Cloud after COVID

More than a year of pandemic operations has altered government’s view of cloud-centric modernization

The past 15 months have cemented the importance of moving employee- and customer-facing systems to the cloud, but many agencies are still far from that desired end state. In some cases, budget and leadership buy-in remain insufficient, and the challenges of moving to zero trust security loom for virtually every organization.

FCW recently gathered a group of IT leaders to explore how a year of maximum telework and nearly all-digital operations has altered the role cloud services play in supporting agency missions. The discussion was on the record but not for individual attribution (see below for the list of participants), and the quotes have been edited for length and clarity. Here’s what the group had to say.

Collaboration is a game changer

Perhaps the biggest change participants noted was the way cloud collaboration tools took hold. “We’ve taken advantage of a lot of the collaboration apps that are available in cloud platforms,” an official from a smaller agency said. “We hadn’t anticipated needing those so badly.”

FCW Perspectives

Participants

Les Benito
Director of Operations, Cloud Computing Program Office, Department of Defense

Simone Gills
Customer Engagement Manager, National Technical Information Service

Chuck Grindle
Leader, SLG AWS Digital Government, Worldwide Public Sector, Amazon Web Services

Allison McCall
Acting CIO, National Technical Information Service

Dovarius Peoples
CIO/G-6, Army Corps of Engineers

Paul Puckett III
Chief, Enterprise Cloud Management Office, Department of the Army

Sagar Samant
Associate CIO for Acquisition IT Services, General Services Administration

James Yeager
Vice President, Public Sector, CrowdStrike

Note: FCW Editor-in-Chief Troy K. Schneider led the roundtable discussion. The June 8 gathering was underwritten by CrowdStrike and Amazon Web Services, but both the substance of the discussion and the recap on these pages are strictly editorial products. Neither the sponsors nor any of the roundtable participants had input beyond their June 8 comments.

The embrace of new services also jump-started work on existing systems. “Other collaboration tools where work kind of stagnated throughout the years all of a sudden are getting pushed to the forefront,” an executive from a larger agency said, adding that the challenge now is “how do we connect them all to make sure that they continue to give us the capabilities we need?”

“There’s no doubt that COVID significantly changed how we do business across the enterprise,” another participant said. “The ability to collaborate was a game changer. And I think we let the genie out of the bottle. So now we have folks who never had the ability to collaborate the way they can today expecting that going forward for everything.”

The biggest collaboration example was Commercial Virtual Remote — the Defense Department’s emergency deployment of Microsoft Teams for all of DOD. At the time of the roundtable discussion, CVR was just days away from shutting down in favor of permanent, service-specific tenancies. Across DOD and in civilian agencies, the new expectation “is that that’s the way we are going to work,” one official said. “So how do we keep that?”

Improving identity, credential and access management will be essential, another participant said, especially with military personnel moving to multiple systems. “Being able to bring folks into the collaboration space easily — identity is the key,” he said. “So we need to make sure that we do it right, but we have to move quickly on it because the expectation is that if we don’t, they’re going to call in two weeks and say, ‘Turn CVR back on.’”

The virtualized work environment has brought other complications. One executive recalled hosting a call to discuss security concerns with a broad range of stakeholders. More than 100 participants called or logged into the platform, and the organizers quickly realized there was no way to easily identify the callers. Unable to map names to phone numbers, “we just decided to kill the call.”

The lesson is that “these types of communication platforms are going to be leveraged, and there are some new challenges relative to boundaries and security controls that we now need to examine further,” the participant said.

“I think the key for everyone is really thinking about the user story,” another official said. “Who are the users who have to be able to access these vital systems to do their jobs? How difficult are you going to make it for them? If you make it too difficult, guess what? They’re going to find other ways that are not secure to do the same thing. You’re forcing them to do it in an insecure way because you’re making it so hard that it just doesn’t work.”

Making sense of the security challenges

Another official said: “We really need to think about the security and the things we were doing around that to make sure that we can keep doing that in a secure, safe way, but at the same time maximize some of the traction that we’ve made in this last year.”

Zero trust security will be an increasingly important part of those efforts, the group agreed. There is a buzzword factor at work, one said, “but the reality is that we should be able to work in an environment where people can get to the tools they need however they can but in a secure way. And we’ve seen a lot of this shift. Whether it’s development or whether it’s deployment, all these things are now moving out into the cloud and to the edge. And I think that COVID kind of forced that.”

“You’ve got to think in terms of securing our edges, and that has created a huge paradigm shift,” another official said. “We were thinking about that already, but now it just became a norm.”

A third participant pointed to “a bit of a dichotomy”: Government leaders have realized that “accessible online services were absolutely critical,” but maximum telework also “opened everyone’s eyes to what we actually mean when we talk about things being secure — not just being planned or being documented, but actually truly understanding about people, about identity, about devices because now we’re forced to work in this distributed world.”

Getting traction on such topics was difficult before the pandemic, that official added, “because sometimes we’re speaking to people who don’t feel the pain. But now people’s eyes have been opened.”

The complexity of securing so many different services also poses challenges, other participants said. “It is really important to understand the roles and responsibilities of the service provider and the customer,” one said. “There are lots of service-level agreements out there.”

Several officials, however, argued that the biggest friction point involves authorization and accreditation. “You’ve got folks who are really forward-leaning on the development side, building and then deploying into the cloud,” one said. “But when it comes time for the accreditation, we’ve seen that around the department, they don’t fully understand, and they’re trying to fit the old rule set into the new technology. It doesn’t fit.”

A continuously monitored authority to operate (ATO) is “the north star,” another official said. “That’s what everybody wants, but to get there, just look at the way we describe the state right now. Yes, we want to approach it as an ecosystem. No, we don’t want to sacrifice the user experience or customer experience. Yes, we want to be 100% secure. All these things kind of contradict each other, but you want to get to that nirvana.”

The problem is not cloud systems per se, another official said. “Whenever I hear about continuous ATO and people lamenting the accreditation process, I still feel like people aren’t focusing where the focus needs to be, which is the way we’ve organized ourselves. We don’t incentivize our program officers to change requirements on the fly. And we talk about bringing security on early and often, but do you have the teams with the skill sets that actually have the time to be part of your process early and often? As you iterate capabilities, do they have the time or even the context to support you? And the answer for most is no.”

In other words, that official said: “We haven’t organized ourselves around how we actually want to function as an organization by continuously building, continuously monitoring and continuously enhancing our software capabilities. I still feel like that’s the major limiting factor for most organizations in this domain.”

COVID as catalyst for leadership buy-in?

The pandemic pushed daily operations into the cloud like never before, and agency leaders have taken notice, participants said. One described meeting “every two weeks with every single three-star and a few four-stars to talk about our digital modernization strategies and how we’re moving forward. It started about three months prior to COVID kicking off, but COVID was almost like gasoline on that fire of top cover for senior leaders — or at the very least creating room for the discussion.”

Another official pointed to the ultimate indicator of leaders’ interest. They wanted to know: “Where did we spend our money?” The funds distributed under the Coronavirus Aid, Relief and Economic Security Act were “about increasing the capacity of compute or about the security. We were already good at security. But I think now we are more into baked-in security.”

“Sometimes you get those moments where the light bulbs go off and they create room for actually solving the problem,” said another official, whose agency had made clear “that we will actively reprioritize fiscal 2022 funding in order to align with our digital modernization and data and cloud modernization initiatives. All options are on the table.”

“There’s an opportunity for us to correct a lot of the technical debt that we’ve incurred over a number of years,” another executive said, “because people in positions of leadership are now realizing that our digital infrastructure is a major limiting factor for us to be able to move forward.”

Getting the culture changes to stick

Although top-level support for continued cloud modernization is fairly widespread, the group voiced concerns about their agencies reverting to old habits.

“I’m starting to see examples of us falling back into our old ways of doing business,” one said. When it comes to enterprise with a capital E, “people are starting to say, ‘Oh, let’s lock all these things down’ — meaning it has to be government owned. Everything has to be on the government network.”

That participant added that “one of the things we’re going to learn kind of dramatically this year is that if we don’t design based on the user and make a positive, enjoyable and awesome customer experience, people are just going to do their own thing anyway, which creates more risk for us.”
