As Federal government agencies are fast-tracking their secure multi-cloud journeys, experts this week urged agencies to take a “trust, but verify” approach to cloud security, which may require a cultural change across organizations.
At the OutFront: Continuous Agility forum hosted by SAIC and MeriTalk in Arlington, Va., on Nov. 2, one government official said that verifying the service-level agreements (SLAs) written into the contracts between Federal agencies and their cloud providers is crucial to a secure cloud strategy.
Jamie Holcombe, chief information officer (CIO) for the U.S. Patent and Trademark Office (USPTO), explained that agencies must ensure their SLAs can be met, and the best way is to take a “trust, but verify” approach.
“I started the journey with a multi, hybrid cloud strategy,” Holcombe said, reflecting on his five years at the USPTO. “And as we walked through that, it was hard as heck to get everyone culturally thinking about how to move forward, because they’re worried about security.”
“I always had the attitude … [of] buyer beware. It’s all about the SLAs. So, you’re as secure as your SLAs are, because the cloud providers are providing services that are ‘best effort,’” he added. “Yes, it will have the security that they say it will, but you have to test. And that’s a big thing – trust, but verify.”
The CIO said that while these may seem like simple concepts, procurement and operations are often at odds.
“You have to get those two units together to ensure your SLAs can be met and don’t accept the base contract,” he said. “Buyer beware, whatever your services are, make sure they fit your requirements.”
Sharon Woods, director for the Defense Information Systems Agency (DISA) J-9 Hosting and Compute Center, noted that part of embracing a trust-but-verify approach involves “a mindset shift.”
However, she noted that while many SLAs have become routine, edge devices are one area where SLAs are becoming harder for her agency to define.
For instance, Woods said basic questions can be tough to answer: what shipping devices out looks like, what happens when something goes wrong, and what the cloud provider expects for patching, given that the devices are disconnected.
“That’s something we’re still unpacking,” Woods said. “JWCC [the Joint Warfighting Cloud Capability] has been around for less than a year. So, we’re still working through that. But I think that that’s one of the emergent areas where we’re encountering some challenges with SLAs.”
Nevertheless, embracing these challenges and building trust with a provider is critical to a more secure cloud, according to Alan Halachmi, director of solutions architecture for Worldwide Public Sector at Amazon Web Services (AWS).
“A lot of conversations that we have still today start with, ‘Why should I trust the cloud provider?’” Halachmi said. “So, this time that is inevitably spent just to secure the environment itself from us, giving you the confidence that you have the ability to secure your workloads in a way where you have control of who has access to what the content is and so forth, is I think material.”
That peace of mind and sense of security allows Federal agencies to more quickly meet their mission outcomes, added SAIC Chief Technology Officer Bob Ritchie.
“One of the things that I’ve observed … is the inheritable cloud security model – the ability to go fast as a result of that cloud inheritance,” Ritchie said. “And so, you mentioned the timely trivia question on how much is FedRAMP and how much is approved by CC SRG [Cloud Computing Security Requirements Guide] at the different impact levels. That very much helps us go fast and really get the mission outcomes.”