Cloud first to cloud smart: 3 tips to smooth the transition

As the government moves from cloud first to cloud smart, agencies must get their arms around some basic elements to make sure their continued shift to the cloud is both cost-effective and secure. This may mean reconsidering how to think about the cloud, improve security and leverage acquisition options.

This past September, the Office of Management and Budget published its Cloud Smart Strategy proposal -- the first cloud policy update in seven years -- to create a way for agencies to migrate to a more safe and secure cloud network. As agencies assess cloud strategies, it’s important they have operational parity across both public and private-cloud based resources.

Here are a few effective ways to start becoming cloud smart.

1. Re-educating the workforce: Think outside “the box”

Just as there is a shortage of cyber professionals in government, there’s also a scarcity of professionals who understand cloud dynamics.

The biggest misapprehension about the cloud is that it is about the network. If it were, public cloud providers  would allow cloud customers to bring their own network devices. The cloud (public or private) is less about the boxes that cloud infrastructure requires, and more about applications, services delivery, automation and operational parity. Unfortunately, the government seems to be stuck on the notion of a box- or hardware-defined network.

The federal networking workforce must shift its focus from a network-centric, device-based infrastructure to an application-centric approach for service delivery.

Take for instance the trends toward what’s known as “service chaining” -- the alignment of critical services to manage and protect network boundaries -- or tenant-focused infrastructure services such as load balancing. These traditional deployment scenarios typically use a box- or net-centric approach. A simpler and more cost-effective method would be to employ a public or enterprise virtual private cloud to create operational parity.

2. Defining your perimeters: Security in an elastic environment

With the cloud's growing acceptance, hackers are increasingly attempting to disrupt cloud-based citizen services, government operations and defense-related activities.  Meanwhile, agencies are starting to routinely automate on-demand services for a better user experience.

To improve security by taking advantage of automation, agencies need a cost-effective visibility strategy that combines capabilities of both public and on-premise cloud resources.

Here’s the catch: Today’s threat landscape is a complex multidimensional domain, comprised of common attack vectors combined with sophisticated methods that mask more lethal  targeted attacks. These higher-impact attacks include so-called “living off the land” tactics, which use trusted and approved infrastructure applications to launch hacking activity that bypass static security stacks.

In the cloud, cyber risk increases with insertion of new tools and applications. Software development and delivery are rapidly changing, and applications are routinely added, deleted or changed, which drives the need for secure source code.  

Because of the cloud's elasticity and constant changes, cybersecurity software must be continually updated to detect possible areas of vulnerability and to make sure files are not corrupted by hackers.

One approach to minimize security threats is to use dynamic software-defined perimeters, which build on the capability of Trusted Internet Connections as risk management aggregation points.

Software-defined perimeters evolved from work done at the Defense Information Systems Agency in 2007, under the Global Information Grid Black Core Network initiative. This approach renders an application infrastructure undetectable, with no visible DNS information or IP addresses.

With software-defined perimeter technology, an agency can address the most common network-based attacks, such as server scanning, distributed denial of service and exploitation of operating system and application vulnerabilities.

Fortunately, visibility and monitoring strategies for security have matured greatly with advances from large-scale cloud fabric solutions for analysis, collection and surveillance that account for the dynamic elasticity of cloud environments.

Therefore, a cost-effective solution for security in the cloud should use a consistent operational model that repurposes and extends the capability of existing tools, creating a glide path for automation and improved functionality.

3. Understanding your real needs: Streamlining acquisition

Cloud acquisition decisions provide a great opportunity for agencies to rethink and adjust their procurement strategies to better focus on performance, transition cycles and key performance indicators for services delivery.

Because the cloud leverages massive scale infrastructure, agencies can develop cost models based on the type of service offerings they need. And because the public cloud de-emphasizes the physical aspect of connectivity, agencies can now focus on the criticality of applications and service provisioning.

This opens the door for deciding which type of service to use and how to transfer software applications to the cloud. In some cases, a vendor will cut a deal by purchasing applications directly. If agencies are forced to use the marketplace, software costs can add up quickly. Software applications not natively built for the cloud and instead “ported over” can vary in performance and even features, with headaches waiting in the shadows.

Remember that today’s on-premise or public clouds leverage integration extensively. Keeping integration at the core of decision-making enables rapid, flexible development of long-lasting solutions, and can lead to better implementation decisions whether using the cloud on-premise or off.

Cloud smart will help government agencies make sound decisions that will drive modernization. Thinking through the sometimes painfully myopic details will help agencies create better and more flexible strategies for implementation, security and acquisition.