'Think different' about your agency's cloud migration
Adopting a DevSecOps approach as the foundation of cloud initiatives lets application, security and operations teams work together as a collaborative team.
The federal government is in a pivotal transition period for cloud adoption. The White House has replaced the prior administration’s Cloud First policy -- which required agencies to evaluate secure cloud computing options before pursuing any new investments -- with what it calls Cloud Smart. As described in the Trump administration’s Federal Cloud Computing Strategy, Cloud Smart brings “guidance for (government) missions to fully actualize the promise and potential of cloud-based technologies while ensuring thoughtful execution that incorporates practical realities.”
This approach arrives as agencies are making notable progress in cloud adoption. Some 47% are reporting that they are either at an advanced stage of estimating costs/establishing governance, provisioning/automating services or operating cloud environments at scale for their infrastructure-as-a-service projects, and 44% are at comparable stages for platform-as-a-service projects, according to IBM's research. Agencies are benefiting most by modernizing legacy IT systems (as cited by 47% of agency and IT decision-makers), improving security (as cited by 42%), lowering operating costs (34%) and enhancing mission-critical services (31%).
Yet as agencies proceed with the transition, they frequently frame much of their strategic planning around technology goals and requirements, treating the human side of the equation as an afterthought. This is a mistake. Too often, agencies approach a migration as if the people-managed, on-premise policies and procedures that worked for application, infrastructure and cybersecurity teams – i.e., the “Big Three” of IT – will work in the cloud. And that is when agencies run into problems.
Why? Because in the on-premise world, the Big Three teams can work against each other because of the stovepiped, hierarchical and even somewhat tribal nature of their structure and operations. What’s more, both the perceived promise and peril of a migration only amplify these dynamics: The application teams want to get to the cloud as quickly as possible, eager to rapidly develop and launch products without infrastructure and security people slowing them down. The infrastructure teams resist change; they run everything using the on-premise playbook and don’t want to come up with another one for the cloud. The security teams are understandably risk-averse, and they struggle to bridge the two worlds of on-premise and cloud protection.
Without a significant change of mindsets, the three teams will collide within the cloud, resulting in project/deployment delays, unmet expectations and/or outright failure – and discouraging agencies from future migrations.
This is why agencies must establish a DevSecOps culture as the foundation of any cloud initiative. DevSecOps brings all three teams to the same table, with what the General Services Administration describes as more “cohesive collaboration” among development, security and operations teams as they “work towards continuous integration and delivery.”
Through its Centers of Excellence initiative, the White House is encouraging this collaborative approach to cloud migration, among other IT modernization efforts. Partnering with the private sector to implement the latest technologies and best practices, five such centers are operating at the Departments of Agriculture and Housing and Urban Development. In 2018, USDA reported $26 million in “cost avoidance and savings” due to the CoE.
In 1997, Steve Jobs and Apple inspired the world with the now-iconic “Think different” ad campaign, celebrating those who have “no respect for the status quo.”
Nearly a quarter-century later, this message remains as relevant as ever for agencies as they migrate operations to the cloud. They must “think different” and abandon status quo policies and procedures from the very start of the process. Their application, infrastructure and cybersecurity teams must stop considering themselves as separate, stovepiped “parts” and work together as a collaborative whole. With this approach, agencies can take full advantage of everything the cloud has to offer -- a Cloud Smart approach, completely fulfilled.