NGA wants to speed cloud deployment
Federal government has come to embrace the cloud in a big way, and many of its departments have already started moving their data and applications to the cloud. Though this is heartening from a technology and user perspective, what is painstaking is the process of approvals. Typically, it takes a minimum of six months for a cloud provider to get security clearance for its service. In fact, six months is when the approvals run at the fastest possible pace. Otherwise, clearance to use cloud service for federal government apps and data can take years. The National Geospatial Intelligence Agency (NGA) wants to change all this.
To those working in NGA this elaborate approval process feels like a super slow motion and this is why they’re doing everything they can to change it. According to Jason Hess, the cloud security head at NGA, many different processes are being put in place to reduce the time it takes for a cloud provider to get security clearance. Ideally, Hess wants all approvals to be cleared in a single day, so the cloud service can be up and running within 24 hours of its application. Currently, the NGA uses a combination of DevOps techniques to get approvals within seven days, but this hasn’t been easy by any breadth of imagination.
This is a big initiative, considering that the NGA is planning to move all of its data and applications to the cloud, in a big to “re-invent security.” The agency is looking to tap into the flexibility of cloud to break-down the IT architecture and re-build it every day, so hackers will experience a new operating environment every day. NGA believes that such a move can confuse hackers and the familiarity with the system, and in the process, will reduce the chances of an attack as well.
Though this idea is unique, its practical application is always questionable. Is it possible to build such a dynamic IT architecture that changes every day? Will there be a specific pattern that would be followed in choosing the architectural style? These are important questions that have to be answered if the NGA wants to use this strategy to prevent outside attacks on its system. If an architectural style is going to be repeated after every few days, then it becomes predictable for hackers. Also, if there is no randomization, then architectural styles can be guessed by sophisticated hackers.
Given these questions, we can say that the NGA’s approach to cyber security is not for everyone. Currently many federal departments have vast amounts of data and legacy systems that can make it almost impossible for them to tear down the IT architecture and build one from scratch each day. At the same time, simply installing cyber security measures at the edges of a network system is not going to work anymore.
So, federal departments have to strike a balance between the aggressive security approach of the NGA and its own problems of legacy systems and siloed data,
Overall, it’ll be interesting to see if NGA’s plan can be implemented across the board.