SAIC OutFront: ‘Trust, but Verify’ Cloud SLAs, Experts Say – MeriTalk

As Federal government agencies fast-track their secure multi-cloud journeys, experts this week urged agencies to take a "trust, but verify" approach to cloud security, which may require a cultural change across organizations.

At the OutFront: Continuous Agility forum hosted by SAIC and MeriTalk in Arlington, Va., on Nov. 2, one government official said that verifying the contracts between Federal agencies and their cloud providers (otherwise known as service-level agreements, or SLAs) is crucial to a secure cloud strategy.

Jamie Holcombe, chief information officer (CIO) for the U.S. Patent and Trademark Office (USPTO), explained that agencies must ensure their SLAs can be met, and that the best way to do so is to take a "trust, but verify" approach.

"I started the journey with a multi, hybrid cloud strategy," Holcombe said, reflecting on his five years at the USPTO. "And as we walked through that, it was hard as heck to get everyone culturally thinking about how to move forward, because they're worried about security."

"I always had the attitude [of] buyer beware. It's all about the SLAs. So, you're as secure as your SLAs are, because the cloud providers are providing services that are best effort," he added. "Yes, it will have the security that they say it will, but you have to test. And that's a big thing: trust, but verify."

The CIO said that while these may seem like simple concepts, procurement and operations are often at odds.

"You have to get those two units together to ensure your SLAs can be met, and don't accept the base contract," he said. "Buyer beware: whatever your services are, make sure they fit your requirements."

Sharon Woods, director for the Defense Information Systems Agency (DISA) J-9 Hosting and Compute Center, noted that part of embracing a trust-but-verify approach involves a mindset shift.

However, she noted that while many SLAs are becoming routine, one area where they remain challenging for her agency is edge devices.

For instance, Woods said there are a lot of basic questions that can be tough to answer, such as what shipping out devices looks like, what happens when something goes wrong, or what the cloud provider expects for patching, given that the devices are disconnected.

"That's something we're still unpacking," Woods said. "JWCC [the Joint Warfighting Cloud Capability] has been around for less than a year. So, we're still working through that. But I think that that's one of the emergent areas where we're encountering some challenges with SLAs."

Nevertheless, embracing these challenges and building trust with a provider is critical to a more secure cloud, according to Alan Halachmi, director of solutions architecture for Worldwide Public Sector at Amazon Web Services (AWS).

"A lot of conversations that we have still today start with, 'Why should I trust the cloud provider?'" Halachmi said. "So, this time that is inevitably spent just to secure the environment itself from us, giving you the confidence that you have the ability to secure your workloads in a way where you have control of who has access to what the content is and so forth, is I think material."

That peace of mind and sense of security allows Federal agencies to more quickly meet their mission outcomes, added SAIC Chief Technology Officer Bob Ritchie.

"One of the things that I've observed is the inheritable cloud security model, the ability to go fast as a result of that cloud inheritance," Ritchie said. "And so, you mentioned the timely trivia question on how much is FedRAMP and how much is approved by CC SRG [Cloud Computing Security Requirements Guide] at the different impact levels. That very much helps us go fast and really get the mission outcomes."
