Military and civilian agencies have long struggled to make the jump to cloud computing. Deciding on the right cloud approach and strategy that best aligns with their mission needs for today and tomorrow is no easy task. But more important, agencies continue to struggle with modernization efforts amid concerns about potential security gaps and vulnerabilities the cloud introduces.
“It’s a tricky balance. The reason why it’s tricky is because organizations rely on various IT and security architecture applications and legacy systems implemented for their specific mission support. Another challenge is that many agencies struggle with having so many tools, having an influx of data coming in from various logs across all these disparate legacy systems — and they don’t integrate well. They don’t talk to one another,” said LaLisha Hurt, public sector industry advisor at Splunk.
In its 2023 CISO Report, for example, Splunk found that chief information security officers identified that cloud applications and infrastructure have the biggest security coverage gaps across industries, with cloud impacting business services, healthcare and technology at 71%, 64% and 64% respectively. Cloud security impacts manufacturing at 64%.
To address that problem within DoD, the Pentagon awarded the multibillion-dollar Joint Warfighting Cloud Capability contract to establish a common and secure cloud infrastructure. Last year, Chief Information Officer John Sherman instructed the military services to prioritize JWCC for their cloud modernization efforts. So far, less than 2% of the $9 billion contract has been utilized as concerns around security linger.
Transferring to cloud, however, is essential to modernization efforts. Hurt noted that, in the end, it all goes back to the mission.
The California statewide automated welfare system, for instance, needed to ensure it delivered benefits for Californians in a highly secure and uninterrupted manner. The agency was able to replace three disparate legacy systems with one single cloud-based platform, which saved over $30 million in taxpayer dollars.
“While they also improved productivity and reduced risks, that’s really the mission that this particular entity was trying to solve for” — safe, consistent access to benefits,” Hurt said. “And I think it’s similar for other agencies. They have their mission, and they’re looking for help to deliver on that.”
No transformation happens without collaboration
Cloud transformation starts with a strategy and gaining the support of various stakeholders to deliver on the strategy.
“I know that sounds simple, but people want to jump to the capabilities or technologies. But what’s that strategy that you’re trying to align to? And do you have buy-in from not only your leadership but the people that are going to be implementing it — your employees — which I think is equally important,” Hurt said.
Determining the model will depend on each agency or organization’s unique mission needs and ensuring that the model can be scalable and increase as the demands grow.
“So many customers are going cloud only. Some remain on-prem for unique mission needs. And then there are others that actually operate in a hybrid environment,” Hurt said. “And I don’t think there’s a right or wrong approach, as long as it serves your business needs. And also, as long as it allows you to scale in the future. That’s important.”
She continued: “The other thing I would say is to take a risk-based approach and ensure you have a strong inventory of assets, systems and classification prior to the migration. You might find that everything does not necessarily need to go to the cloud.”
Splunk spends the most time with customers conducting business value assessments to understand the pros and cons of moving to the cloud versus staying on premise, Hurt said.
“It goes back to the mission. What are the things that are mission-critical to your agency? What are the things that you care about most? And where do you want to house them? And what levels of security do you want to put around them? That will dictate whether you keep things on prem versus move to cloud,” she said. “Where are you trying to gain and obtain more efficiencies?”
It’s also important to expand participation in these conversations and bring in “not only your cyber teams but your infrastructure teams, your chief technology officer, your chief information officer,” Hurt said. “It’s really a cross-functional effort that should be considered when you’re building that cloud strategy.”