A Key Questions as U.S. Federal Government Agencies Move Further Into the Cloud: How to Manage and Secure Their New Hybrid Environments

U.S. federal government agencies today are among the biggest users of cloud services. This is a result of years of effort to shift data and workloads to the cloud in order to reduce spending and increase efficiency.

A key question is how are government entities managing and securing these new environments, and particularly hybrid cloud infrastructures that encompass both private and public cloud services as well as on-premises data centers?

MeriTalk, a public-private partnership focused on improving the outcomes of government IT, provides some insights about cloud security among government users in a recent report entitled “To Cloud or Not to Cloud? That Isn’t the Question.”

The research, based on an online survey of 150 federal IT managers familiar with their agency’s security efforts in the cloud, conducted in September 2017, certainly supports the premise that agencies are aiming to use more cloud services. The federal IT managers surveyed said their ideal infrastructure mix is 39% physical servers and 61% cloud. And a majority of the government IT professionals (70%), think that in 10 years most federal agencies will rely on hybrid cloud environments to power core applications.

Keeping data safe in the cloud is a big concern. In fact, the federal IT professionals said their number one cloud challenge is expanding security measures and policies to cover cloud environments.

The percentage of agencies IT managers who consider their security to be “excellent” in these environments is quite low: only 35% for private cloud; 21% for public cloud; and 27% for moving between physical and virtual environments.

Making matters even more challenging is the fact that IT environments are growing in complexity. A majority of the agencies (85%) describe their current infrastructure environment as “complex,” and just 34% report having a high level of visibility into that environment. They said this level of complexity (54%) and lack of visibility (53%) puts them at significant risk for a security breach.

In the long run, federal IT managers said successful hybrid cloud adoption will reduce their agency’s security spending (70%) and strengthen their agency’s overall security posture (69%).

But not all are experiencing these benefits today. Agencies report split experiences on whether hybrid cloud environments have positively or negatively impacted their visibility (40% positive versus 38% negative); complexity (35% versus 47%); and security (42% versus 42%).

There are some good practices underway at agencies and others that need to be adopted. For example, a majority of federal agencies (87%) employ formal governance policies while collaborating with other departments, agencies, and external cloud providers.

The study said agencies are almost twice as likely to say hybrid cloud adoption has made a positive impact on their agency’s infrastructure complexity if they employ two or more of the following governance strategies: Known systems of record, defined/identified data owners, quality, documented metadata, or well-understood data integration process.

In addition, agencies with “excellent” security integration between their physical and virtual environments are significantly more likely than those without to apply a third-party security fabric (46% versus 15%); integrate security into a security information and event management (SIEM) or other analytic tool (46% versus 17%), and centralize management to enable automation (46% versus 33%).

In its report, MeriTalk makes several recommendations for agencies as they continue to shift to a hybrid cloud environment.

One is to first address infrastructure complexities and visibility issues in order to experience the full benefits of a successful hybrid environment. Many agencies see hybrid cloud environments as core to their future applications, but without addressing complexity and visibility, success is not guaranteed.

Another is to leverage automation wherever possible. While agencies see securing the cloud environment as a daunting task, automation can help ease the workload. By centralizing management and considering third-party tools, the report said, agencies can improve efficiencies and outcomes.

Finally, agencies should adhere to the strong governance policies and recent federal mandates that are helping move hybrid environments in the right direction. They should lean on both of these efforts to maintain authority over physical and virtual appliances, and ensure top-down support, the report said.

It’s clear that the pressure is on for agencies to move to the cloud whenever possible. As MeriTalk noted in a December 2017 post, the White House wants to clear the way for agencies to adopt commercial cloud computing, even if that means tweaking acquisition rules. The final Federal IT Modernization plan released Dec. 13 by the White House American Technology Council (ACT) emphasizes security technology upgrades, the post said, and focuses on hastening the move to cloud computing models.