Government cloud adoption may make security easier

As the cybersecurity environment becomes more complicated, federal IT professionals are seeing the cloud as more of an ally than a potential threat. The biggest challenge is to make sure that security training keeps pace with cloud technology adoption.

This past May, a breakfast briefing on cybersecurity was held at the International Spy Museum in D.C. The briefing brought together a panel of speakers from various agencies: 

• Leslie Perkins, deputy chief technology officer, Air Force;
• Sally Holcomb, deputy chief information officer, National Security Agency/Central Security Agency (NSA/CSS); and
• Mark Kneidinger, director, Federal Network Resilience, U.S. Department of Homeland Security (DHS)

These government IT leaders revealed how they’re safeguarding their agencies in an era of emerging threats, and also shared success stories and their biggest challenges for staying ahead of the threats.

Security is easier in the cloud

According to NSA’s Holcomb, security is easier to manage in the cloud, especially with the advent of attribute-based access control (ABAC) procedures. ABAC, Holcomb said, can protect data down to a tiny granularity, sharing it with only certain individuals. This type of control isn’t possible in a normal data repository and legacy environment.

“You gain that precision of security that enables better discipline and practice. We embraced the cloud eagerly because of that,” Holcomb said.

NSA is also using the cloud for data analysis. “We have far better visibility on humans and machines and what’s happening in our world because we’re using the power of the cloud to understand what’s happening and to define these anomalies and act on them. We’ve never been able to do that before,” said Holcomb.

That’s not necessarily true across the board, however; skill sets still need to be developed to properly implement cybersecurity in the cloud.

The Air Force’s Perkins commented that she doesn’t have enough people who know how to implement cybersecurity in a program for a cloud environment. She wants to be able to give them the tools that incorporate not only the differences in the cloud environment but in getting those cybersecurity measures built-in “without having them get PhDs in cybersecurity. We want them to focus on the things that they’re supposed to be doing,” Perkins said.

In terms of best practices, Perkins said the Air Force is investing brainpower into identity management and access management in a way that’s not dependent on one factor.

“For example,” she said, “how do I use biometric information, regardless of what platform I’m on?” The service is also looking at how applications interact with platforms, to ensure that applications are accessing the data they need to and being provided to the people who need it.

These changes across agencies represent a “mindset shift” from cybersecurity as the sole responsibility of the CIO or CISO, said DHS’ Kneidinger. “It’s really the entire workforce” that’s responsible, he said.

DHS is working with mission owners and new political appointees — especially deputy secretaries — across government, because these executives often control the IT budgets, Kneidinger said. The education process extends not only to why cybersecurity is important but where it needs to be applied and the implications for when it’s not being applied. “Awareness is critical and we’re really pushing that aggressively,” he said.

Future investments focus on shared services

In terms of how government must work with industry, the next four or so years will include major investment in leveraging shared services applications in the cloud. Government needs to be smart in assessing and moving those applications forward. At the same time, the panelists agreed, it’s important not to forget about risk, transparency and responsibility at the CIO and CISO level.

“As we’re moving closer to the cloud and shared services, I still think there’s a maturity that we need to work together on to achieve,” said Kneidinger.

It’s challenging for agencies to move forward to the cloud and shared services, given staff freezes and budget constraints. Agencies need to look at prioritizing items that are duplicative and legacy applications. Are there opportunities for small agencies with stretched IT staffs to move applications to the cloud? “It’s a balancing act for agencies but there’s an opportunity to also look at where they can be more efficient and make major changes given the various executive orders and things coming down so we can leverage what we do have more effectively,” Kneidinger said.

Perkins noted that spending money comes down to where colleagues are making investments, and whether they’re willing to share. “One of the big problems is spending $1 million on a solution for a $10 threat,” she said. If military branches each take a piece of an overall IT issue, they can utilize leveraged resources to the best effect for all.

Successful implementation of the cloud in the government is a complicated balancing act that combines knowing the environment, knowing technology, and knowing what people can do with that technology — both in terms of capability and secure authorization.

As Perkins put it, “It’s not one thing; it’s a layered approach.”