A Blueprint and Best Practices for Government Cloud Governance
Cloud governance shouldn’t be an afterthought. Indeed, it should be a foundational element of any cloud security strategy. Why? Because the cloud is enormous – it’s software, hardware, developer tools and platforms, and more. All delivered by a host of vendors.
As they transition to the cloud, government agencies need a pervasive governance program to respond to this broad and dynamic landscape. Without it they struggle to control costs, reduce human errors, rein in unnecessary spending, and protect data. The cloud also introduces third-party risk. As the threat surface increases, agencies need a formalized set of controls and processes to manage and mitigate that risk.
The challenge for the government is that cloud governance has traditionally slowed procurement processes and approvals. Agencies need a cloud governance framework that puts guardrails in place for those who use the cloud without impeding speed or other cloud benefits.
To help agencies achieve this, Forrester has outlined best practices around the who, what, where, and how of cloud governance.
The “who” includes internal stakeholders who should be 10-15% dedicated to maintaining a cloud governance process. These include cloud architects, IT security, network operations, compliance officers, IT operations, developers, and DevOps. It’s too much to get into here, but the report explains the reasons why these parties should care about cloud governance.
Next, the “what.” Agencies need to clearly define the scope of cloud governance, meaning define the cloud areas and processes that cloud governance covers. These include cost optimization, budgets, and billing integration; regulatory compliance; cloud migrations and enablement; onboarding, permissions, and access; threat detection and prevention.
The “where” addresses governance models for different cloud technologies and deployment models.
“The best way to kick off a governance practice is to map cloud usage to the four classic variations of cloud technologies and deployment models and build out the added complexity of your usage from there,” explains Forrester. Analysts suggest that agencies start with the following cloud target areas and customize from there: private cloud, IaaS, PaaS, and SaaS.
Finally, the “how.” This is about connecting the dots of the why, what, and where. Forrester recommends that agencies create a RASCI chart to map out their cloud practice to stakeholders to ensure a repeatable process and ensure a higher-efficiency cloud governance regime. They should also automate everything to help with provisioning, secure configuration, and reduce administration overhead. Education is important too. Working smarter and incorporating best practices can help close the gap between provisioning and optimization or provisioning and compliance. It also helps build the relationship between the center of excellence or ops team and business or developer customers.
Agencies should also leverage proactive and reactive approaches to cloud governance. Finally, take advice from peers to achieve best practices in cloud governance.
Related Content: Department of Defense Selects D2iQ for DevSecOps Solutions and Services
Related Blog Posts
Cloud Computing, Cybersecurity, Market Intelligence
Originally passed in 2014, the Federal Information Technology Acquisition Reform Act (FITARA) was designed to improve the management of all-things-IT across federal agencies. It essentially realigned how the government purchases and updates its technology, with an aim at grading agencies based on their ability to adhere to and improve on the following categories:
Susanna Patten
Cloud Computing, Cybersecurity, Education, Market Intelligence, State & Local Government, Technology
The annual EDUCAUSE conference highlighted higher education technology trends, goals, challenges, and how to identify a way ahead for higher education institutions to be successful in today’s modern world.
Yvonne Maffia
Cloud Computing, Cybersecurity, Market Intelligence
The Air Force hosts an annual summit known as Department of the Air Force Information Technology and Cyberpower (DAFITC) in Montgomery, Alabama, right next to Maxwell Air Force Base. It’s an opportunity for Guardians, Airmen, academics, and IT industry to come together to discuss pain point remedies and high-level plans and strategies. It is also an opportunity for branch heads to strike deals that lead to the adoption of modern and effective systems, meant to enable air superiority. Ms.
Kevin Shaker
Cybersecurity, Internet of Things, IT Infrastructure, Market Intelligence
IoT and Its Impact on Infrastructure and Governance
The Internet of Things (IoT) revolutionizes how governments, organizations, and citizens interact with the physical world. This wave of interconnected devices promises a transformative infrastructure and governmental operations shift. However as the reach of IoT grows, the implications — especially related to security — become even more profound.
Dawit Blackwell
Application Lifecycle, DevSecOps, Federal Government, State & Local Government
Technology is supposed to make our lives easier. So you know something’s wrong when nearly a third of federal government acquisition professionals surveyed say their agency’s acquisition technology makes the job more difficult.
Ben Allen
Application Lifecycle, DevSecOps, Federal Government, State & Local Government, Technology
Government agencies strive to lower the cost of products and services to save taxpayers money. They also aim to shorten “procurement administrative lead time,” or PALT—the time from identification of need to delivery of value—to expedite their missions without delay.
Ben Allen
Cloud Computing, Cybersecurity, Education, Federal Government, IT Infrastructure, State & Local Government, Technology
The Cybersecurity and Infrastructure Security Agency (CISA) has seen increased malicious activity with ransomware attacks against K 12 educational institutions. Malicious cyber actors target school computer systems, slowing access, and rendering the systems inaccessible to essential functions, including remote learning. In some instances, ransomware actors stole and threatened to leak confidential student data unless institutions paid a ransom.
Ransomware attacks on US government organizations cost $18.9bn in 2020.
Asad Zaman
Cloud Computing, Cybersecurity, Education, Federal Government, IT Infrastructure, State & Local Government, Technology
The Cybersecurity and Infrastructure Security Agency (CISA) has seen increased malicious activity with ransomware attacks against K 12 educational institutions. Malicious cyber actors target school computer systems, slowing access, and rendering the systems inaccessible to essential functions, including remote learning. In some instances, ransomware actors stole and threatened to leak confidential student data unless institutions paid a ransom.
Ransomware attacks on US government organizations cost $18.9bn in 2020.
Asad Zaman
Cloud Computing, Cybersecurity, Federal Government, State & Local Government, Technology, Tips and How-Tos
TD Synnex Public Sector’s Chief Cybersecurity Technologist, Don Maclean sat down with Mark Guntrip, Senior Director of Security Strategy at Menlo Security, to discuss one of the latest emergent security threats.
James Hofsiss
Cloud Computing, Cybersecurity, Technology, Tips and How-Tos
Every year, there are more and more security breaches, and it gets harder and harder to spot them. According to a leading cybersecurity vendor1, it takes almost seven months for organizations to find breaches, which gives malicious attackers plenty of time to get what they want.
Most often, system misconfigurations like default settings or credentials leave the door wide open for exploitation, resulting in these breaches. As organizations grow, this problem only gets worse because quick changes frequently result in skipped steps.
Heather Sweet
Cloud Computing, Cybersecurity, Technology, Tips and How-Tos, Training
Security is paramount in the digital age, especially when it comes to keeping networks secure. Having network security monitoring services stand between your organization and malicious attackers is crucial. Still, the volume of alerts and issues that come with them can easily overwhelm your team.
The volume of these alerts is rising every year too. According to a report by TrendMicro, 54% of teams surveyed felt like they were drowning in alerts, and 27% said they spent most of their time dealing with false positives.
Heather Sweet
IT Infrastructure, Market Intelligence, State & Local Government
The U.S. electric grid is critical infrastructure consisting of an ecosystem of communities, stakeholders, governments and economies. Most of the grid infrastructure was built decades ago and is unreliable. Bad actors know it. In 2015, Russian hackers carried out the first successful cyberattack on the nation's electricity grid, which was just one of an ongoing series of security breaches and attacks on US infrastructure and utilities.
Yvonne Maffia
Application Lifecycle, Cybersecurity, DevSecOps
Implementing zero trust may seem daunting, but it is also an opportunity to integrate more secure coding practices into your software applications from the start. Zero-trust security assumes that all traffic on your internal network is potentially malicious. Consequently, it requires taking measures to:
Don Maclean
Cloud Computing, Cybersecurity, Technology, Tips and How-Tos
The digital landscape evolves fast, and attackers are even faster. New ways to attack systems and organizations appear every day, and traditional methods are starting to fall behind the times.
Highly Evasive Adaptive Threats (HEAT) are the newest step in the digital world for malicious attackers. These attacks are unlike anything security experts have seen before and lead to some of the most devastating breaches ever seen.
In this article, we’ll explain how HEAT attacks impact companies worldwide and how Menlo Security’s Isolation Core can help protect your organization.
Heather Sweet
Cloud Computing, Cybersecurity, Technology, Tips and How-Tos
The term "Integrated Management Workplace System" (IWMS) was first used by Gartner in 2004 to refer to a program that could manage and integrate all business and workplace requirements into a single, centralized solution. Since then, a number of solutions have emerged with the aim of bringing together various operational and organizational areas that had previously tended to operate in isolation from one another.
Heather Sweet
Cloud Computing, Cybersecurity, Technology
The development world has changed, and organizations are still adapting to developing in the cloud. Cloud native technology and containers are now at the forefront of software development, meaning that software no longer exists and operates locally. However, despite these quick advancements, cloud native application security still lags behind.
This article will cover how you should approach cloud native application security and why Snyk is the best solution for your needs.
Adam Fyffe
Application Lifecycle, Federal Government, IT Infrastructure, Open Source
You can spend hours scrolling down the rabbit hole of government IT horror stories, which makes the recent launch of the federal website for ordering free COVID tests that much more remarkable. The website worked, and it was surprisingly easy to use. But that success belies decades of underinvestment in digital transformation that has stifled public sector innovation and hardened the government's low-tech image. For example:
Roland Alston
Cloud Computing, IT Infrastructure, Market Intelligence, State & Local Government
The 2022 fiscal year-end is drawing near for 46 states, which means the time to leverage last-minute opportunities is coming to an end as state, local and education (SLED) organizations set their sights on next year’s budget and priorities. With FY23 just around the corner, SLED organizations will start executing on budget plans and drafting request for proposals (RFPs).
Yvonne Maffia
Cloud Computing, IT Infrastructure, Market Intelligence, State & Local Government
The 2022 fiscal year-end is drawing near for 46 states, which means the time to leverage last-minute opportunities is coming to an end as state, local and education (SLED) organizations set their sights on next year’s budget and priorities. With FY23 just around the corner, SLED organizations will start executing on budget plans and drafting request for proposals (RFPs).
Yvonne Maffia
Cybersecurity, Federal Government, IT Infrastructure, Market Intelligence
The heightened threat of retaliatory cyberattacks by Russia against critical U.S. IT infrastructure is prompting federal investments in cybersecurity to strengthen its cyber defense posture. The ongoing conflict in the region and the increased targeting of critical infrastructure assets will cause federal agencies to look for ways to strengthen their cybersecurity posture and redefine requirements that address cyber breaches that may occur during the coming months and years as well as drive investments into Zero Trust related tools and threat intelligence.
Dawit Blackwell
Application Lifecycle, Cloud Computing, DevSecOps
In this post we will look at how to accelerate the development of cloud native applications, give you a snapshot of the USAF deployment of D2iQ, and provide a link to the DLT Cloud Security Assessment to see where you currently stand.
Jeff Schad
Application Lifecycle, Cloud Computing, DevSecOps
In this post we will look at how to accelerate the development of cloud native applications, give you a snapshot of the USAF deployment of D2iQ, and provide a link to the DLT Cloud Security Assessment to see where you currently stand.
Jeff Schad
Cloud Computing, Cybersecurity, Federal Government, IT Perspective
Over the last few years, the federal government has begun to embrace a zero trust approach as the new cybersecurity standard for agencies. Utilizing the latest solutions and best practices, the hope is to bolster federal cybersecurity and create a robust and resilient IT infrastructure that can protect and secure networks from attacks and breaches.
Kevin Tierney
Cloud Computing, Cybersecurity, IT Perspective, Technology
Last January, the Office of Management and Budget (OMB) released M-22-09, a memorandum that set forth the federal government strategy on zero trust adoption, in an effort to reinforce the security and protection of government agencies’ critical systems, networks, and IT infrastructures.
David Presgraves
Application Lifecycle, Cloud Computing, Cybersecurity, DevSecOps, Market Intelligence
"We are making progress. This really is not just about technology. This is about changing our processes changing our approach to delivering and operating technology to IT systems and our cyber mechanical warfare systems as we move forward," said Robert Vietmeyer, DoD Director for Cloud and Software Modernization.
Toan Le
Application Lifecycle, Cloud Computing, Cybersecurity, DevSecOps, Market Intelligence
"We are making progress. This really is not just about technology. This is about changing our processes changing our approach to delivering and operating technology to IT systems and our cyber mechanical warfare systems as we move forward," said Robert Vietmeyer, DoD Director for Cloud and Software Modernization.
Toan Le
Application Lifecycle, Big Data & Analytics, Cloud Computing, Cybersecurity, DevSecOps, IT Infrastructure
For the second year in a row, Gartner named IBM a Leader in Gartner Magic Quadrant for 2021 Cloud Database Management Systems based on its Ability to Execute and Completeness of Vision. With emergence of a single cloud DBMS market, We believe our portfolio of feature-rich, enterprise-tested offerings, bold acquisitions, and partnerships enable our clients to address the unique needs of their business, respond to the growing volume, velocity and variety of today’s data and drive more accurate data driven decisions.
Holly Vatter
Application Lifecycle, Big Data & Analytics, Cloud Computing, Cybersecurity, DevSecOps, IT Infrastructure
For the second year in a row, Gartner named IBM a Leader in Gartner Magic Quadrant for 2021 Cloud Database Management Systems based on its Ability to Execute and Completeness of Vision. With emergence of a single cloud DBMS market, We believe our portfolio of feature-rich, enterprise-tested offerings, bold acquisitions, and partnerships enable our clients to address the unique needs of their business, respond to the growing volume, velocity and variety of today’s data and drive more accurate data driven decisions.
Holly Vatter
Application Lifecycle, Big Data & Analytics, Cloud Computing, Cybersecurity, DevSecOps, IT Infrastructure
For the second year in a row, Gartner named IBM a Leader in Gartner Magic Quadrant for 2021 Cloud Database Management Systems based on its Ability to Execute and Completeness of Vision. With emergence of a single cloud DBMS market, We believe our portfolio of feature-rich, enterprise-tested offerings, bold acquisitions, and partnerships enable our clients to address the unique needs of their business, respond to the growing volume, velocity and variety of today’s data and drive more accurate data driven decisions.
Holly Vatter
Application Lifecycle, Big Data & Analytics, Cloud Computing, Cybersecurity, DevSecOps, IT Infrastructure
This week's roundup of the latest news and insights gathered from IBM's Government Research Institute thought leaders:
Michael J. Keegan
Application Lifecycle, Big Data & Analytics, Cloud Computing, Cybersecurity, DevSecOps, IT Infrastructure
This week's roundup of the latest news and insights gathered from IBM's Government Research Institute thought leaders:
Michael J. Keegan
Application Lifecycle, Big Data & Analytics, Cloud Computing, Cybersecurity, DevSecOps, IT Infrastructure
This week's roundup of the latest news and insights gathered from IBM's Government Research Institute thought leaders:
Michael J. Keegan
Cloud, Cloud Computing, Cybersecurity, Federal Government, Technology
As organizations adapt to hybrid work and more and more cloud services are deployed, new service entities that collaborate and exchange data without human interaction, such as virtual machines and containers, are proliferating. The growth of these service accounts and identities and their increasing volumes of permissions, privileges, and entitlements expose organizations to new attack vectors.
Kevin Tierney
Cloud Computing, Federal Government, IT Infrastructure, Technology
You’ve gathered requirements, evaluated technologies, gotten all the right people to sign off on acquiring new technology, and now comes the hard part — procurement. IDIQs, BPAs, GWACs...the contracting officer is throwing out a bunch of complex terms, options, and estimates of how long it will take to get through negotiations. NetDocuments believes our public sector customers should have contracting options that are a lot like our solutions — easy to use.
NetDocuments
Cloud Computing, Federal Government, IT Infrastructure, Technology
You’ve gathered requirements, evaluated technologies, gotten all the right people to sign off on acquiring new technology, and now comes the hard part — procurement. IDIQs, BPAs, GWACs...the contracting officer is throwing out a bunch of complex terms, options, and estimates of how long it will take to get through negotiations. NetDocuments believes our public sector customers should have contracting options that are a lot like our solutions — easy to use.
NetDocuments
Application Lifecycle, Federal Government, IT Infrastructure, IT Perspective
In the post-COVID world, the federal government spends about three-fourths of its technology budget maintaining aging computer systems including platforms more than 50 years old and even some that use floppy disks, according to a recent Government Accountability Office report.
Roland Alston
Cloud Computing, IT Perspective, Tips and How-Tos
What’s next for cloud in 2022 (and how can you prep for it?)
There were so many noteworthy AWS re:Invent 2021 announcements out of this year’s big Amazon Web Services (AWS) conference. But what will that news mean for the year in cloud ahead? And how can learners and businesses prepare for the opportunities these will create?
Pluralsight
Cloud Computing, Cybersecurity, Federal Government
The Department of Defense (DoD) is taking major steps to boost cloud performance, with the promise of a tangible, positive impact on military missions throughout the world. Specifically, the Joint Warfighter Cloud Capability (JWCC) contract is replacing the Joint Enterprise Defense Infrastructure (JEDI) initiative, which was intended to establish enterprise-class cloud capabilities for the military community.
Carolyn Ford
Application Lifecycle, Cybersecurity, DevSecOps, Federal Government, IT Perspective, Technology
On the Tech Transforms podcast, sponsored by Dynatrace, we have talked to some of the most prominent influencers shaping critical government technology decisions. From supply chain to machine learning, this podcast explores the way technology advancement intersects with human needs.
In March 2022, we sat down with these government technology visionaries:
Carolyn Ford
Business Applications, Cloud Computing, Market Intelligence
At this year’s Department of the Navy (DON) IT Conference, the U.S. Marine Corps discussed its enterprise cloud delivery strategy and how it is derived from its mission to evolve antiquated networks. Before, a Marine working out of headquarters or a U.S. base would use enterprise systems, applications, and infrastructure, but when a Marine goes out in the field, a new email and identity are assigned to operate from different servers and shared drives. For the Marine Corps, that approach is going by the wayside.
Lloyd McCoy
Cloud Computing, Cybersecurity, DevSecOps, Market Intelligence
"Zero Trust is a cybersecurity strategy and framework that embeds IT security mechanisms throughout an architecture that generate metadata used to secure, manage, and monitor every device user, application, and network transaction at the perimeter and within every network enclave."
From the Department of Defense (DoD) Zero Trust Reference Architecture v1.0
Toan Le
Cloud Computing, Cybersecurity, DevSecOps, Market Intelligence
"Zero Trust is a cybersecurity strategy and framework that embeds IT security mechanisms throughout an architecture that generate metadata used to secure, manage, and monitor every device user, application, and network transaction at the perimeter and within every network enclave."
From the Department of Defense (DoD) Zero Trust Reference Architecture v1.0
Toan Le
Cloud Computing, Cybersecurity, Federal Government
There has been an increased focus among U.S. government agencies on adapting to modern IT environments and enhancing cybersecurity solutions. This increased focus on security government networks, data, and critical infrastructure is a result of ongoing digital transformation initiatives that are resulting in more mission-critical connected systems and more data for agencies to secure. It’s also a result of the increased number of cyberattacks and more sophisticated cyber-criminals that are targeting our nation’s networks.
Kevin Tierney
Cloud Computing, Cybersecurity, Market Intelligence, State & Local Government
If you have been looking for the right time to sell your technology product or service to the state, local and education (SLED) market, now is the time to act. With thirty-six states beginning their fiscal year on July 1st, now is the time to position yourself to take advantage of a confluence of once-in-a-lifetime conditions that have left the SLED market booming with opportunity. Here are some of the factors driving that opportunity:
New Leadership
Yvonne Maffia
Analytics & Data Science, Big Data & Analytics, Cloud Computing, Cybersecurity, Market Intelligence
The COVID-19 pandemic has spurned greater demand for health information technology (IT) by demonstrating the importance of having robust medical research, health surveillance and healthcare systems capable of rapidly responding to new and developing situations, something which requires strong IT investment in big data, cybersecurity and cloud. In addition, both the pandemic and emerging technologies have led to numerous changes within the healthcare industry, such as telehealth expansion and increased use of wearables, which necessitate robust health IT solutions.
Gabriel Zighelboim
Cloud Computing, Cybersecurity, Market Intelligence, State & Local Government
On December 8, 2021, the National Association of State Chief Information Officers (NASCIO) released its 2022 annual top 10 priorities list identifying the most pressing technology and policy issues that state CIOs are prioritizing for the upcoming year.
Yvonne Maffia
Big Data & Analytics, Cloud Computing
What is the difference between AI and ML?
Artificial Intelligence and Machine Learning are two of the most transformative technologies in the computing space that are changing the world in which we live. However, there is often confusion in in what constitutes Artificial Intelligence, and what constitutes Machine Learning.
Ricardo Dutton
Cybersecurity, IT Infrastructure, State & Local Government
Adhering closely to the U.S. federal government’s top legislative priorities for 2022, state chief information officers (CIO’s) have once again ranked cybersecurity as their top priority for 2022, following an already established decade-long trend in this direction.
Yvonne Maffia
Business Applications, Cloud Computing, Cybersecurity, Market Intelligence
Recent signals by the U.S. federal government suggest that customer experience (CX), primarily citizen-facing services will receive attention and investment from funding sources like the Technology Modernization Fund (TMF). The initial $311 million awarded by the TMF primarily went to projects focused on cybersecurity in keeping with stated priorities and the prevalence of cybersecurity threats. From the beginning, however, TMF has emphasized CX projects that focus on how taxpayers engage with government services in secure digital environments.
Dawit Blackwell
Cloud Computing, Market Intelligence
The concept of cloud computing has been around for many years now. Anyone positioned in the information technology (IT) world knows the language: SaaS, PaaS, IaaS, multi-cloud, hybrid, on-prem, and the list goes on. How has the concept of cloud morphed? More importantly, what are the cloud buzzwords and concepts that you should be aware of to get in front of end-users? Edge computing, data-centric architecture and sky computing are emerging, and here to stay. Let’s break down what each is and its current or future role in the U.S. federal market.
Susanna Patten