The move to cloud: It's easier than you think

It’s a common phrase that echoes the mentality that has accompanied large-scale federal IT implementations for decades.  Excited by innovation and  possibilities, agencies and organizations focus on new and sexy IT capabilities rather than on replacing the old technology.

Legacy systems that "ain’t broke" may well continue to operate as intended, but have become overwhelmed by an environment that has matured at light speed by comparison.  The increased costs associated with maintaining this outdated tech have drawn significant attention, but concerns about the security risks unwittingly imposed by these legacy systems deserves even more attention.

Whether it’s the superstition that voicing concerns could invoke a worst-case scenario like a magical incantation, or agencies' outright fear of accountability, we are instead left with silence. In reality, what you don’t know -- or don’t acknowledge -- can hurt most certainly you.

The Government Accountability Office has reported the federal government spends more than 75 percent of its IT budget on operations and maintenance, resulting in a $7.3 billion decrease in investment in development, modernization and enhancement over seven years.  This astounding decline can be attributed to agencies keeping old systems on life support rather than bringing them up to the current generation of technologies. 

Like the decades-old water heater in your home that works just well enough to keep it in service, despite the multiple visits from the plumber every year, the short-term fix is seductive. While being without hot water is typically nothing more than a nuisance, an agency without email due to a denial of service attack -- or, worse yet, a hack that steals all emails -- leaves an entire organization in chaos.

We need to consider the bigger picture. The good news is that the cost of replacing federal legacy technology is much lower than most think. And the best way to leave legacy behind is to embrace the cloud.

The cloud compliance barrier

With the recent signing of President Donald Trump’s Cybersecurity Executive Order and the Modernizing Government Technology Act making it through the House, we are witnessing an unprecedented push for IT transformation for federal agencies. Amazon Web Services, Microsoft's Azure and Google's Cloud Platform have become the preferred public-cloud option for any agency with an eye towards innovation. The public cloud allows agencies to dramatically cut costs while providing better services to citizens and improving efficiency for employees.

Despite the advantages of cloud, there is still a significant hesitation from agencies. In my conversations with agency leaders, compliance is frequently cited as an obstacle to embracing cloud due to issues related to cost, time and complexity. Though the Federal Risk and Authorization Management Program receives the most attention as a standard, the security compliance guidelines for each federal government system outlined in the National Institute of Standards and Technology's Risk Management Framework -- and now the NIST Cybersecurity Framework --  have agency leaders concerned.

Their unease is understandable. Almost all legacy systems had been certified and accredited under older security frameworks that were perceived to be less time-consuming and costly. Of course, those frameworks were also considerably less comprehensive than the NIST's RMF or CSF.

The ROI of automating security compliance

Old compliance regulations requested a validation of security controls once every three years. While this may have lightened the load on agency technology leaders, it simply does not make sense with today’s ever-changing software, applications and sophisticated threats. The goal of updated frameworks, such as the NIST CSF, is to push agencies to continuously monitor security controls so they can determine, instantly, if risk has been introduced to the program or agency.

However, the ability to deliver continuous monitoring is not the unclimbable mountain that it has been made out to be. There are options available for agencies to monitor their IT environments in real time, receive proactive alerts on suspicious activity and become empowered to focus only on the most pressing security and compliance issues at a given moment. This is why the addition of that sixth step of the NIST RMF -- continuous monitoring -- is such a game changer. It’s calling for a fundamental shift in focus for every agency’s cyber posture.

While continuous monitoring sounds overwhelming, complex and expensive, the truth is that in the cloud, automation has the power to simplify and streamline the process.

Automated cloud compliance can save agencies up to 50 percent in time and effort while moving to a cloud environment. As with most technology, increased adoption allows for economies of scale, especially with respect to cybersecurity. That’s time and effort that can be redirected to training, research and innovation.

True modernization in the public cloud

Security has always been the primary reason agency leaders were wary of the public cloud.  Yet as the technology has matured, global cloud providers have strengthened their customized security controls, and the smart decision has become to outsource infrastructure-related elements of security to these experts.

It is highly unlikely that individual agencies have the resources to ensure the same level of security and automated compliance assurance in their own data centers. Rather than continue to  accept the risk of these legacy systems, why not lean on the global leaders to do what they do best, for a fraction of the cost, all the while improving efficiency and service delivery to citizens?

Ultimately, the barrier to entry in the public cloud is not security, compliance or cost -- it’s understanding how easy a move to cloud can be.