Myth No. 3: Cloud is inherently insecure. It can’t support my organization’s most sensitive workloads or data.
The Reality: Not true. The proliferation of industry-mandated security frameworks—such as the Federal Risk and Authorization Management Program (FedRAMP), the Risk Management Framework (RMF), and the National Institute of Standards and Technology (NIST)—as well as contemporary tooling and monitoring, and dedicated cloud service provider (CSP) enclaves that align to a broad set of data sensitivity levels means the commercial cloud can address nearly all workloads, including those managed by the Department of Defense (DoD) and intelligence communities. The critical aspect of an organization’s migration and hosting strategy can be found in the ability of the application owner, integrator, and CSP to properly delineate where responsibility lies for securing the different layers of application and infrastructure architecture.
Myth No. 4: To take advantage of the cloud, my organization should adopt an enterprise-wide, or application-wide, cloud-native architectural approach.
The Reality: There’s tremendous efficiency and flexibility in being able to decompose your workloads into container-based microservices that can be independently updated, scaled, and deployed. However, shifting to a cloud-native environment doesn’t have to be a “big bang” event. Establishing interim milestones such as introducing domain-driven design, containerizing traditional applications, and maturing your DevSecOps pipeline will move you down the path to cloud native and provide transitional operational efficiencies and benefits.
Myth No. 5: In the event of a disruptive event such as a power outage, natural disaster, or cyberattack, we need a multi-CSP strategy as our failover and disaster recovery (DR) plan for application workloads.
The Reality: Architecting cross-CSP backup and recovery for a single workload can result in paying a high cost for a low-risk event. The chance is infinitesimal that all of your cloud service provider’s availability zones would go down at the same time. Instead, start by building fault tolerance into your architecture, take advantage of multiple availability zones within your cloud service provider’s ecosystem, and conduct a risk-based cost-benefit analysis as a part of DR planning.
The reality is, government agencies need to consider many issues—cost, security and scale, among others—in a cloud move. The Federal Government and DoD, in conjunction with CSPs, are lowering the barrier to cloud migration. Integrators that understand the mission and agency data can help federal agencies develop and implement a strategic cloud approach that balances long-term organizational needs with technological advances.