Moving to cloud-based systems has become an inevitable step for Federal agencies and maintaining a secure cloud environment is paramount – especially for the military services and other defense organizations.
During MeriTalk’s DoD ICAM and IL5: Mission-Critical Cloud Security webinar on June 29, Federal and industry cloud technology experts explored the potential risks associated with unprotected and unsecured cloud environments, including the potential consequences if mission-critical systems or data are compromised.
The Department of Defense (DoD) has fully embraced cloud systems as vital to the Pentagon’s core missions. During fiscal year (FY) 2022 the DoD requested $1.1 billion for cloud computing services and migration and that number continues to increase today – for FY 2024 the department has requested $1.2 billion to enhance cloud computing efforts with a goal of eliminating obsolete IT infrastructure and improving end-user experience.
“We have millions of users, the Air Force alone operates in 180 different locations in several different jurisdictions and countries, and having cloud means that we have the survivability, the resilience, and the flexibility to rapidly iterate to progress and develop,” said Jason Bonci, chief technology officer for the Department of the Air Force.
However, in the rush to try to work with cloud providers and deploy multiple platforms, Federal agencies can’t forget the need for implementing security controls into their cloud environment.
“There is this rush to try to use multiple cloud providers and multiple platforms,” Bonci said. “What about security controls? What about thinking about the hardware and the trust that’s built there to make sure that someone doesn’t come in from the back end,” he asked. “I don’t see a lot of other agencies focusing on that,”
For the DoD, cloud security is especially important for the Department’s IL5 environment, which is the highest level of security controls required for unclassified data deemed mission critical.
“There’s been a ton of work going on at the Air Force with really attesting to the workloads and making sure they’re not being qualified and building a blast radius that no matter where that moves, you’ve been built into a protected box,” Bonci said. He added it continues to be a challenge to maintain flexibility and ease of integration while simultaneously having those controls for that IL5 environment.
Matt Topper, president and Solutions Catalyst at UberEther, added that another area of concern in securing the cloud is “understanding the sheer volume of data and empowering an operator to understand what’s going on.” The silver lining, he said, is the ongoing technological progress that happens every day, giving agencies the ability to understand the data they are securing in the cloud.
“As we learn more about best practices and clouds as the industry matures, we do see the best ways for agencies to manage a very sophisticated model of the cloud,” he said.
Topper added that agencies also “need to be laser-focused on training in automation and increasing the capabilities of their workforce and understanding the complexity of the cloud environment because operating is going to take both [industry and government].”
Bryan Rosensteel, the U.S. Federal CTO at Ping Identity, explained that another challenge outside of cybersecurity that agencies may face has to do with interoperability.
He explained that when agencies ran all their applications on-prem they could customize an application if the commercial solutions they deployed failed to meet all their needs. However, in deploying cloud services, agencies could potentially give up that customization.
According to Rosensteel, the cloud is a multi-tenant infrastructure with general settings, which could mean that agencies lack full flexibility to go in and tweak and fully customize for what they need.
“That’s something you could be losing. And I think that’s an area that as we go to adopt as quickly as possible for all the benefits that we get from the cloud, we must be careful and mindful of that,” Rosensteel said.
“The last thing we should be doing is architecting ourselves into something more rigid and less flexible, that we may end up compromising on our ability to deliver what we need to for the mission for the sake of simplicity of deployment and administration,” he said.
Register today to watch the full webinar on demand.