The 7 most common challenges to cloud computing Pt. I
Earlier this month the Government Accountability Office (GAO) released the results of their study on the Office of Management and Budget’s (OMB) Cloud First policy. The GAO assessed the progress selected agencies made and identified challenges they are facing in implementing the policy.
In response to the findings, Shamun Mahmud, DLT Cloud Advisory Group team member and a contributor to NIST Cloud Computing Working Groups shares some additional thoughts on the seven implementation challenges identified in the study. In the first of a three-part series, Mahmud tackles the first of the challenges. The remaining six will be covered in two upcoming posts.
• Meeting federal security requirements: Cloud vendors may not be familiar with security requirements that are unique to government agencies, such as continuous monitoring and maintaining an inventory of systems. For example, State [Department] officials described their ability to monitor their systems in real time, which they said cloud service providers were unable to match. [U.S.] Treasury officials also explained that the Federal Information Security Management Act's requirement of maintaining a physical inventory is challenging in a cloud environment because the agency does not have insight into the provider's infrastructure and assets.
As a review, FedRAMP (Federal Risk and Authorization Management Program) serves as the primary program for federal acquisition of cloud computing services. In order to sell Cloud services, a Cloud Service Provider (CSP) must become FedRAMP authorized. Risk management is a fundamental challenge and must be addressed appropriately for an agency to successfully complete its mission. FedRAMP is designed to streamline agencies’ efforts expended on all phases of risk management.
Information security continuous monitoring is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.
NIST SP 800-37 identifies the following as elements essential to a successful organization-wide continuous monitoring program:
• Configuration management and change control – develop processes for organizational information systems, throughout their SDLCs, and with consideration of their operating environments and their role(s) in supporting the organization’s missions and core business processes
• Security impact analyses – develop security impact analysis and conduct analyses to monitor for changes to organizational information systems and their environments of operation for any adverse security impact to systems, mission/business and/or organizational functions which said systems support
• Ongoing assessment of system security controls – assessment frequencies based on an organization-wide continuous monitoring strategy and individual system authorization strategies
• Security status monitoring and reporting – communicate accurate and up-to-date security-related information to support ongoing management of information security risks and to enable data-driven risk mitigation decisions with minimal response times and acceptable data latencies
• Active involvement of organizational officials
FedRAMP PMO requires that Third Party Assessment Organizations transparently audit the security controls (including continuous monitoring) as implemented by CSPs. CSPs must leverage the information readily found in the Program Management (PM) family of security controls (see NIST SP 800-53r3). The PM controls are a special type of common controls that are implemented at Tier 2 and are uniquely important to a continuous monitoring strategy. The associated metrics provide insight into the ongoing effectiveness of the security program, thus supporting risk management decisions. Consequently, Tier 1 has a role in determining these controls.
NOTE: Tier 1- Risk management activities address high-level information security governance policy as it relates to risk to the organization as a whole, to its core missions, and to its business functions. Tier 2- Organizational officials that are accountable for one or more missions or business processes are also responsible for overseeing the associated risk management activities for those processes.
On the subject of asset inventory, organizations must first establish information owners and asset owners, deciding and documenting which organizations and individuals are responsible for each component of information and each device. In particular, when effective organizations acquire new systems, they record the owner and features of each new asset, including its network interface media access control (MAC) address, a unique identifier hard-coded into most network interface cards and devices. This mapping of asset attributes and owner-to-MAC address can be stored in a free or commercial database management system. Thus, it is not the asset inventory, but the actual mapping to (system) owners is important to establishing baselines within the construct of configuration management (CM). CM is the 800-53r3 family (name) of security controls that most directly addresses asset inventory.
In the past, the first step towards improving a FISMA compliance rating was to make an IT asset inventory that stored all hardware and software assets in a database. Given the abstractional nature of Cloud computing, physical inventories of IT assets will be admittedly difficult (to manage/ interact with?). With FedRAMP, logical assets (aka ‘systems’) shall get mapped back to their respective owners. Let’s get some historical perspective.
There was a somewhat limited amount of attack vectors in the datacenter. That is the good news. Unfortunately, there also were (still are) less resources in the form of an IT security team. As a numerical example: Many agencies have less than 10 personnel devoted to IT security on a full-time basis. They are stretched thinly, spending 80% of their time on hygiene issues like patching and updates. Whereas, some of the larger CSPs employ over 100 folks exclusively dedicated to security. Simply put, there is a more coordinated security effort provided by CSPs.
Physical inventories are a requirement long based upon datacenter-oriented perspectives. That perspective, whilst prevalent, shall evolve. Some folks, including me, would argue that Cloud Computing is actually more secure than premises-based computing.
Cloud computing is a paradigm shift in IT resourcing. Yes, there will be bumps along the road to Cloud adoption. We can liken it to when society switched from horse and buggy to automobiles. It wasn’t a perfect transition, but it was necessary for the betterment of society.
Furthermore, the FedRAMP initiative requires that 3PAOs transparently audit the security controls (including asset inventory) as implemented by CSPs. CSPs must leverage the information readily found in Configuration Management (CM) family of security controls (see NIST SP 800-53r3), prior to receiving FedRAMP ATOs.
Parts two and three will post over the next few days. In the meantime, check out Shamun’s whitepaper on The Benefits of FedRamp.
H/T Network World
Images courtesy of Cloud Tweaks, Tech ProgressRelated Blog Posts
Cloud Computing, Cybersecurity, Market Intelligence
Originally passed in 2014, the Federal Information Technology Acquisition Reform Act (FITARA) was designed to improve the management of all-things-IT across federal agencies. It essentially realigned how the government purchases and updates its technology, with an aim at grading agencies based on their ability to adhere to and improve on the following categories:
Susanna Patten
Cloud Computing, Cybersecurity, Education, Market Intelligence, State & Local Government, Technology
The annual EDUCAUSE conference highlighted higher education technology trends, goals, challenges, and how to identify a way ahead for higher education institutions to be successful in today’s modern world.
Yvonne Maffia
Cloud Computing, Cybersecurity, Market Intelligence
The Air Force hosts an annual summit known as Department of the Air Force Information Technology and Cyberpower (DAFITC) in Montgomery, Alabama, right next to Maxwell Air Force Base. It’s an opportunity for Guardians, Airmen, academics, and IT industry to come together to discuss pain point remedies and high-level plans and strategies. It is also an opportunity for branch heads to strike deals that lead to the adoption of modern and effective systems, meant to enable air superiority. Ms.
Kevin Shaker
Cloud Computing, Cybersecurity, Education, Federal Government, IT Infrastructure, State & Local Government, Technology
The Cybersecurity and Infrastructure Security Agency (CISA) has seen increased malicious activity with ransomware attacks against K 12 educational institutions. Malicious cyber actors target school computer systems, slowing access, and rendering the systems inaccessible to essential functions, including remote learning. In some instances, ransomware actors stole and threatened to leak confidential student data unless institutions paid a ransom.
Ransomware attacks on US government organizations cost $18.9bn in 2020.
Asad Zaman
Cloud Computing, Cybersecurity, Federal Government, State & Local Government, Technology, Tips and How-Tos
TD Synnex Public Sector’s Chief Cybersecurity Technologist, Don Maclean sat down with Mark Guntrip, Senior Director of Security Strategy at Menlo Security, to discuss one of the latest emergent security threats.
James Hofsiss
Cloud Computing, Cybersecurity, Technology, Tips and How-Tos
Every year, there are more and more security breaches, and it gets harder and harder to spot them. According to a leading cybersecurity vendor1, it takes almost seven months for organizations to find breaches, which gives malicious attackers plenty of time to get what they want.
Most often, system misconfigurations like default settings or credentials leave the door wide open for exploitation, resulting in these breaches. As organizations grow, this problem only gets worse because quick changes frequently result in skipped steps.
Heather Sweet
Cloud Computing, Cybersecurity, Technology, Tips and How-Tos, Training
Security is paramount in the digital age, especially when it comes to keeping networks secure. Having network security monitoring services stand between your organization and malicious attackers is crucial. Still, the volume of alerts and issues that come with them can easily overwhelm your team.
The volume of these alerts is rising every year too. According to a report by TrendMicro, 54% of teams surveyed felt like they were drowning in alerts, and 27% said they spent most of their time dealing with false positives.
Heather Sweet
Cloud Computing, Cybersecurity, Technology, Tips and How-Tos
The digital landscape evolves fast, and attackers are even faster. New ways to attack systems and organizations appear every day, and traditional methods are starting to fall behind the times.
Highly Evasive Adaptive Threats (HEAT) are the newest step in the digital world for malicious attackers. These attacks are unlike anything security experts have seen before and lead to some of the most devastating breaches ever seen.
In this article, we’ll explain how HEAT attacks impact companies worldwide and how Menlo Security’s Isolation Core can help protect your organization.
Heather Sweet
Cloud Computing, Cybersecurity, Technology, Tips and How-Tos
The term "Integrated Management Workplace System" (IWMS) was first used by Gartner in 2004 to refer to a program that could manage and integrate all business and workplace requirements into a single, centralized solution. Since then, a number of solutions have emerged with the aim of bringing together various operational and organizational areas that had previously tended to operate in isolation from one another.
Heather Sweet
Cloud Computing, Cybersecurity, Technology
The development world has changed, and organizations are still adapting to developing in the cloud. Cloud native technology and containers are now at the forefront of software development, meaning that software no longer exists and operates locally. However, despite these quick advancements, cloud native application security still lags behind.
This article will cover how you should approach cloud native application security and why Snyk is the best solution for your needs.
Adam Fyffe
Cloud Computing, IT Infrastructure, Market Intelligence, State & Local Government
The 2022 fiscal year-end is drawing near for 46 states, which means the time to leverage last-minute opportunities is coming to an end as state, local and education (SLED) organizations set their sights on next year’s budget and priorities. With FY23 just around the corner, SLED organizations will start executing on budget plans and drafting request for proposals (RFPs).
Yvonne Maffia
Application Lifecycle, Cloud Computing, DevSecOps
In this post we will look at how to accelerate the development of cloud native applications, give you a snapshot of the USAF deployment of D2iQ, and provide a link to the DLT Cloud Security Assessment to see where you currently stand.
Jeff Schad
Cloud Computing, Cybersecurity, Federal Government, IT Perspective
Over the last few years, the federal government has begun to embrace a zero trust approach as the new cybersecurity standard for agencies. Utilizing the latest solutions and best practices, the hope is to bolster federal cybersecurity and create a robust and resilient IT infrastructure that can protect and secure networks from attacks and breaches.
Kevin Tierney
Cloud Computing, Cybersecurity, IT Perspective, Technology
Last January, the Office of Management and Budget (OMB) released M-22-09, a memorandum that set forth the federal government strategy on zero trust adoption, in an effort to reinforce the security and protection of government agencies’ critical systems, networks, and IT infrastructures.
David Presgraves
Application Lifecycle, Cloud Computing, Cybersecurity, DevSecOps, Market Intelligence
"We are making progress. This really is not just about technology. This is about changing our processes changing our approach to delivering and operating technology to IT systems and our cyber mechanical warfare systems as we move forward," said Robert Vietmeyer, DoD Director for Cloud and Software Modernization.
Toan Le
Application Lifecycle, Big Data & Analytics, Cloud Computing, Cybersecurity, DevSecOps, IT Infrastructure
For the second year in a row, Gartner named IBM a Leader in Gartner Magic Quadrant for 2021 Cloud Database Management Systems based on its Ability to Execute and Completeness of Vision. With emergence of a single cloud DBMS market, We believe our portfolio of feature-rich, enterprise-tested offerings, bold acquisitions, and partnerships enable our clients to address the unique needs of their business, respond to the growing volume, velocity and variety of today’s data and drive more accurate data driven decisions.
Holly Vatter
Application Lifecycle, Big Data & Analytics, Cloud Computing, Cybersecurity, DevSecOps, IT Infrastructure
This week's roundup of the latest news and insights gathered from IBM's Government Research Institute thought leaders:
Michael J. Keegan
Cloud, Cloud Computing, Cybersecurity, Federal Government, Technology
As organizations adapt to hybrid work and more and more cloud services are deployed, new service entities that collaborate and exchange data without human interaction, such as virtual machines and containers, are proliferating. The growth of these service accounts and identities and their increasing volumes of permissions, privileges, and entitlements expose organizations to new attack vectors.
Kevin Tierney
Cloud Computing, Federal Government, IT Infrastructure, Technology
You’ve gathered requirements, evaluated technologies, gotten all the right people to sign off on acquiring new technology, and now comes the hard part — procurement. IDIQs, BPAs, GWACs...the contracting officer is throwing out a bunch of complex terms, options, and estimates of how long it will take to get through negotiations. NetDocuments believes our public sector customers should have contracting options that are a lot like our solutions — easy to use.
NetDocuments
Cloud Computing, IT Perspective, Tips and How-Tos
What’s next for cloud in 2022 (and how can you prep for it?)
There were so many noteworthy AWS re:Invent 2021 announcements out of this year’s big Amazon Web Services (AWS) conference. But what will that news mean for the year in cloud ahead? And how can learners and businesses prepare for the opportunities these will create?
Pluralsight
Cloud Computing, Cybersecurity, Federal Government
The Department of Defense (DoD) is taking major steps to boost cloud performance, with the promise of a tangible, positive impact on military missions throughout the world. Specifically, the Joint Warfighter Cloud Capability (JWCC) contract is replacing the Joint Enterprise Defense Infrastructure (JEDI) initiative, which was intended to establish enterprise-class cloud capabilities for the military community.
Carolyn Ford
Business Applications, Cloud Computing, Market Intelligence
At this year’s Department of the Navy (DON) IT Conference, the U.S. Marine Corps discussed its enterprise cloud delivery strategy and how it is derived from its mission to evolve antiquated networks. Before, a Marine working out of headquarters or a U.S. base would use enterprise systems, applications, and infrastructure, but when a Marine goes out in the field, a new email and identity are assigned to operate from different servers and shared drives. For the Marine Corps, that approach is going by the wayside.
Lloyd McCoy
Cloud Computing, Cybersecurity, DevSecOps, Market Intelligence
"Zero Trust is a cybersecurity strategy and framework that embeds IT security mechanisms throughout an architecture that generate metadata used to secure, manage, and monitor every device user, application, and network transaction at the perimeter and within every network enclave."
From the Department of Defense (DoD) Zero Trust Reference Architecture v1.0
Toan Le
Cloud Computing, Cybersecurity, Federal Government
There has been an increased focus among U.S. government agencies on adapting to modern IT environments and enhancing cybersecurity solutions. This increased focus on security government networks, data, and critical infrastructure is a result of ongoing digital transformation initiatives that are resulting in more mission-critical connected systems and more data for agencies to secure. It’s also a result of the increased number of cyberattacks and more sophisticated cyber-criminals that are targeting our nation’s networks.
Kevin Tierney
Cloud Computing, Cybersecurity, Market Intelligence, State & Local Government
If you have been looking for the right time to sell your technology product or service to the state, local and education (SLED) market, now is the time to act. With thirty-six states beginning their fiscal year on July 1st, now is the time to position yourself to take advantage of a confluence of once-in-a-lifetime conditions that have left the SLED market booming with opportunity. Here are some of the factors driving that opportunity:
New Leadership
Yvonne Maffia
Analytics & Data Science, Big Data & Analytics, Cloud Computing, Cybersecurity, Market Intelligence
The COVID-19 pandemic has spurned greater demand for health information technology (IT) by demonstrating the importance of having robust medical research, health surveillance and healthcare systems capable of rapidly responding to new and developing situations, something which requires strong IT investment in big data, cybersecurity and cloud. In addition, both the pandemic and emerging technologies have led to numerous changes within the healthcare industry, such as telehealth expansion and increased use of wearables, which necessitate robust health IT solutions.
Gabriel Zighelboim
Cloud Computing, Cybersecurity, Market Intelligence, State & Local Government
On December 8, 2021, the National Association of State Chief Information Officers (NASCIO) released its 2022 annual top 10 priorities list identifying the most pressing technology and policy issues that state CIOs are prioritizing for the upcoming year.
Yvonne Maffia
Big Data & Analytics, Cloud Computing
What is the difference between AI and ML?
Artificial Intelligence and Machine Learning are two of the most transformative technologies in the computing space that are changing the world in which we live. However, there is often confusion in in what constitutes Artificial Intelligence, and what constitutes Machine Learning.
Ricardo Dutton
Business Applications, Cloud Computing, Cybersecurity, Market Intelligence
Recent signals by the U.S. federal government suggest that customer experience (CX), primarily citizen-facing services will receive attention and investment from funding sources like the Technology Modernization Fund (TMF). The initial $311 million awarded by the TMF primarily went to projects focused on cybersecurity in keeping with stated priorities and the prevalence of cybersecurity threats. From the beginning, however, TMF has emphasized CX projects that focus on how taxpayers engage with government services in secure digital environments.
Dawit Blackwell
Cloud Computing, Market Intelligence
The concept of cloud computing has been around for many years now. Anyone positioned in the information technology (IT) world knows the language: SaaS, PaaS, IaaS, multi-cloud, hybrid, on-prem, and the list goes on. How has the concept of cloud morphed? More importantly, what are the cloud buzzwords and concepts that you should be aware of to get in front of end-users? Edge computing, data-centric architecture and sky computing are emerging, and here to stay. Let’s break down what each is and its current or future role in the U.S. federal market.
Susanna Patten
Big Data & Analytics, Cloud Computing, Cybersecurity
With another busy year behind us, it’s time to look ahead to fiscal year (FY) 2022. The official information technology (IT) budget request is $97B, a 4% increase over FY21, which would be a new record. Of course, those numbers undercount all the IT spending that goes unreported. Furthermore, remaining provisions in the American Rescue Plan, the Technology Modernization Fund and IT provisions in the Infrastructure Bill will represent additional pockets of opportunity worth billions for channel partners and technology vendors.
Lloyd McCoy
Business Applications, Cloud Computing
Assuring the best digital employee experience is now a business imperative.
DLT Solutions
Cloud Computing, Market Intelligence
The numbers don't lie. The U.S. public sector is rapidly adopting cloud technologies across the spectrum. According to the NASCIO 2020 State CIO Survey, only 14% of state chief information officer (CIO) organizations do not have a cloud migration strategy, whereas 41% of respondents indicated that they had implemented a cloud first strategy for all new applications.
David Blankenhorn
Cloud, Cloud Computing
As I.T. professionals, security needs to be at the forefront of everything that we do. Even in mature organizations with robust cloud deployments we must always believe there is room for improvement. Here are four considerations to make when evaluating the security of your AWS workloads.
How will you utilize your logging data?
Ricardo Dutton
Cloud, Cloud Computing
Cloud billing can be a tedious and complicated task if not planned for correctly. If you do not have a well thought out plan on how to approach your AWS bill when charging back to various departments or projects, things can get messy when attempting to divide the bill correctly. In this article we will discuss three methods to make strategizing your approach ahead of time to make things much easier when it comes to invoice time.
Cost Allocation Tags
Josh Gazes
Application Lifecycle, Big Data, Cloud, Cloud Computing, DevSecOps
2020 was a transformative year for public sector IT. Accelerated by necessity, agencies rapidly scaled and secured their digital ecosystems to accommodate a newly remote workforce. Against this backdrop, significant cybersecurity hacks revealed continued vulnerabilities in the federal supply chain and state and local IT infrastructures.
Looking forward there is much work to be done. A new administration, new regulations and continued reliance on the cloud will shape public sector IT through 2021.
Brandon Norris
Cloud, Cloud Computing
Teresa Carlson, Vice President, AWS Public Sector held a leadership session, From complexity to clarity: The strategic value of AWS. Teresa’s breakout highlighted how crucial cloud technology has been for organizations. The AWS cloud provides the ability to respond quickly to the new reality brought on by the ongoing global crisis. Several AWS customers shared how they were able to solve some of the world’s most pressing challenges using the cloud. Furthermore, how they are driving impact around big ideas, discoveries, and turning points to solve some of the world’s largest challenges.
Zev Stern-Coder
Cloud Computing
This will be the first in what DLT intends to be an ongoing series of posts highlighting what our partners are building for the Public Sector using AWS.
The Challenge
A Global Service provider wanted a way to develop a messaging solution, to augment, marketing and sales teams for promoting events using a standard Calendar Invite.
Greg Hanchin
Cloud Computing
Before reading this month's Thought Light interview, we invite you to read about BMC's multi/hybrid cloud initiatives for federal government, click here.
What is BMC and how does it help the public sector?
DLT Solutions
Cloud Computing, DevSecOps, IT Infrastructure
Cloud governance shouldn’t be an afterthought. Indeed, it should be a foundational element of any cloud security strategy. Why? Because the cloud is enormous – it’s software, hardware, developer tools and platforms, and more. All delivered by a host of vendors.
DLT Solutions
Cloud, Cloud Computing
It has been 10 years since the U.S. government began warming to cloud computing, beginning with the federal Cloud First initiative in 2010 leading to today’s Cloud Smart strategy – a game plan for bringing processes and applications into a new hardware environment.But to take advantage full advantage of a cloud-driven ecosystem, the government must have more than just a cloud strategy. Agencies also need a data strategy.What is a cloud data strategy?
DLT Solutions
Uncategorized
Article originally posted on GovDesignHub here.
Autodesk University (AU) returns to Las Vegas from November 19-21 – and we have some good news. In addition to discounted conference passes now available on GSA Schedule, Autodesk Certification exams are back at AU 2019!
Caron Beesley
Uncategorized
By Mav Turner, VP, Product Management, SolarWinds
For federal IT pros, moving to a cloud environment is a “when” rather than an “if” proposition. From the government’s recently released Report on IT Modernization, calling for agencies to identify solutions to current barriers regarding agency cloud adoption, to the White House’s draft release of a new “Cloud Smart” policy, which updates the “Cloud First” policy introduced in 2010; cloud migration continues to be a priority.
DLT Solutions
Federal Fiscal Year End, Uncategorized
The old business adage runs, “Nothing happens until somebody sells something.” To which you might add this corollary: nothing good happens in the absence of strong requirements.
Brian Strosser
Cloud Computing, Cybersecurity
It’s often said that there are two types of organizations: those that have been hacked, and those that will be – turning the conversations around security breaches from ‘what if?’ to ‘when?’.
Isabella Jacobovitz
IT Perspective, Uncategorized
The latest data on the progress of federal government agencies’ implementation of the Federal Information Technology Acquisition Reform Act (FITARA) was released on June 26 by the House Oversight and Reform Committee as Scorecard 8.0.
Melissa Perez
Cloud Computing, Uncategorized
Key takeaways show how public sector customers are achieving more with cloud.
As cloud continues to transform the public sector, cloud has had its own metamorphosis: from a trendy buzz word to a catalyst for meaningful change, innovation, and more. Last month, AWS hosted its 10th annual AWS Public Sector Summit. The conference brought together more than 17,000 attendees for 2+ days of insights, sessions, and networking, and explored how cloud is fueling the public sector for a limitless future.
Recap
Isabella Jacobovitz
Cloud Computing, Uncategorized
Key takeaways show how public sector customers are achieving more with cloud.
As cloud continues to transform the public sector, cloud has had its own metamorphosis: from a trendy buzz word to a catalyst for meaningful change, innovation, and more. Last month, AWS hosted its 10th annual AWS Public Sector Summit. The conference brought together more than 17,000 attendees for 2+ days of insights, sessions, and networking, and explored how cloud is fueling the public sector for a limitless future.
Recap
Isabella Jacobovitz
Cloud Computing
The AWS Public Sector Summit is just around the corner. Part of a global series of summits, this year’s event in Washington, D.C. brings the public sector cloud community together to connect, collaborate, and learn about AWS. DLT will be exhibiting at the Summit this year with its technology vendors including AWS, Crowdstrike, NetApp, Quest, and more in booth #800.
DLT Solutions
Uncategorized
Many states' fiscal years are quickly coming to an end, and at DLT we’re committed to making the job of the procurement officer as easy as possible as they scramble to make smart and responsible purchasing decisions with remaining taxpayer dollars. Part of this process is raising awareness of what’s new in our extensive portfolio of IT solutions including big data and analysis, cloud, cybersecurity, application lifecycle, digital design, IT consolidation and management, and more.
Brian Strosser