Government cloud adoption efforts lag as security concerns persist

Half a decade into the cloud-first initiative, adoption in the federal government continues to be way behind schedule mostly due to security concerns. Vendors argue that those concerns are exaggerated.

When the Obama administration's CIO declared that the government would move to a cloud-first policy for its technology procurements, it was sending a clear message that agencies would be expected to modernize their IT shops.

But five years later, that transition still seems like it's in its early stages, according to Mark Kneidinger, director of the Federal Network Resilience Division at the Department of Homeland Security.

 "In 2015 many agencies are still using cloud computing similar to 2010," Kneidinger observed during a recent field hearing members of the House Oversight and Government Reform Committee held in San Antonio.Many of the applications that agencies have shifted to the cloud might be considered commodity IT, such as email or collaboration tools that CIOs sometime describe as the low-hanging fruit -- functions that can be moved to the cloud with relative ease and minimal disruption.

But agencies have been far slower to migrate more elaborate, mission-oriented systems, and legacy IT remains in widespread use throughout the government.

Rep. Will Hurd (R-Texas), the chair of the oversight committee's subcommittee on IT, notes the government's estimate that of the roughly $80 billion the government spends on technology each year, 80 percent goes to the maintenance of legacy systems.

"Legacy systems are expensive to maintain and often make sensitive information vulnerable to cyberattacks," Hurd says. "The Labor Department has a 30-year-old system developed by people who are now all dead. They had to resort to looking for old parts on eBay."

He recalls the recent hack of the Office of Personnel Management, a massive breach that compromised the records of more than 21 million current, former and prospective government employees and contractors, which was widely suspected to be the work of Chinese. Hurd suggests that OPM's reliance on aging technology left the agency vulnerable to attackers."The chief information officer of the Office of Personnel Management actually came before our committee and argued that the antiquated COBOL mainframe IT system at OPM was a cybersecurity asset," Hurd says. "The Chinese government disagreed."

Security remains top obstacle for federal CIOs

There are any number of barriers that have kept government CIOs from a broader adoption of cloud technology, including budget and contracting considerations, the decentralized nature of technology across departments, agencies, sub-agencies and bureaus, and the cultural resistance to a new model of IT. But one of the most enduring obstacles has been the lingering concerns about the security of the cloud. And despite the establishment of a formal review standard for cloud technologies in the form of FedRAMP, Kneidinger notes that security issues persist.

"There continues to be a lack of consensus by the agencies with their cloud service providers as to how effectively to measure, monitor and evaluate security in a cloud environment," he says.Cloud vendors, who were represented at the hearing by executives with Amazon, Rackspace and VMware, are only too eager to defend their security posture, and cheerfully support Hurd's view that the cloud offers a better security proposition than many agencies can muster in-house.

"I think what you immediately gain by working with any one of the cloud providers here and a number of other companies out there in the market is the level of sophistication that they've had to grow into and maintain to continue to operate on the Internet today," says John Engates, CTO at Rackspace. "To be a player in the cloud you really, literally have to defend against some of the most sophisticated attacks on the planet on a regular basis, and so you get really good at it, and I think those are benefits that could be immediately gained by the use of cloud computing."

Similarly, Alan Boissy, product line manager for VMware's vCloud Government Service, argues that the cloud can actually help ease the burden on federal security workers by consolidating the systems they are tasked with protecting into a centralized environment with fewer entry points."It's true, absolutely, the cloud is not a panacea," Boissy says. "You still have to build and run secure systems using a cloud platform, but the advantage is that you greatly reduce the surface area of concerns that your security professionals need to focus on, so they now have maybe half the problems that they used to worry about. Now they worry about that reduced amount and their focus and hopefully their execution on that can be that much better."