Federal Government Cloud Security Evolution

In 2011, former federal CIO Vivek Kundra set the stage for federal government agencies to take full advantage of the benefits of cloud computing through the Cloud First initiative, which mandates that agencies consider cloud computing before other options for new IT projects.

And since that time, several agencies – including the General Services Administration (GSA), Department of the Interior, Department of Agriculture and NASA – have embraced the technology.

While Cloud First is designed to enable agencies to maximize capacity utilization, improve IT flexibility and responsiveness, and minimize cost, agencies are still faced with challenges – particularly when it comes to security in light of the latest news that more than 5.6 million biometric identifiers from U.S. federal employees were exposed in the breach of Office of Personnel Management (OPM) servers.

Because government servers host so much personal data about Americans, agencies need to have full confidence that when they move to the cloud, security is a top priority. However, by moving infrastructure to a cloud provider, many agencies feel they lose control and visibility into their network resources.

Cloud First is requiring a significant change in the way agencies operate and the culture of IT within them. But agencies don’t need to start from scratch in reinventing the security processes in this new cloud-focused paradigm.

Experience in the private sector is rich and can easily be applied by federal agencies as they more broadly adopt the cloud and seek to apply the proper levels of security.

Here’s a look at six strategies from the private sector that agencies can adopt to ensure success:


Agencies must understand that cloud environments can undergo dramatic changes during deployments or large auto-scaling events, as well as with the natural growth they will experience over time.

The most commonly used security architectures are more than 20 years old, so when agencies move to the cloud, they have a perfect opportunity to adopt new technologies and take a different approach to security.

While the conventional static data centers were generally simple enough to be evaluated by humans for vulnerabilities that are introduced by changes to the environment, cloud environments are dynamic, with rapid and complex changes that are too much for individuals to monitor effectively without the right tools.

Rapid creation and modification of infrastructure renders most traditional data center security solutions ineffective, or at least severely diminishes their capabilities. Agencies should integrate automated security acceptance tests, a subset of the key security controls, directly into the last stage of their functional testing processes.

These automated security validations in functional testing can promote builds with greater confidence at a more rapid pace. Ask yourself: You know your operational tools can deliver continuous monitoring and alerting for efficiency — so why shouldn’t your security suite be automated as well?


Moving critical operations to the cloud is not a solo endeavor — agencies need to build teams with a shared vision by enlisting business owners, engineers, the operations team and other key stakeholders to ensure the migration is secure, because these partners own the end-to-end decisions around direction, capabilities, service management and more.

The marriage of SecOps and DevOps – known as DevSecOps – creates a whole new mentality for driving innovation inside and outside of organizations because it capitalizes on common ground to make it easier for agencies to align security objectives with today’s rapid speed of operations.

A DevSecOps mindset embraces the premise that everyone in the organization – IT, developers, security, and management – is responsible for security. This cooperative approach leverages tools and processes to assist decision making and enables the distribution of security at speed and scale to keep pace with a dynamic cloud environment.


A recent survey conducted by IDG Research noted that 80 percent of respondents say that conventional data center security tools fall short in the cloud, and the problem will be exacerbated as more services and data are migrated to cloud environments.

Data centers are relatively static, where domain experts can make changes and enhancements generally only in three- to five-year cycles. In the cloud, though, the environment is constantly changing and evolving with monthly enhancement cycles, giving engineers the ability to quickly make changes.

Another reason traditional security tools are not effective in the cloud is that the cloud presents a new attack vector – the API, or control plane – through which all resources are managed.

Traditional solutions rely on being in the path of traffic, on being deployed within the application or operating system, or on network scanning techniques. But in the cloud, users run application stacks on abstracted services or PaaS layers, or leverage API-driven processes, which render conventional solutions ineffective.

Agencies need to understand that workload deployment in the cloud will require a new approach to security that can deliver continuous monitoring and alerting while simultaneously scaling effectively as the cloud environment morphs.


In the cloud, agencies can no longer think of security as being a separate step in the launch cycle. Instead, security needs to be integrated into the overall process of development and deployment from the start.

As agencies begin to embrace continuous patterns of development and deployment, implementing continuous security through DevSecOps becomes a must.

Agencies also must make sure they are evaluating and investing in a new generation of security products that can natively deliver today’s expected user experience — such as a UI, a RESTful API, and an SDK on which to extend or build customizations for their environments.

They need powerful capabilities, like post-deploy automated security sweeps, which can pass or fail new builds in short order or can reconfigure deployed resources to known good states in near real-time.
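
The automated security acceptance test and post-deploy sweep described in this article, as an added example (not from the original article or from any product it alludes to): it checks a constructed resource snapshot against a small subset of controls, passes or fails the build, and resets violating resources to known-good settings. The resource fields, control names and internal address range are assumptions made for illustration.

```python
# Constructed snapshot of deployed resources, shaped like the output of a
# cloud control-plane API. All field names and values are hypothetical.
SNAPSHOT = [
    {"id": "sg-web", "type": "firewall_rule", "port": 443, "source": "0.0.0.0/0"},
    {"id": "sg-admin", "type": "firewall_rule", "port": 22, "source": "0.0.0.0/0"},
    {"id": "bucket-records", "type": "storage", "public_read": True, "encrypted": False},
    {"id": "bucket-logs", "type": "storage", "public_read": False, "encrypted": True},
]

ADMIN_PORTS = {22, 3389}  # SSH and RDP

# Each control: (name, resource type, predicate that is True when the
# resource violates the control, known-good settings to restore).
CONTROLS = [
    ("admin-port-open-to-internet", "firewall_rule",
     lambda r: r["port"] in ADMIN_PORTS and r["source"] == "0.0.0.0/0",
     {"source": "10.0.0.0/8"}),  # assumed internal range
    ("storage-publicly-readable", "storage",
     lambda r: r["public_read"], {"public_read": False}),
    ("storage-unencrypted", "storage",
     lambda r: not r["encrypted"], {"encrypted": True}),
]

def sweep(resources):
    """Return (resource id, control name, fix) for every violated control."""
    findings = []
    for res in resources:
        for name, rtype, violated, fix in CONTROLS:
            if res["type"] == rtype and violated(res):
                findings.append((res["id"], name, fix))
    return findings

def gate(resources):
    """Acceptance gate: the build is promoted only with zero findings."""
    return not sweep(resources)

def remediate(resources):
    """Return copies of the resources reset to their known-good settings."""
    fixed = {r["id"]: dict(r) for r in resources}
    for res_id, _name, fix in sweep(resources):
        fixed[res_id].update(fix)
    return list(fixed.values())

if __name__ == "__main__":
    for res_id, name, _fix in sweep(SNAPSHOT):
        print(f"FAIL {res_id}: {name}")
    print("build passes:", gate(SNAPSHOT))
    print("passes after remediation:", gate(remediate(SNAPSHOT)))
```

Run as the last stage of functional testing, `gate` decides whether a build is promoted; run on a schedule against live inventory, `sweep` and `remediate` act as the post-deploy check.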

Anything is possible when you can utilize a great security product that was developed both for and within the cloud and make it part of your organization’s unique strategy.


APIs are becoming more and more important in the cloud-based environment, and agencies will need to have team members who are proficient in their use.

Integrating applications via code saves months of labor, compared to using the user interfaces that accompany most products on the market. You’ll need to be sure that, as you use APIs, you’re tying your offense and defense together – because if you don’t, you will be susceptible to security breaches by attackers who do.

And with a good handle on API-enabled security and continuous monitoring tools, agencies can also operationalize security alarms just like any other operations incident, and your team can respond within moments. Continuous security solutions can alert of critical issues in real-time, and the team will have access to all the data they need to address the issue without waiting for backup.


As mentioned above, with the many high profile and extensive data breaches like OPM and Target that are making the news regularly, security has to be top of mind for any agency that is moving or has moved to the cloud. They need to act decisively to ensure that any new operations they’re migrating do not expose them to additional risk.

As with any good security strategy, agencies will need to combine their defenses to create a strong security posture. Layering automated security testing, continuous security assessments, rapid operational responses, and other key aspects discussed here puts you in the position to be able to augment existing and anticipated security efforts.

Yet many are still approaching security with solutions that have an antiquated data center-centric mentality, and that runs counter to the flexible infrastructure principles of today’s popular cloud environments, often forcing security professionals to try to retrofit existing solutions to work in the cloud, which simply does not work.

Security needs to be a ubiquitous element that pervades an agency’s entire cloud integration strategy at every level, as the tactic of bolting it on long after the fact will not serve to protect critical data and processes in the cloud.

As the trend of government agencies moving to the cloud is not expected to wane, given the measurable momentum already gained from the Cloud First initiative, the approach to security must evolve. The opportunity is here for true innovators to reinvent security strategies for the blossoming cloud age.

New solutions must be able to be deployed in mere minutes, not months, and must provide agencies with actionable security insights that can be easily understood by the broader team, and they must be able to guide agencies to a robust cloud infrastructure security state of mind and being.


This article was originally prepared for Signal Magazine