Federal agencies are moving quickly toward a cloud-first model, which means that sensitive data that could compromise national security is moving to the cloud. This places the data at the mercy of private companies, so agencies need to take specific steps to mitigate the risk of data or service loss.
It’s challenging to build the existing IT architecture from scratch on the cloud. However, traditional architectures can be deployed in the cloud to develop specific use cases where the administrator dictates the security controls in the architecture. Although an agency has a weaker grip once it moves its functions to cloud environments, it can minimize the risk by looking into the security specifics of each cloud platform.
Why are Federal Agencies Moving toward the Cloud?
The primary motivation is cost cutting. Although using virtual machines is profitable, the maximum savings come from re-architecting the infrastructure for the cloud so that it leverages the cloud's services. Further, where services overlap, IT leaders need to understand how the services work as well as their dependencies so that the services can be quickly resumed after a disaster. Agencies can also choose to distribute their services across different cloud infrastructures. Vendor-specific services deliver better gains, but using them can lock the agency in with the vendor, especially if the vendor dictates its own terms for rate hikes. That would work against the agency’s purpose of cost cutting.
Better Strategies for Cloud Security
Accrediting entire cloud service components works better than accrediting individual systems. This can be achieved by developing mechanisms through which system owners can “self-verify” while keeping tabs on exceptions. Later, the security teams need to focus on those exceptions to decide on the risk factors.
Conventionally, security teams do not track their cloud service spending and billing. Working closely with their business units will help them uncover dark IT and gain a better understanding of the overall security systems.