It's 2015. Do you know where your data is?

As the end-of-fiscal-year spending spree – the one federal CIO Tony Scott recently called “horrible” and “frivolous” – approaches, agencies might be well served by taking a step back and considering IT’s central, oft-overlooked questions:

Where’s my data?

Who’s accessing it?

And how?

Get off of my cloud, maybe

“The biggest issue that everybody’s trying to get their hands around is, ‘What do we really have?’” said Brian Houston, vice president of engineering at Hitachi Data Systems Federal, speaking of federal agencies and the cloud.

For years, the federal cloud conversation was all about getting agencies to make the leap, but now, Houston said, the conversation is starting to take the opposite tack.

“The early adopters are now looking back at it” and rethinking costs of being fully cloud deployed, Houston said. “They’re starting to pull back a little bit,” Houston added, because, “not everything needs to be in the cloud from a cost justification.”

Security is one part of the equation; “cost analysis” is another.

On-premises data storage might make more sense for highly sensitive data, as well as for high activity data that agencies are frequently accessing and modifying.

“It’s a multifaceted approach with everything,” Houston said. “It’s not just putting the data out there and letting it sit.”

Put “the wrong data up in the cloud,” Houston noted, and agencies could see costs and breach risks spike.

Houston stressed the value of analytics applied to a virtualized environment – such as Hitachi offers – in helping agencies understand the specifics of their data situation.

“’What data needs to be where, and how am I accessing that data?’ is really the future I see in federal agencies,” Houston said.

Think through mobile

As agencies have surged to the cloud, they’ve let mobile languish – and that’s a whole other data-centered problem.

A recent survey of more than 1,000 feds, conducted by mobile security firm Lookout, found that nearly half of the federal employees were skirting official rules and using personal smartphones for work. Seven percent of surveyed feds said they were using jailbroken devices, and 24 percent had downloaded apps from non-sanctioned app stores.

“I don’t know that they understand the risk that that represents,” Bob Stevens, Lookout’s vice president of federal, said of the rule-breaking feds. “It makes their job easier. It’s about productivity.”

Agencies could cut down on the threat posed by the “shadow BYOD” phenomenon – Lookout reported an annual rate of 110 serious mobile threat encounters per 1,000 federal devices – with vigorous, clearly defined mobile strategies, Stevens said, but so far they’re not.

“The unfortunate thing is, mobile doesn’t seem to be priority for them,” Stevens said. “There hasn’t been a breach yet – or one that they know about,” so priorities fall elsewhere. But that’s a faulty perspective, Stevens said. “How do you know that your credentials weren’t stolen off your mobile device and used to gain access [during a breach]?” he asked.

Ultimately, the question comes back to data.

“It is all about the data and how to protect the data,” Stevens said. “Agencies need to understand where their data is at any given time and who’s accessing that data.”

Employees have sent a loud-and-clear signal that they will use smartphones to get their jobs done, but without the right guidance and leadership, those mobile devices will become a dark spot in a broadening attack surface, Stevens argued.

With the right oversight and tools, even jailbroken devices could be used to get government work done.

“I think a jailbroken device is fine as long as you’ve got the tools to understand what’s going on on that device at all times,” Stevens said, calling for a “defense in depth strategy.”

As sequester prospects loom, agencies may be ramping up their September spending even more than usual. Scott and Stevens both take a dim view of such rushed spending, given that much of it will likely go toward supporting outdated systems instead of funding modern security tools the feds need to keep tabs on their data.

“I don’t know why the government is so reluctant to turn old systems off … and replace them with new systems,” Stevens said.

He had one idea: “They like to hit the easy button.”