The United States administration announced the "Cloud First" initiative in 2011. That was just two years after Gartner formally listed cloud computing as a leading IT trend, and five years after the first large-scale commercial cloud offering, Amazon's Elastic Compute Cloud. The United States government, generally considered bureaucratic, hesitant towards trends and late to adopt new technologies, became a pioneer of cloud services adoption.
However, the "Federal Innovation" battle is still being waged years later, and federal cloud adoption is riddled with challenges. Slow procurement of services is a common fault of the federal, state, defense and similar sectors. Cloud services, which did not fit well into the known frameworks and models of IT services, proved hard to adopt. The shared responsibility model, under which the provider secures the underlying platform and the customer secures what it deploys on it, could not have come early enough, because the cloud demanded a change in mindset and procedures. Who is responsible for security? Who is in charge of operations?
Security concerns stemming from the unique consumption and deployment models of cloud services, and from their underlying technologies (multi-tenancy, virtualization, provider-operated infrastructure), introduced new risks and questions: are the standard controls for federal IT systems adequate? Are they even applicable? How is shared risk managed?
Defense Sector in the Cloud
Regulatory barriers were first overcome by civilian agencies, which found it easiest to adopt public and hybrid cloud services, though NIST security frameworks still had to be met. Federal and defense agencies are more tightly regulated: the security verification levels mandated by DISA and FedRAMP, together with STIGs (Security Technical Implementation Guides), added further complexity. Neither was well suited to the new models, risks and technologies in the scope of the cloud mandate, and iterative and uncoordinated adoption efforts incurred costs and delays.
In the past couple of years, the affair has evolved into a relationship. 2016 saw a major leap in cloud adoption by government agencies, and in 2017 even the defense sector adopted full-blown commercial cloud offerings. Timidly and in an orderly fashion, but surely. While the initial 2011 "Cloud First" statement was daring, at the time there were more naysayers and challenges than solutions. Since then, many federal agencies and other government and defense organizations have come to enjoy what cloud services have to offer.
The CIA's Commercial Cloud Services (C2S) are AWS secure cloud services in continuous development and use since 2013. They are used by 17 intelligence-related agencies under a contract valued at $600 million. The introduction of C2S served as a tipping point for many hesitant adopters: the consensus was that if these services are secure enough for the CIA, they are probably secure enough for "the rest of us." The CIA uses C2S to provide and manage applications (PaaS) and servers (IaaS), likely among other services, and other intelligence agencies consume IT services through C2S as well.
The NSA built its own secure cloud (GovCloud, based on open-source software such as OpenStack and Apache Hadoop) from scratch. Soon after, other agencies teamed up to consolidate IT infrastructure and services: the National Geospatial-Intelligence Agency (NGA), the National Reconnaissance Office (NRO) and the Defense Intelligence Agency (DIA) divided up the responsibilities and costs. The agencies won not only on cost savings but also on cross-agency productivity, as information and services became considerably more available. The NSA employs GovCloud for computing and analysis, and also offers it as a service to other intelligence agencies.
The US Army is using IBM hybrid cloud computing services to bolster the services provided by its Logistics Support Activity, first with IaaS, later PaaS and now SaaS. Earlier, private cloud implementations supported real-time processing of intelligence imagery. The United States Transportation Command has only recently begun to adopt commercial cloud services, a first for a US military organization.
The US Department of Transportation, as well as other departments, is migrating to Microsoft Office 365 productivity services, chiefly email. Google productivity apps for government have been adopted by departments and agencies in 44 states. The Department of Defense has had experience with AWS government cloud, but the latest development, Azure being authorized at DoD Impact Level 5, shows strong competition.
Pre-approved cloud service providers, integrators and services were designated to support the rising adoption of cloud computing by federal and defense organizations.
As for the Israeli security forces, the IDF has completed the implementation of private cloud computing infrastructure (disclosed in 2016) to provide IT services for its most technology-intensive forces, the Air Force and the Military Intelligence Directorate.
Enabling federal cloud adoption was, and still is, critical to the federal embrace of cloud services. The White House realized it needed better, cheaper and faster computing services, and the way to achieve that was cloud computing. Even so, the road to the desired state was long and required considerable effort and resources from both the government and the service providers, even before any contracts were signed.
Several factors must be considered in the federal embrace of cloud services. The first is strategy. The 2011 administration mandate set in motion a slow avalanche: agencies and even military organizations followed suit with their own programs and strategies for reaping cloud benefits. The US Department of Defense, for example, is in the midst of upgrading its cloud strategy. Without a strong lead strategy and an explicit mandate, little can be achieved at such scale.
Secondly, cooperation is key. Cooperation between the federal IT agencies, regulators such as DISA and NIST, leading security agencies like the NSA, vendors, and non-profits like MITRE provided plenty of drive and several breakthroughs in security. Research, frameworks, solutions, and tailored cloud technology and services, at times built from scratch, enabled adoption despite the primary showstopper: information security.
Regulation is another important factor. Regulation and frameworks need not serve only to protect the public interest; they can also enable adoption, and federal cloud computing is an exemplary case. The Federal Risk and Authorization Management Program (FedRAMP) standardizes security requirements and actually assists procurement, as expectations are predefined and cloud-specific authorization is available. Note that a FedRAMP authorization covers the provider's side of the shared responsibility model; the adopting agency remains accountable for the controls on its own side (identities, data, configuration of the services it consumes). The General Services Administration's (GSA's) Federal Cloud Computing Initiative helps lay the ground for a common language of cloud computing.
The Israeli case is a decentralized dynamic in which every government agency or ministry manages its own IT assets. In April 2017, the National Cyber Security Authority (NCSA), which operates under the Prime Minister's Office, published the "Corporate Defense Methodology" framework and the "Use of Cloud Services – Addendum to the Cyber Defense Methodology for an Organization." In these, the NCSA calls for a formal cloud policy for both the public and the private sectors. In response, the Banking, Capital Markets and Insurance directorates at the Ministry of Finance released cloud security orders to ensure compliance by their constituencies.
In conclusion, the US administrations, with the help of the Federal CIO Council, came to understand the pressing need for better, faster and cheaper IT. A proper strategy drove a comprehensive effort in cloud adoption, as all involved labored to enable secure and well-regulated adoption of cloud services in federal US agencies. This process deserves close study, and emulation, by governments and defense agencies worldwide that can benefit from cloud services in IT. Take the initiative, engage in the conversation, and work out how cloud computing can make government better and even more secure.
Alex Getsin is a Security Architect at CyberInt. Ofir Eitan, a cybersecurity leader, contributed to this article