FCW convened a slew of IT and data leaders from across DOD and civilian agencies this week to discuss cloud environments and governance for mission systems. As government moves past the fundamental question of whether to migrate to the cloud and even past the more straightforward “lift and shift” motions of migrating email, agencies are now facing more complex transitions, and with them, complex challenges.
As well, IT decision-makers are tackling critical questions, including the best way to manage access and identity, how to implement clear guidelines for managing multi-cloud environments, how to best leverage and secure data across systems, and more.
Security, too, remains a paramount concern despite tools like the FedRAMP authorization process and the new TIC 3 policy – especially in the “new normal” of ubiquitous remote work and a workforce that depends on (expects, in fact) more and more functionality from mobile devices for remote access anytime, anywhere.
A number of best practices and recommendations emerged across sessions – a list of imperatives to ensuring mission capability and security within complex cloud migrations and environments. We’ve aggregated them here.
Understand that modernization doesn’t just mean IT
Modernization and a successful path to cloud deployments and management depend on a refreshed way of looking at collaboration. The three key inputs to collaboration that lead to positive outcomes are people, policy, and pipes – meaning that stakeholders, policies and IT infrastructure (pipes) must be aligned in service of the same set of outcomes to ensure organizational success.
Consider decoupling software capabilities from hardware
In instances when an agency is expected to both develop the hardware and software that comprise a system, as is frequently the case within the Department of Defense (think: weapons systems), separating the two is key to enabling the delivery of new functionality to a fixed or legacy platform. This enables the ability to be agile and deliver small amounts of capability into production more quickly, without having to make changes to the fixed (often legacy) platform.
Embrace agile, finally
Already common practice in commercial software development, agile – the ability to push incremental capabilities into production rapidly – is becoming a “must” in order to deliver mission outcomes within cloud environments. This ability to deploy early and iterate quickly means a swifter process from testing to outcomes, but it requires calibration of process methodology and a DNA change to agency culture of test, test, test before the push. Adopting agile team tactics, like daily scrums to check in and create visibility about the products different teams are delivering, is a good first step.
Temper lofty expectations of data out of the gate
Once data stands at the ready to be pulled down and shared on command from the cloud, agencies need to know what they want to do with it. Don’t expect that just because you now have on-demand access to data that used to be siloed and inaccessible, you can now “plug” (or pull-down) and play. Two things must happen in tandem – a discussion that defines what the organization’s goals for its data are and a concerted effort to understand where your agency’s data is as well as organizing and tagging it in a way that makes sense for all stakeholder groups.
Next, remember that the biggest challenge to broader sharing of data across the enterprise is security – defining where security protocols lie, implementing new postures and guidelines, and more. New security programs necessitated by the cloud look different for every agency. Some may find the securing data at its source may work best; others may turn to securing it at its destination. Some may decide it makes the most sense to avoid bringing classified data into cloud environments at all.
Lean (forward) into new security methodologies
Zero Trust and identity protection are critical to ensuring security in the cloud. Remember: cloud is not inherently more secure, as many believe. That said, there are also a lot of security capabilities included in cloud products that should be leveraged.
And, utilizing cloud solutions that have gone through rigorous federal authorization programs like FedRAMP can help ensure that security postures are (as the old adage goes) “built-in, not bolted on.”
The overall message from the summit was clear: cloud policy, strategy, and IT culture must be aligned with the mission. That is the best way to ensure that the cloud infrastructure is built in a way that meets the needs of stakeholders across the organization and delivers on mission-specific outcomes.
Maximus provides the market’s most robust FedRAMP-authorized cloud contact center platform through our partnership with Genesys. Learn more about the Maximus Genesys Engagement Platform.