Page 61 - FCW, October 2017

quences of an [Amazon] or a Microsoft or a Google having a breach of the government’s data is a huge hit on their market share,” one said. “I’m not going to say that market alignment is going to solve all the problems, but I’m saying in this instance we have a rare case where our vendors are aligned existentially with us on this.”
That view was not universally held, however. Several participants said that although the large-scale cloud infrastructure providers have security well covered, the situation is much more uneven in the exploding universe of software-as-a-service offerings. One recounted a SaaS provider that had 150 known problems with meeting various federal security controls.
“We’re a little hesitant in putting anything sensitive in that environment,” the executive quipped.
Others agreed that SaaS providers were still evolving toward government-grade security. “We’re all about SaaS as the way of the future,” one CIO said, “but we had to evaluate certain things, and say, ‘Our agency will not use a certain SaaS application until it reaches that mark.’”
As efforts such as the Federal Risk and Authorization Management Program’s Tailored initiative attempt to address SaaS challenges, there was general consensus among participants that agencies must do a better job of determining what controls really matter to them.
“I would bet that most of us can’t [say], ‘Those are the controls that matter most for my data or for my environment,’” one participant said.
Another added that agencies should start sharing their control sets through FedRAMP rather than simply sharing the authority to operate. That approach would enable agencies to make smarter choices about existing ATOs and better answer questions their inspectors general pose about cloud security.
Even though security controls and service-level agreements continue to improve, the group said, it’s critical for agencies to understand and embrace their own security obligations.
“As my mission partners move their applications into those environments, we are still responsible for ensuring the applications meet all the security requirements necessary for our data,” one executive said. “There’s this fire-and-forget mentality that some people have. ‘Oh, I’m going to move my stuff to the cloud, and I’m done.’ It doesn’t work like that.”
Are infrastructure and services inherently governmental functions?
Several participants said the question of who is responsible for which security obligations is part of a larger debate about just how much IT agencies should own.
“I’m spending my money on the wrong things,” one executive said. “If I own all this hardware, I’m spending my time on operational thinking, making sure that stuff is up and running.”
It’s nearly impossible for IT leaders to think strategically and be a true mission partner “if you own stuff,” he added. “If you own the hardware, if you’re running the data center — I would even argue if you were running [infrastructure as a service] — you can’t divorce yourself from that.”
Multiple participants said that by taking away much of the responsibility for operations, cloud technology enables them to work on the right problems.
“We need to get back to remembering why we are here,” one executive said. “As a government organization, we are not here to replicate what commercial industry can do — and frankly can do better. We need to get back to the premise of we’re here to deliver services to citizens.”