matters. Whether they are working on an iPad at home or a desktop computer at a government office, the security level and user experience are the same.”
Read more insights from Okta’s Solution Engineer, Habib Hourani.
“Cloud is not a one-size-fits-all solution. Instead, finding the right fit depends on knowing agencies’ customers, the type of information they’re processing and their user base. Then it’s a question of aligning what the customer needs with the cloud offerings that are available. FedRAMP has been very successful at making that fit easier. The program brings transparency and consistency to the government’s use of cloud technology. Agencies know that an authorized company’s product or service has been rigorously reviewed under FedRAMP and that the government’s continuous monitoring program will provide information about how vulnerabilities are mitigated during the term of service.
Read more insights from SAP National Security Services’ Vice President and CISO, Ted Wagner.
“Smartsheet Gov enables employees to complete tasks more easily, efficiently and securely by working with systems on an automated or integrated basis. In addition, employees can access Smartsheet from wherever they are. They can share information and the results of their work via dashboards that multiple employees can view at one time and continue that seamless collaboration with their colleagues even when everyone is working from home. Smartsheet datasets are housed in a secure, FedRAMP-authorized cloud environment, which assures agencies that they can adhere to the same security protocols from outside the office. For example, if an agency needs to conduct a yearly audit that would normally take place with all the participants at a physical location, they can do the work remotely using Smartsheet Gov to run the same playbook, the same audit and the same workflow regardless of where those employees reside. Such borderless teams can reduce costs while increasing employee satisfaction and productivity.”
Read more insights from Smartsheet’s Vice President of Security, Risk and Compliance, Ignacio Martinez.
“The nature of an agency’s mission, data protection needs and other requirements suggest that multi-cloud and hybrid environments will be the norm. As we migrate to these new locales, there is an exponential deluge of data scattered across multiple systems and endpoints. It is critical that agencies have granular visibility into all the devices, workloads and applications running across these environments so that they can gain operational and security insights. The fidelity of data is another crucial factor because without it any technology has its limits and decisions may not ensure successful outcomes. To allay any fears about security, FedRAMP, a standardized framework for security assessments, was introduced. It has grown to be the gold standard for cloud security today.
Read more insights from Splunk’s Director of Industry Marketing for Public Sector and Education, Ashok Sankar.
“The Trusted Internet Connections Initiative was created in 2007 after the Office of Management and Budget conducted a study that found thousands of unprotected internet connections at agencies. Back then, we were using the internet mainly for email and web browsing, so when the government mandated that all internet traffic must go through a trusted connection, it made sense. But over the years, agencies have moved workloads to the cloud, and now employees’ activities rarely travel through an agency’s data center. As a result, TIC became a barrier to cloud adoption. The TIC 3.0 draft guidance, however, is a crucial step toward removing those obstacles.”
Read more insights from Zscaler’s Vice President of Global Government, Stephen Kovac.
Download the full Innovation in Government® report for more insights from these government cloud security thought leaders and additional industry research from FCW.