How cloud can bolster security
- By Stephen Horvath
If it ain't broke, don't fix it.
That common phrase describes many agencies' attitude toward large-scale federal IT implementations. Organizations would rather focus on new and sexy IT capabilities than on replacing the old technology.
Although systems that "ain't broke" may still operate as intended, they are essentially standing still in an environment that has matured at light speed around them. Significant attention has been paid to the increasing operation and maintenance costs of legacy equipment, but the security risks unwittingly imposed by these legacy systems deserve even more consideration.
As with the decades-old water heater in your home that works just well enough to stay in service despite multiple visits from the plumber every year, the short-term fix is seductive. But while being without hot water is typically nothing more than a nuisance, an agency without email due to a denial-of-service attack -- or, worse yet, a hack that steals all of its email -- is an entire organization in chaos.
We need to consider the bigger picture. The good news is that the cost of replacing federal legacy technology is much lower than most think. And the best way to leave legacy behind is to embrace the cloud.
The cloud compliance barrier
With the recent signing of President Donald Trump's Cybersecurity Executive Order and the Modernizing Government Technology Act making it through the House, we are witnessing an unprecedented push for IT transformation at federal agencies. Amazon Web Services, Microsoft's Azure and Google's Cloud Platform have become the preferred public-cloud options for any agency with an eye toward innovation. The public cloud allows agencies to dramatically cut costs while providing better services to citizens and improving efficiency for employees.
Despite the advantages of cloud, there is still significant hesitation from agencies. In my conversations with agency leaders, compliance is frequently cited as an obstacle to embracing cloud because of the cost, time and complexity involved. Though the Federal Risk and Authorization Management Program receives the most attention as a standard, the security compliance guidelines for each federal government system outlined in the National Institute of Standards and Technology's Risk Management Framework (RMF) -- and now the NIST Cybersecurity Framework (CSF) -- have agency leaders concerned.
Their unease is understandable. Almost all legacy systems were certified and accredited under older security frameworks that were perceived to be less time-consuming and costly. Of course, those frameworks were also considerably less comprehensive than NIST's RMF or CSF.
The ROI of automating security compliance
Old compliance regulations called for a validation of security controls once every three years. While this may have lightened the load on agency technology leaders, it simply does not make sense with today's ever-changing software, applications and sophisticated threats. The goal of updated frameworks, such as the NIST CSF, is to push agencies to continuously monitor security controls so they can determine, instantly, whether new risk has been introduced to a program or agency.
However, delivering continuous monitoring is not the unclimbable mountain it has been made out to be. Options exist for agencies to monitor their IT environments in real time, receive proactive alerts on suspicious activity and focus only on the most pressing security and compliance issues at a given moment. This is why the sixth step of the NIST RMF -- continuous monitoring -- is such a game changer. It calls for a fundamental shift in focus for every agency's cyber posture.
While continuous monitoring sounds overwhelming, complex and expensive, the truth is that in the cloud, automation has the power to simplify and streamline the process.
Automated cloud compliance can save agencies up to 50 percent in time and effort while moving to a cloud environment. As with most technology, increased adoption allows for economies of scale, especially with respect to cybersecurity. That’s time and effort that can be redirected to training, research and innovation.
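To make the shift from a three-year validation to continuous monitoring concrete, here is a small added example (not the author's or Telos's code, and not tied to any real cloud provider's API). It evaluates two constructed inventory snapshots of hypothetical resources against a few controls and alerts only on findings that are new since the previous scan, which is the "has risk been introduced?" question the paragraphs above describe. The resource names, the snapshot dictionaries and the check thresholds are all assumptions; the control identifiers are real NIST SP 800-53 control ids, but the mapping of each check to a control is illustrative.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Set, Tuple

# Constructed inventory snapshots (hypothetical resources, not real agency data).
# A real monitor would build these from the cloud provider's inventory API.
SNAPSHOT_T0 = {
    "bucket:citizen-records": {"type": "storage", "public": False,
                               "encrypted": True, "access_logging": True},
    "vm:mail-gateway": {"type": "compute", "days_since_patch": 12,
                        "internet_ports": [25, 443]},
    "user:admin-jane": {"type": "identity", "privileged": True, "mfa": False},
}

# The same environment one scan later: MFA was fixed, but three new gaps crept in.
SNAPSHOT_T1 = {
    "bucket:citizen-records": {"type": "storage", "public": True,        # now world-readable
                               "encrypted": True, "access_logging": True},
    "vm:mail-gateway": {"type": "compute", "days_since_patch": 45,       # patching lapsed
                        "internet_ports": [22, 25, 443]},                # SSH opened to the internet
    "user:admin-jane": {"type": "identity", "privileged": True, "mfa": True},
}


@dataclass(frozen=True)
class Finding:
    control: str    # NIST SP 800-53 control id the check maps to (illustrative mapping)
    resource: str
    detail: str


def check_storage(name: str, r: dict) -> Set[Finding]:
    out: Set[Finding] = set()
    if r["public"]:
        out.add(Finding("AC-3", name, "storage is publicly readable"))
    if not r["encrypted"]:
        out.add(Finding("SC-28", name, "data at rest is not encrypted"))
    if not r["access_logging"]:
        out.add(Finding("AU-2", name, "access logging is disabled"))
    return out


def check_compute(name: str, r: dict, max_patch_age_days: int = 30,
                  allowed_ports: Tuple[int, ...] = (25, 443)) -> Set[Finding]:
    out: Set[Finding] = set()
    if r["days_since_patch"] > max_patch_age_days:
        out.add(Finding("SI-2", name, f"unpatched for {r['days_since_patch']} days"))
    for port in r["internet_ports"]:
        if port not in allowed_ports:
            out.add(Finding("SC-7", name, f"port {port} exposed to the internet"))
    return out


def check_identity(name: str, r: dict) -> Set[Finding]:
    out: Set[Finding] = set()
    if r["privileged"] and not r["mfa"]:
        out.add(Finding("IA-2(1)", name, "privileged account without MFA"))
    return out


# Dispatch each resource type to the checks that apply to it.
CHECKS: Dict[str, Callable[[str, dict], Set[Finding]]] = {
    "storage": check_storage,
    "compute": check_compute,
    "identity": check_identity,
}


def evaluate(snapshot: dict) -> Set[Finding]:
    """Run every applicable control check over one inventory snapshot."""
    findings: Set[Finding] = set()
    for name, resource in snapshot.items():
        findings |= CHECKS[resource["type"]](name, resource)
    return findings


def delta(previous: Set[Finding], current: Set[Finding]) -> Tuple[Set[Finding], Set[Finding]]:
    """Return (introduced, resolved): alerts fire only on change, not on every scan."""
    return current - previous, previous - current


if __name__ == "__main__":
    before, after = evaluate(SNAPSHOT_T0), evaluate(SNAPSHOT_T1)
    introduced, resolved = delta(before, after)
    for f in sorted(introduced, key=lambda f: (f.control, f.resource)):
        print(f"ALERT    [{f.control}] {f.resource}: {f.detail}")
    for f in sorted(resolved, key=lambda f: (f.control, f.resource)):
        print(f"RESOLVED [{f.control}] {f.resource}: {f.detail}")
```

Running this on a schedule (every few minutes rather than every three years) and keeping the previous scan's findings is the whole mechanism: `evaluate` is the assessment, `delta` is the part that turns it into a proactive alert rather than a report nobody reads.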
True modernization in the public cloud
Security has always been the primary reason agency leaders were wary of the public cloud. Yet as the technology has matured, global cloud providers have strengthened their customized security controls, and the smart decision has become to outsource infrastructure-related elements of security to these experts.
It is highly unlikely that individual agencies have the resources to ensure the same level of security and automated compliance assurance in their own data centers. Rather than continue to accept the risk of these legacy systems, why not lean on the global leaders to do what they do best, for a fraction of the cost, all the while improving efficiency and service delivery to citizens?
Ultimately, the barrier to entry in the public cloud is not security, compliance or cost -- it’s understanding how easy a move to cloud can be.
Stephen Horvath is vice president of strategy and cloud at Telos Corporation.