ZDNet's Jason Hiner spoke with Katie Lewin, Federal Director of Cloud Security Alliance at this year's RSA Conference.
Watch their conversation in the video above, or read the transcript below:
Jason Hiner: Welcome back to RSAC TV. I'm Jason Hiner with ZDNet and TechRepublic and with me I've got another special guest, Katie Lewin. Katie, why don't you introduce yourself, talk a little bit about what you do?
Katie Lewin: Hi everyone, I am Katie Lewin, I'm the Federal Director of the Cloud Security Alliance, which is a nonprofit, vendor-neutral association of cloud service providers. Our focus is to address and improve the ability to keep the cloud secure both in government and in the private sector.
Before that, I was the first director of the Federal Cloud Security Program, and as that I implemented FedRAMP, so I have many fans and many people that are maybe not such big fans. I also did the data center consolidation project, which resulted in a lot of federal government agencies consolidating their data centers from some 6000 to, I think, they're under 2000 now.
Jason Hiner: Awesome.
Katie Lewin: Yeah.
Jason Hiner: Big project.
Katie Lewin: Yes. It was very interesting.
Jason Hiner: Let's talk a little bit about cloud security, stay in cloud security because when we go back a decade there was a lot of this fear of, "I don't want to go to the cloud, it's not secure. I'll lose control," and that's migrated to almost completely the opposite now where it's like, "If I put it in the cloud I don't have to worry about it. They've got it under control." The reality is somewhere in between, right?
Katie Lewin: Yes.
Jason Hiner: Talk about the approach that when companies are going to the cloud the best practices. What are the really smart companies doing as they think about, okay, now we are migrating actual federal data from here to the cloud?
Katie Lewin: As I said before, to you, my perspective's going to be the federal government because that's what I know the most about. I was either in the federal government as an actual employee or a consultant to them for many years. The first mandate to move to the cloud was in 2011 when OMB issued this memo, which is almost the same as a directive and it says, "You will do this or if you don't you have to tell us why," and since OMB controls the money it's pretty serious. Their mandate was if you, federal agency, are going to develop a new system you have to justify why you would not put it in the cloud. That was a big push to agencies taking it seriously. Of course, everyone did the right thing, which is start with the data that needs the least security. They did a lot of customer facing informational websites, things like that. Then, they still had to continue modernizing and then they would go into mission-critical systems.
Right now, I think, we're at a crux where agencies are starting to realize that they can't just do the low hanging fruit anymore, but in fact they have to start moving legacy mission-critical systems to the cloud. What would you do? I'll answer that question, but on two points, what the feds do and then what the companies do.
The federal government has begun to get that the way to procure cloud services is not in a traditional contract. They have performance goals or performance levels that companies have to meet, so it's not the same as describing every single thing that a company has to do, but in fact do it your way but you have to meet these performance goals, that's number one. The next thing is that they have to ... it just went out of my head. They have to meet security, so the federal government uses a thing called FISMA, which is a federal law.
Then, there's a methodology called FedRAMP that's applicable to all federal agencies and it's drawn from FISMA. Companies, before they get certified to offer cloud services at any level in the stack, have to be FedRAMP certified, which means that they have to address some 300 controls. It doesn't mean they have to implement all those controls, but if they're not going to they have to say why they're willing to accept and/or mitigate the risk. Those are the two things that the feds have done and, of course, they've done a lot of training and getting to know what cloud really means.
On the procurement side I think it's still rocky because payment by the drink is not the way the federal government is used to buying services, however, that's also coming along. That, I think, is doing well. Then, on the company side, it was also a big adjustment so, again, this is for federal agencies, but you have to meet these performance standards as opposed to just saying, "It'll be fine, we'll get back to you," number one. Number two, in several cloud service providers they had to really set up a federal cloud because, for security reasons, they didn't want their data, the feds didn't want their data bouncing all around the world for obvious reasons. While that may cut down on some of the benefits because it's not super efficient where you can get the best cost at any one time, however, it's much better for security purposes.
I agree with you, I think right now agencies are at the cusp where they're being forced or strongly encouraged by money, which is one of the things that is a motivator, to move things to the cloud.
Jason Hiner: We've seen in the private sector where companies have moved to the cloud and they have this expectation that it was going to be cheaper and, in fact, it was either the same or, in some cases, even more expensive. You talked about the paying by the drink scenario, have federal agencies discovered this as well, that their costs actually went up in some cases when they moved to the cloud?
Katie Lewin: I would say yes in that their investment to migrate to the cloud is probably ... it's an investment. If you took the long term return on investment you would probably see that it was less costly to use the cloud. However, that's hard to justify when you're up for a budget request and it shows that the cost of operating your legacy system is going to go up by a certain percent. I think, now that there is a base for comparison it probably is an easier sell. There also are other issues to moving to the cloud in addition to the cost.
It's a different way of doing business. You asked me what are best practices? One of the things that agencies should do is look at their business processes, like how do those work? Are we just going to automate the same legacy system? Or, should in fact, we think about other efficiencies, processes, whatever that will be more efficient regardless of the cloud?
Jason Hiner: Some government agencies are notorious for running very outdated systems for a very, very long time. Is moving to the cloud mitigating some of that because now they are forced to essentially be on an update cycle? Or sometimes the updates come automatically, that kind of thing. Is this solving or helping to solve that sort of long-term problem?
Katie Lewin: I would say yes and no. I used to work at the IRS and they have some systems that are very old and it's really to their credit that they've been able to keep them functioning so well. When you think about it, the tax code, not every year there's this big tax legislation like we had this year, but certainly there are changes every year. They've been able to maintain their systems to administer the tax code however it changes. Some of their code, I believe, is still written in COBOL.
Jason Hiner: Wow.
Katie Lewin: I know.
Jason Hiner: Yeah.
Katie Lewin: That's pretty amazing that they're able to meet the services that they're supposed to provide. I would say to you that that's going to require ... They're doing it, I think, in a phased way, so that they do some stuff, but then they have to integrate it into the legacy system.
The answer to your question is, yes, if you're building a new system you're in good stead because you can just use all the cloud benefits and advantages and plug it in there. If you have to migrate a legacy system it's going to be harder to realize benefits until you get the whole thing in place and that's a hard thing to project, define, and implement.
Jason Hiner: Of course, they had their big problem yesterday probably not related to a cloud system.
Katie Lewin: I don't think so, but I don't know. I really don't. I just know that my check has an extra day to clear.
Jason Hiner: Very good. What are some of the federal agencies that have been leaders in moving to the cloud and have been the most progressive and leaning forward looking in their technology journey?
Katie Lewin: I think related to the cloud is customer service, so lots of agencies are putting an emphasis on citizen services and customer service, which means that your experience with the federal government should be successful, should be satisfactory, which doesn't mean everything's going to be solved to your perhaps wishes, but at least you know that the person you dealt with was ... Let's take Immigration and Naturalization Services. I know in the past they were like four different systems that they had to physically move from computer to computer, terminal to terminal to get that rolling. Now, I don't believe that's still the case. I think, for the average American the cloud is invisible but its benefits are coming out in service provision, so I would say that was one area.
I also know that financial systems, Treasury and other agencies that deal with that like Commodity Futures Trading Commission and SEC, they are making progress, for example SEC and CFTC, in accepting filings. Filings are huge, 10-K, I think it is?
Jason Hiner: Yeah.
Katie Lewin: Yeah, they are very important to the business cycle, so as soon as you file everyone wants to see it because that's how the markets go and your competitors, and all that. With cloud the idea of getting it in and Xeroxing it 500 times there were services who did that, those things are no longer the case. You can just go online and look at it.
I also think that the intelligence agencies, which I have to admit I'm not super ... and if I told you I'd have to kill you. I know that they are very forward leaning in terms of using cloud to share information, but that's obviously completely opaque to us. I know, I was on a panel a couple years ago and I think it was the NSA CIO said that they were seriously thinking about putting some of their data in the cloud. This was an open forum and people in the audience just gasped like, "Oh my gosh." I am not an authority on them, but I believe that that has happened.
Jason Hiner: Very good. Certainly, the benefit of nimbleness, and elasticity, and scalability the government works at such a large scale these things are, in that sense, tailor-made for some of the projects that the government has.
Katie Lewin: Exactly. Look at the census, every 10 years they have to do something. For the rest of the time ... that's their spike in service, every 10 years. Now, it doesn't mean that they're not doing anything for the interim, but they definitely have a spike in activity every 10 years. Technology has improved so much in those 10 years that they don't want to use 10-year-old technology, they want to use the new stuff. Now, with the cloud it's going to be much easier because that's available, they don't have to buy all this new software, they can just go up to the cloud. That's another example.
Jason Hiner: Very good. What are some of the opportunities for some of the federal agencies to do some better stuff? Sort of forward-looking, what are the ways that the cloud can help solve some problems that we haven't seen yet or that they haven't really addressed yet? What are some of the most progressive things that are happening?
Katie Lewin: I think, as I said, service to the citizen is big. Now, you can file your taxes on your own if you have an orderly financial life, I guess. I'm thinking about agencies that serve specific niches of the society. IRS touches us all, certain other agencies, SSA touches us all. SSA you can go on and look at your benefits, you can see what you will get when you retire. There's all of these things that are pushed out, so that you don't have to stand in line, or make an appointment, or wait on the phone for X number of minutes that, in fact, services are coming directly to you.
The other thing is electronic funds transfer, so payments to both annuitants and to businesses. Because Lockheed Martin's probably not going to go under if the billing cycle is not 30 days, but there are small businesses that do business with the federal government that really need to keep their cash flow going. The federal government is very, I think, proactive in asking and requesting small businesses to participate. In fact, they have huge programs in every agency to do that, so, I think, those kinds of things are good.
In terms of forward looking things, security is obviously a big deal. I was asking our CTO what he thought were going to be some big things, so I could tell you. He said everyone in the federal government they like shiny opposite objects and AI is a big thing, obviously, and Internet of things, and blockchain. I think the government is looking at those things to improve. To me, procurement is a great place to start with blockchain and every agency has procurements so that would be good. He also said, and I agree although I don't think this has caught fire yet, identity access management. Right now, it's access, verify, go. It should really be verify, access, go. I think that that's going to be one of the things that we're going to be moving towards.
Jason Hiner: Nice. Very good. One of the things that we have seen lately since there's been this big push, especially over the past couple years, with government agencies moving to the cloud and some of the mandates that have come down, executive orders, and so on is there have been a number of reports about some of these winner take all cloud contracts. What are the challenges and dangers there of these monumental contracts and having to go to one vendor? And is that common or are a lot of these big agencies, are they using multiple cloud vendors?
Katie Lewin: Again, I don't know everything that's going on in the federal government, but there are several huge contracts that are up for bid right now, I think there's one from DOD. It's a trap between efficiencies, and responsiveness, and control I guess you would say. While you benefit from a large enough cloud deployment you don't want to have everyone have their own cloud. When we were first starting that off that was one of the things we talked about like, "Oh my gosh, as opposed to everyone having a server under their desk, everyone's going to have a cloud," which is not probably efficient either. That's a fine line between what's the most efficient and effective and what gives you better control. I don't think there's one answer for all agencies.
For example, the federal government has an association of small agencies and they pool a lot of their resources in terms of research, and lessons learned, and best practices, and all that, there's a Small Agency Council. Maybe, and I don't know if they're doing this, but maybe they could have a cloud, maybe that would be practical for certain things. Then, each of them should have clouds for their secure stuff, as an example. Having a big cloud for specific things in a large agency might be okay.
One thing, I'll put a plug in for FedRAMP, is that what we did was we standardized how you grant security authorization and it's across agencies. If Commerce does one ... Let's say the census did one and Commerce and they want to accept this particular cloud product, if they follow FedRAMP requirements which they're mandated to do, then let's say Interior had a similar need for a similar product, they don't just start the security thing all over again. They can accept the authority to operate from Interior and then, let's say that they had a couple of things that they were concerned about or were unique to their agency, they can ask their contractor to address those controls. It's expandable, as long as they don't completely reinvent it, but certainly that's a way of getting efficiency so you don't have to do all of the work up front at the beginning.