Federal agencies’ early cloud integration efforts created access issues
Cloud integration has delivered major benefits for every federal agency that has embraced the technology. With the cloud, departments have become more agile and more efficient, and they've gained a host of new abilities in the process.
That being said, not all of the news surrounding federal adoption of cloud solutions has been positive. Missteps in regard to provider selection and implementation have caused a number of problems. Key among these is data access, as federal auditors and inspectors general recently reported.
As Sandra Jontz of Proquest highlighted, a number of government auditors and general counsel offices believe that they do not have sufficient access to their own data. In most cases, this information is stored on commercial cloud servers. While this in and of itself is not problematic, these issues arose because of miscommunications and a general lack of detailed planning prior to implementation.
"Unfortunately, I think there was a rush to the cloud for the federal government, and I don't think … all aspects of it were well thought out," said Chuck Coe, assistant inspector general for Information Technology Audits and Computer Crime Investigations at the Department of Education.
Specifically, Coe pointed out that cloud environments present a significant challenge for investigators not familiar with the technology.
"It's a virtual environment, and it's a little bit different than the typical data center that federal agencies are used to running and we're used to visiting and auditing and doing our cybercrime investigations," said Coe.
A recent report from the National Institute of Standards and Technology's Cloud Computing Forensic Science Working Group reached similar conclusions.
"The cloud exacerbates many technological, organizational and legal challenges already faced by digital forensics examiners. Several of these challenges, such as those associated with data replication, location transparency and multitenancy, are somewhat unique to cloud computing forensics," the report explained.
Aside from issues arising from a lack of cloud computing expertise, federal forensics teams and auditors have also run into problems due to the language used in agency cloud contracts.
To highlight this issue, Coe provided the example of an Education Department investigation from a few years ago, in which the agency's auditors needed to access a private data center's information.
"We had to subpoena them for that and it delayed our audit for a year," Coe explained. "The contract language did not flow down properly to give [the Education Department] the leverage needed. However, because of the IG Act, it gave us the ability to subpoena the company, and we ultimately won, but a year later. The moral of the story is it's better to have great contract language than it is to rely on the IG Act."
Again, this ties into the broader issue of federal missteps in regard to cloud integration. By failing to secure the ideal language in their cloud contracts, departments have created unnecessary challenges for themselves.
This recurring problem highlights the need for better cloud integration efforts throughout the federal government. To achieve this goal, third-party partnerships are likely essential. Third-party consulting firms have the resources and, critically, the expertise necessary to help agencies choose the ideal cloud computing arrangements for their specific needs and long-term goals. This includes both the tools themselves and the contracts concerning their use.
Furthermore, third-party consulting firms can help to ensure that the actual deployment of cloud solutions goes smoothly. This can speed up time-to-value and minimize the risk posed by cybersecurity threats. Considering the importance of securing agency data within cloud environments, this last point may be particularly critical.