The U.S. government's federal data center modernization plan had made major strides migrating infrastructure to the cloud, but a new study indicates there are significant security lapses around the effort.
The study, Heart of the Network: Data Center Defense, was conducted by MeriTalk, a government IT advocacy group based in Alexandria, Va. It surveyed 300 federal IT managers and found that 72% gave their agencies an "A" or "B" grade for their security efforts around data center modernization. Yet the majority of those IT managers said their agencies' efforts lacked key security components, particularly around cloud security.
For example, the survey, which was commissioned by network security vendor Palo Alto Networks Inc., revealed that approximately 70% of IT managers had no mobile device management program, network segmentation plan or automated security information correlation systems for their cloud infrastructure. Similarly, nearly 70% said their cloud infrastructure lacked basic intrusion detection and intrusion prevention systems, while 65% said they had no endpoint security management.
Those numbers show a stark disconnect between federal IT managers who graded themselves highly for their security efforts while their systems lack fundamental security controls. At the same time, the survey showed that security was a high priority for the federal IT managers; 67% expressed concerns about security throughout the data center modernization process. When asked about specific phases of the modernization effort, such as server consolidation and virtualization, the two biggest concerns cited by the IT managers were cloud migration to public and hybrid clouds at 74% and 77%, respectively.
Rick Howard, chief security officer at Santa Clara, Calif.-based Palo Alto Networks, said he isn't surprised that federal agencies are missing key security components for their cloud migration efforts, for two reasons.
One reason, Howard said, is that the government is behind the technology adoption curve, so it's hardly surprising, for example, that agencies don't have proper MDM systems in place.
"I think the federal government has generally been about 10 years behind the private sector in terms of adopting new technology," Howard said. "Some agencies don't allow mobile devices at all, and some are just beginning to dip their toes in mobile and BYOD."
Another reason, Howard said, is that many agencies and departments expect their cloud-service providers to cover the cloud perimeter defenses for them. While that's not the best strategy, Howard said the federal government's IT budget has been strapped in recent years, and most agencies don't have the money to spend on an assortment of security products and services.
While the U.S. federal budget projects to spend $65 billion on cybersecurity over the next five years, Howard said the federal government is huge and that seemingly large dollar amount will get used up very quickly. "First-tier agencies like the Department of Defense and other intelligence agencies are certainly going to do more around cybersecurity," he said. "But many second tier agencies and departments don't have the resources to purchase and manage all of the security layers they need."
Security advantages in the cloud
When it comes to security, the federal government's move to the cloud isn't all bad news. Just as IaaS offers cost savings and management benefits, Howard said, leveraging products such as cloud-based antimalware and network scanning can offer similar benefits to those agencies with limited resources and budgets.
"I do think it's a good idea for agencies to look at cloud-security products," Howard said. "There are advantages to having your security controls be in the cloud as well."
To that end, a recent survey of 150 federal IT decision makers from government research firm Market Connections Inc., in Chantilly, Va., showed that 64% of respondents cited secure infrastructure as a top benefit of cloud computing. In addition, 31% of respondents said the improved security of the cloud was a key driver of cloud adoption. Damian Whitham, senior director of cloud computing at Fairfax, Va.-based General Dynamics Information Technology, which commissioned the study, said he believes federal agencies generally feel more comfortable moving to cloud, thanks to improved security.
"We're seeing federal government move more mission-essential applications and data to the cloud," Whitham said. "There's more acceptance today about moving to the cloud. You can gain more security visibility in standardized cloud environments, and it's also easy to roll out software patches, so there are a lot of benefits."
Jeff Sessions, senior vice president of corporate strategy at Red River, a government-focused solution provider based in Claremont, N.H., said some security challenges and oversights were to be expected with the federal data center modernization effort.
"It's such a huge undertaking," Sessions said, "that there's bound to be issues with it."
But Sessions said a move to the cloud will ultimately bring better security and functionality to the federal government's IT operations. "I'm very bullish about it," Sessions said. "It's not all roses, obviously. There are cybersecurity threats and budget constraints, but there's also been a current of change with how the government uses technology and how much quicker agencies are adopting it, so I'm very optimistic."