Keeping Federal Agencies Safe and Sound in the Cloud

The Obama Administration has made both cloud-based technology and cybersecurity top priorities, so one might be tempted to assume that federal agencies are well protected against cyber-attack even as they embrace the cloud.

But the recent data breach at the federal Office of Personnel Management (OPM) illustrated how reckless such an assumption can be, as nearly 25 million current and former federal employees and government contractors had their personal information stolen. The breach, the largest to hit the government, was so damaging that even fingerprint records on thousands of past and present workers were compromised, along with their full personally identifiably information.

The OPM breach is obviously not an isolated case, and it highlights the challenge for any organization that chooses to move data and applications to the cloud – how to keep them all safe when you’re no longer watching over them.

With that event very much in mind, two top executives from VMware addressed Congress over the past two weeks to stress the need for better cybersecurity policies and practices, especially as more government agencies aggressively take their operations to the cloud. The two appearances were well timed, as we headed into October, National Cyber Security Awareness Month.

Alan Boissy, program director, Government Cloud Services at VMware, appeared on Sept. 22 before the U.S. House Committee on Oversight and Government Reform, Subcommittee on Information Technology to address best practices as the federal government looks to move more to the cloud.

Just a week later, Dominick (Dom) Delfino, vice president of World Wide Systems Engineering, Network and Security Business at VMware delivered his perspective and advice on cybersecurity for the Department of Defense in remarks to the U.S. House Committee on Armed Services.

The Leading Player in Federal Cloud Computing

As the fourth largest software company in the world, Boissy noted that VMware serves all sectors of the U.S. federal government, civilian agencies, Department of Defense, the Intelligence Community and state and local governments. Most importantly, VMware’s virtualization technology is used “in over 90 percent of the government’s data centers and is the most widely deployed foundation for cloud computing.”

The federal government has several mandates that dictate movement to the cloud, as agencies look to work faster and cheaper. With federal IT budgets flat or declining, “the cloud promises to make IT more adaptive, cost effective and accommodating in providing IT services,” Boissy noted.

But there are several challenges that plague government agencies when it comes to cloud adoption, Boissy noted:

  • The ability of many cloud vendors to meet federal security requirements
  • Competition that organizations and vendors face in acquiring the IT security talent and expertise they need
  • Platforms infrastructures used by many cloud service providers that are incompatible with many legacy systems
  • Cultural barriers that still exist at many agencies that inhibit a move to the cloud
  • The challenge of future-proofing data portability and interoperability should an agency change a cloud vendor

Federal Cloud Migration Best Practices

Boissy offered Congressional leaders tips on what VMware considers to be cloud migration best practices that federal agencies should adopt:

  • Assessing first which applications should move to the cloud and basing those decisions on business needs not technology needs
  • The need for cloud platforms “to support diversity in how services are developed, provisioned, consumed and architected across infrastructures”
  • Defining multiple internal parties to involve in determining a cloud strategy since cloud migration changes how the agency conducts its business
  • A hybrid cloud approach to cloud migration, in which agencies combine onsite data storage with offsite cloud storage, with the ability to use a common set of tools to manage both
  • Strict adoption of and adherence to security best practices, since concerns over security remain the number one barrier to cloud adoption today.

Finally, Boissy stressed that “Whether an agency builds out a private cloud or moves directly to a public hybrid cloud, it should be able to run any application or workload, on any operating system, anywhere it best serves its needs. Agencies should be able to leverage the same tools they currently use to manage data and applications, same network configurations and constructs that allow users to access the various networks they need to access the same processes, such as security monitoring and system maintenance.”

Equipping Cyber Warriors for Security Battle

While Boissy advised the Congressional panel on best practices for cloud adoption, Delfino gave his option on the Department of Defense’s new cyber strategy.

He called the DoD’s Cyber Strategy a “good first step towards improving the department’s cyber posture.”

The first goal should be to greatly expand the government’s ranks of IT security experts, or “cyber warriors” as he called them, and to provide them with new tools and technologies to improve cyber defense and threat detection.

The second goal is to go beyond the current “perimeter defense” mentality, an approach which Delfino says is not working.

“The attackers deal strictly with software that is being written, updated, and refined on a daily basis, and this fact puts our agencies at a tactical disadvantage on a daily basis,” Delfino warned. “Government networks that rely on a traditional hardware-based perimeter security strategy will never be able to keep pace with an ever-changing software-defined world.”

Finally, Delfino says the DoD should be prepared to defend against “disruptive or destructive cyberattacks of significant consequence.”

To do this, VMware recommends two approaches:

  1. Automate security features for quicker response and employ additional inside the network measures (such as Zero Trust models)
  2. Use predictive methods to quantify attacks and likely actions based on their early stage (a cyber kill chain)

By empowering “cyber warriors” with the right IT security tools, they will be “more effective at preventing serious consequences by detecting and stopping these early stage attacks or diverting them to specialists for offensive actions.”