Fearless, Secure, Compliant: Optimizing the Cloud


>> EMILY JARVIS:  Good afternoon everyone and welcome to our third session of the day, Fearless, Secure, and Compliant; Optimizing the Cloud.  My name is Emily Jarvis and I’m the Senior Events Manager at GovLoop, so thanks so much for joining me.  And a special thank you to our partners at Booz Allen Hamilton for helping us put on this training today.  So let’s get to it.  The cloud allows your agency to capitalize on efficiency, agility, and the flexibility to transform operations, even within highly secure and regulated environments.  Successful migration is the goal for government agencies looking to transition and optimize within the cloud.  Fearless migration to the cloud includes a continuous security and compliance strategy that bakes these elements into the overall cloud maintenance and operations.  And in this session you’ll hear how agencies are using automation tools to security audit and manage resources in the cloud.  But before we get to that, we do have a few housekeeping items to go over.  First, I encourage you to share your insights via Twitter, using the hashtag #gltrain.  We hope you don’t have any technical difficulties, but we’re living in a remote world, so you might.  If you do, look for that Ask a Question tab on your console, and my colleague Amy will help troubleshoot any challenge you might be facing.  It’s in that same portal where you can ask our experts questions, and don’t you dare be shy, put your questions in early and often.  We are taking a panel approach to this session, so don’t hold back.  On the console we have several resources available for you to download.  Those resources are just to the right of your screen, so make sure you check those out.  We will be sending out a recording of the entire virtual summit tomorrow so you can view this session or all the sessions again, or share them with your colleagues.  Finally, we are giving out one CPE credit for your participation in today’s training.  
Be sure to take all 3 polls, participate in the entire session, and fill out the post event evaluation to obtain your CPE credit.  The CPE evaluation can be found in the Resources Module on your screen.  For those eligible, the CPE certificate will be emailed to you on September 18th.  Alright, with all that pesky housekeeping out of the way, I want to introduce you to our wonderful speakers. 


First up we have Brad Beaulieu.  Brad is a Senior Security Specialist and Cloud Security Architect at Booz Allen Hamilton.  He has over 14 years of experience in IT security, spanning leadership and engineering and FedRAMP and FISMA compliance, cloud security, automation, and application migration.  Brad is the technical advisor and a key member of the Booz Allen Fed, FedRAMP 3PAO team, and is the Chief Engineer for the Virtual Cloud Defense, Booz Allen’s signature cloud security capability.  We also have Faisal Iqbal.  He is currently the manager of Federal Solutions Architect at Amazon Web Services, supporting partners and customers.  He brings more than 17 years of engineering, consulting, and project management experience to his role at AWS.  He and his team are focused on helping federal programs adopt cloud solutions to increase mission agility while lowering costs and ensuring security.  And last, but certainly not least, we have Drew Epperson.  Drew is the director of Solutions Architecture for Palo Alto Networks Federal.  That’s a tongue twister for me.  In this role, Drew leads a team of technical leaders who support a wide range of federal customers and policymakers.  Drew has over 10 years of experience in designing and implementing enterprise cyber solutions for the federal government.  Drew also leads Palo Alto Networks’ Federal Innovation Initiatives, with a focus on solving the hard problems their customers face in meeting their mission.  It is so wonderful to have the 3 of you joining us today. 

And I want to kinda kick things off with some level setting, ‘cause there’s a lot that we could be talking about when it comes to optimizing the cloud.  So Brad, I’m gonna go to you first here.  What changes have you seen recently with how organizations are adopting and utilizing the cloud?  

>> BRAD BEAULIEU:  Thank you.  So, I’m seeing agencies are embracing more cloud native services, especially the platforms in software as a service organizations.  And that, and that includes the large SaaS providers that you’re, you’re all probably familiar with.  But also adopting managed services that infrastructure providers are offering, such as container orchestration, DevOps tools, and, and security solutions.  They don’t wanna reinvent the wheel, or continue to deal with the challenges and the complexities of, of maintaining their own IT infrastructure.  You know being on, on call 24 by 7, and… dealing with patching and maintenance of, of systems.  They wanna focus on the most efficient way to achieve their, their business objectives.  And there’s a wide range of, of experience and maturity levels out there from organizations who have gone all in on cloud several years ago, to others who are just getting started.  And you know I think those who are just getting started have, have a great opportunity to really look at cloud as, as a new opportunity to, to re-architect and, and adapt those as new innovative offerings. 


>> EMILY JARVIS:  Wonderful.  And Faisal, you know, building off of what Brad was just saying, you know, what changes are you seeing in addition to those that Brad was just talking about, that is really kind of changing in how agencies are adopting and utilizing the cloud? 


>> FAISAL IQBAL:  Yeah.  When we take a step back, I think we’ve seen over the number of years, a real close knit focus on moving things to cloud because of cost savings primarily.  And we’ve seen that a lot of the conversations start that way.  But more recently we’ve seen agencies move workloads, and build new workloads in the cloud, into the cloud natively from the get go.  And instead of just moving what they have on prem into the cloud and saying check the box here, we’re in cloud, they’re really thinking about how they, how they can reimagine that experience for their customers, whether it’s a citizen, a warfighter, or an internal user, and really to learn for the mission.  For instance, U.S. Census is a great example.  Earlier this year we all went through the census process.  It was one of the first years where we did such a large amount of census collecting digitally, right, in the cloud, and that was sort of reimagined from the ground up, being a cloud native sort of application.  So instead of just moving what they have on prem to cloud, agencies are sort of reimagining that experience from the ground up in a, in a, in a true digital innovation type manner.  That’s the biggest sort of thing that we’re seeing lately. 


>> EMILY JARVIS:  Yeah, definitely.  And Brad, kind of that census example that he was just talking about is so poignant because I think it gets to the heart of something that we talk about a lot, is how does migrating to the cloud help organizations achieve their business objectives.  Obviously, being able to have a more accurate count from the census perspective is incredibly central to their mission as an organization.  How are other organizations thinking about this migration and its tie to the business objectives piece? 


>> BRAD BEAULIEU:  Absolutely.  I think, you know, reimagining and taking advantage of the cloud is, is the right approach.  If… and, and that really applies to the security elements too.  If you, if you try to adopt or, or apply the, the old ways of doing things, just moving you know, your security approaches and, and practices into the cloud, you’re gonna be much less secure, and you’re gonna hamper your ability to take advantage of those, those new cloud native, innovative, you know, services that Faisal had mentioned that the census is taking advantage of.  You’ll, you’ll, um… exactly what he said; you’ll, you’ll be in a cloud, check the box, but not really getting any of the benefit.  And all that goes to the cost element.  I, early on, I, I heard cost quite a bit.  I, I rarely hear cost as, as a driver (Hm) for, for cloud, cloud migration. 


>> EMILY JARVIS:  Got ya.  Alright, well I don’t wanna forget about our audience.  So we’ve got our first poll question coming out to you right now.  And for this one, we wanna know how far along are you on your cloud migration journey.  And I’m gonna give you a few seconds to answer that.  And while we do, you know, Drew, one of the things that makes cloud so appealing is that you know it does have this, you know security and compliance infrastructure in it.  What are some considerations that agencies should really be paying attention to looking at, when it comes to this migration piece? 


>> DREW EPPERSON:  No that’s a, that’s a great… to your question, I know our, our federal customers love the compliance consideration.  It’s always a, a hot topic (Laughs) that’s well debated.  Yeah, one of the things that we’ve been working with customers on that I think is a, is a, a good conversation to have as we talk about migrating the cloud infrastructure, is cloud provides us a couple different ways to do things differently.  And specifically when it comes to compliance consideration, compliance in enterprise environments in legacy, especially legacy enterprise environments, have, have been very cumbersome.  There’s not a great way to do it, it’s very difficult to maintain, and, and a lot a people look at compliance, and then they say that does not equal security; why am I even doing this.  And I think what we’re working with customers on right now, is that in cloud environments, because of, because of how highly automated they are, and the way that we can use things like automation templates to both deploy and also configure and maintain, there becomes a new… a new realm of what compliance can actually be and what it can mean for cloud customers. 


And I think specifically for our federal customers, there are a lot of these compliance controls are there for a reason, right?  They’re there to try to provide a better sense of security and better control over these environments.  So I think more than what we’ve traditionally seen in enterprise environments, especially on prem, the compliance does not equal security conversation still holds true, however, in cloud environments that, that compliance can be heavily automated, and it also can become a critical part of how you both maintain and secure and get visibility into these cloud environments as we move forward with larger cloud deployments. 


>> EMILY JARVIS:  Got ya.  Alright, the results of the poll are in.  And when asked how far along are you on your cloud migration journey, 40% said they were operating partly in the cloud, another 16, 17% said they were in the planning stage, and 15% haven’t started yet.  And Brad, when I hear those results, 40% are in the cloud in some way, shape, or form, but then another 15% haven’t even started yet, it just… brings up the question that there are some challenges associated with this migration effort.  So what are some of those top unique challenges that government organizations should be keeping in mind as they’re migrating to the cloud, and adopting new cloud services?  What, what are the top ones that bubble to the surface? 


>> BRAD BEAULIEU:  Yeah, the 3 challenges I think; and by the way, these challenges can be turned into strengths if you do them right; is, is preventing misconfigurations, and whom we heard previously au-automation and guardrails can be a big way to prevent that.  I think we’ve all heard about you know how easy it is to make a mistake, but it’s also very easy, and, and, to put in controls to prevent that, automate the configuration, continuously verify that things are compliant with your configurations, and, and taking automated actions when things are detected to be out of compliance.  So that… you can always be assured of, of being in the, in  the secure state.  The second piece is identity and access management.  And so the great, great thing about cloud is… everything is accessible via an API, to be automated, but also a lot of points where now we have identity and access management required.  


And, this is kind of along the, the approach of, you know, the identity is the perimeter in a Zero Trust approach.  Adopting that rather than trying to create a single and often porous perimeter, is the approach to take.  Don’t, don’t try to just create a trusted zone, create, uh, security at every single endpoint and entry point, within, within that environment.  And then ensuring visibility.  I see a lot a challenges today where… organizations, they’re, their SOC or their, their governance organizations don’t have good visibility into the cloud infrastructure and cloud presence across their organizations.  I think ultimately that’s because they haven’t taken a new approach to looking at how to get visibility and, and assurance of, of the cloud and other cloud posture and cloud activities.  And, and that’s ‘cause they’re, they’re cha—taking a, a traditional old way of doing it by applying their, your current capabilities.  You know they’re, the cl—and, and in practice, cloud is, is very much gonna be more secure, more visible than anything you can achieve on premise.  And so with those, those 3 top priorities, I think that’s a great opportunity to be much more secure as organizations transition to the cloud. 


>> EMILY JARVIS:  I love how you’re,  you’re . . . .


>> FAISAL IQBAL:  Yeah, I mean I, I…


>> EMILY JARVIS:  Oh go ahead.


>> FAISAL IQBAL:  Yeah, yeah, I’ll, I’ll jump in there for a minute to expand on that.  I think… that’s right on.  We see… a lot of customers try to take the cloud and put it into their on prem box in the way that they’re operating their environment, securing their environment.  For instance, hey, I need to know the name and the IP address of every server that you deploy in the cloud.  I need to know how to secure that for that deployment we’re gonna do, you know 2 months from now, considering we’re gonna do that deployment once every year or once every six months.  And the way cloud operates completely turns those things on its head, and really requires folks to, to sort of think about security very differently, in regards to immutable infrastructure, securing sort of the, the pipeline, securing the, the design, and not necessarily individual elements of a server, individual elements of a piece of software.  And it really requires the re, reimagining of how we approach security, and not be limited by the constraints that we applied based on sort of the, the structures that we have due to on prem legacy environments. 


>> EMILY JARVIS:  Wonderful.  Alright, I want to… remind our audience that this is a panel discussion, so don’t wait till the last 10 minutes to put your questions in.  Put your questions in early and often.  And right now we are coming to you with your second poll question, so we’re keeping you on your toes here.  We wanna know, are you considering using a multi cloud platform.  And, Brad, you know, this poll question in particular, really strikes me, based off of the results of the last poll, which basically was asking you know, if your agency was considering cloud, was working in the cloud, migrating to the cloud.  And you know 40% or so said yes, they were doing it in some way, shape, or form, and some additional folks as well.  I’m hearing more and more people say that they are taking  a multi cloud approach.  Is that what you’re hearing as well? 


>> BRAD BEAULIEU:  Absolutely.  You know from… just looking at it from the procurement and trends that we’re seeing, um-hm you know the, the focus is on having a strong governance across multiple cloud environments, and, and each one, you know, being adopted for, for different specialties or purpose, purposes according to the, the business needs.  The multi cloud is, is definitely approach that I think is here.  And, and one thing too is, is or—some organizations didn’t realize they were multi cloud.  They’d be using a financial accounting or HR system that’s delivered as a, as a cloud service or, or platform that they didn’t really think about it.  But when you look at the delivery model, the, the shared responsibilities between who’s responsible for the content and the users, and the hosting of security of the infrastructure, they’re very, very much already in a multi cloud environment. 


>> EMILY JARVIS:  Alright.  Well the results are, of the poll are in.  And 29% are already using a multi cloud approach.  36% are considering it, and a few other folks are still pending some options there, which is always like to, which is always what we like to see.  Alright, so we’ve talked about kind of the background a little bit of how these migrations can happen, how we can make them fearless, so that there isn’t that anxiety, that cultural piece that is in effect when we’re moving to the cloud.  I wanna pivot a little bit for the next part of the conversation.  And Faisal, I’m gonna come to you first for this one.  You know, what does the future of cloud and innovation really look like, and how do third party vendors and cloud service providers like AWS, how do you guys help government organizations opt, optimize and automate cloud solutions? 


>> FAISAL IQBAL:  Yeah, so, it’s a loaded question at a high level.  (Laughs)  But… from an innovation perspective, I think we’re seeing a lot more agencies again, move away from just building and moving simple applications, to reimagining like I said.  That, that being said, there’s a real focus around data.  A lot of agencies have a lot of data within their control, and they’re just now… tapping into some of the insights that data can provide.  Whether it’s to better inform decisions on what deployed satellites, whether it’s… better informed decisions on how to deploy workers in the field, or even make financial decisions.  We’re seeing a lot more agencies, FINRA for example, that are using data, and, on top of data, machine learning, as a good way to sort of crunch data and get to the ana—analysis.  And  the best place to sort of get one view of that data and that dataset is, we see the cloud as a natural landing place for a lot of that from an innovation perspective. 


And there, I think with any cloud platform, it’s only as strong as its ecosystem that surrounds it.  Whether it’s for things like data, for security, or for migration, third party vendors, like Palo or Booz Allen, as a consulting partner, right, I think they’ve done a lot of good work in the space.  And that’s really what we need to build and champion when going to market with agencies.  If agencies wanna drive success, they’re gonna need a, a CSP, they’re gonna need a consulting partner, they’re gonna need technology partners to sort of put together all the pieces of the puzzle to meet their specific needs.  That’s really sort of how we see it play out in the, in the, in the real world, where those 3 come to, come together in a trifecta to deliver solutions for the specific workload or agency. 


>> DREW EPPERSON:  Yeah, and, and yeah from the, from the security vendor side, I think, yeah, we’re spot on, right?  I mean this is, as we partner with both CSP’s like AWS, and we partner with federal agencies, or, or DOD entities, one a the things that may not be the most innovative sounding thing in the world, but something that’s important, is that when you look at how Gartner categorizes all of the emerging trends for cloud, most of them say that there’s the misconfigurations in cloud, that will then result in some type of negative activity.  And I think from you know the, the partnership side on the security piece, we as security providers and enablers, need to step into those environments and make sure that it’s both easy to deploy and also easy to configure and maintain security implementations that follow the best practice.  And so one of the simplest ways we can do that is take the regulations both by things like CISA and, and DOD CIO, DISA, we take those, we conform those into prepopulated automation templates, we partner with our, our cloud service provider friends like AWS, and we make sure that when  you deploy security infrastructure in cloud environments, that it comes off automatically deployed in the best configuration and that it’s maintained that way.  I think that’s one easy step that we can do to make sure that as our customers adopt more and more cloud, computing and cloud infrastructure that we are securing it in the most efficient way possible. 


I think the second thing that we can do there is, is also just innovate in how things have been historically accomplished.  And what I mean by that is, you know, Palo Alto Networks, one of the things that we invested in last year, was a company called Aporeto, and the reason we acquired them was because in cloud based environments, machine identity is, is difficult.  IP addresses aren’t as important as they’ve traditionally been in, in enterprise environments.  And so bringing new technologies like that to bear to make sure that we can deploy in safe and secure methods, using things like Zero Trust, you know, pinning identity to machines and instances, and making sure that there’s policy applied to those.  You know all of that is great, but I think it comes back to the basic point that if we don’t make it easy for customers to use and easy to maintain, it likely isn’t gonna be any better.  And I think that that’s the big driving force behind cloud security right now. 


>> EMILY JARVIS:  Wonderful.  Alright, so if I’m you know, one of these agencies, and like you just said Drew, there’s this real driving force behind you to, to consider the cloud and migrate a bunch of your you know services there, what are some best practices?  What are some organizations that I should be following so that I make sure that I am efficient and effective with my cloud and the utilization therein? 


>> DREW EPPERSON:  Sure.  I’ll take two, and then, I’m sure the (Laugh) the other panelists have lots of— This is an important question right?  What,  what are the best practices? That is a, a broad sweeping question that we could spend I’m sure hours on.  I’ll take (Laughs) two of the things that have, that are most recent, right,  most top of mind with customer engagements, customer engagements recently.  One is,  I, I feel like there’s a lot of focus put on the cloud environments themselves.  And then when we start engaging with customers, we quickly determine that there may not have been as much thought about how to securely access those cloud environments, and how both employees and organizations access cloud environments when we’re in the world of COVID-19 and everyone is remote.  And so there’s been a significant amount of effort put around things like TIC 3.0 in the civilian space, cloud native access points on the DOD side, how do we securely and efficiently get users into the cloud environments that enable their business.  And I think that from a best practice standpoint is a great place to start when customers are starting to chart their cloud journey.  How are you gonna get there?  How are you gonna do it efficiently and securely? 


I think the second piece for us, you know that, that kinda comes to mind when we start thinking of best practices, you said it earlier, most customers have a multi cloud experience right now, especially federal customers.  And so I think you know, instead of focusing on a specific cloud technology, or a specific cloud security concept, taking a broader approach to how do we get broad visibility, broad compliance monitoring, broad enforcement of a Zero Trust nature across multiple clouds, I think is a good starting place to then form how you would implement a multi cloud security strategy.  If you do them, you know, a security strategy for your on prem private cloud, hybrid cloud, and public cloud, and they’re all separate, they’re disjointed, they don’t, they don’t have a common visibility platform, or some type of common visibility dataset, it likely is not gonna be as, as efficient as it could be.  And so I think from a best practice standpoint, those would be the two that I would, I would call out, you know, from the near term experiences we’ve had. 


>> EMILY JARVIS:  Definitely. 


>> FAISAL IQBAL:  Yeah. 


>> EMILY JARVIS:  Oh  yeah go ahead. 


>> FAISAL IQBAL:  Yeah.  Yeah a few things to follow on there.  From what we’ve seen on the AWS side of the house from a multi cloud perspective, we definitely see a lot of agencies investigating multi cloud as a, as a directive.  But when it actually comes to deploying workloads, and actually seeing where applications live, we see 70 to 80% of those workloads still living primarily in one cloud platform.  And you know, maybe 10 or 20% landing in a second cloud platform.  Just, just because the… the knowledge, learning a cloud platform is… is, is, takes some work, takes some time.  And to sort of expect everybody in a, in every agency to know 2 or 3 cloud platforms, is a pretty tall order.  So we definitely would recommend that customers get good at one (Laugh), first, before they try to sort of swallow a whale and sort try to do multiple cloud platforms in the same… department or same agency, just to sorta keep things relatively simple.  I will say that you know, security at a high level is job zero.  That’s show(ing) we think about it within our organization.  And how we encourage customers to also think about baking into the process.  And what we, and governance in a cloud environment is a key part of that.  So, you wanna make sure that you’re establishing the guardrails, identifying sort of the right users, authentication, enabling encryption by default.  Not letting users make mistakes, right, and baking in by policy. 


And a lot of things that our partners and we have done jointly, is to sort of create those solution environments that allow you to sort of very easily come in, do what you need to do, deploy a workload or application without running into some a those paper cuts where you’re gonna make a mistake from a security perspective.  And I do wanna reiterate that although security is a big part of, of our mission, we don’t wanna necessarily sacrifice, or you don’t wanna sac—think about sacrificing the innovation aspect of the cloud.  One a the great things about cloud in general allows people to experiment and fail quickly, try a new way of doing things.  And we, sometimes we see agencies, again, locking down their cloud environment even more tightly than they would do on prem, to keep it safe, and they sorta stifle their innovation, and their agency’s ability to, to sort of experiment with new technologies and services because of that.  So I would just make sure that… you, there are, is an approach to sort of keep it balanced, to sort of keep that security bar very high, while enabling folks to still experiment on nonproduction data, or in development, or sandbox environments in the cloud space. 


>> EMILY JARVIS:  Wonderful.  Alright, Faisal, anything we, (Laugh) the other two didn’t mention that they should have, when it comes to best practices? 


>> BRAD BEAULIEU:  Yes, that was, this is Brad here.  Um… you know, I definitely echo what they’re saying.  I think… having a mindset of it should be easier to deploy something securely, rather than to, to make a mistake and, and, and along that path, rather than preventing someone, uh, a, a service, or preventing someone from doing something, enable it to be done in a secure way.  And taking that… that, that mindset.  And… you, you know, the other, the other thing again that I see around the, the multi cloud, multivendor, versus agnostic approach, …I think it’s best to think about in architecture, an approach that is… modular or decoupled, so that if it turns out the, the path you’re going with, the vendor you have, or the cloud service you’re using, is not the right one, you’re not stuck using it, you can change it to another one.  So, so rather than wasting, or, or spending a lot a time building some agnostic platform that can work in a lot a different vendors, that ultimately doesn’t take advantage of, of anyone in, in a particular way, can be a much better approach, and you can more efficiently achieve your goals and change and adapt as you see fit. 


>> EMILY JARVIS:  Wonderful.  Alright, so, I, we’ve been talking a lot about you know how things are going, the process that you go through.  I wanna do my favorite thing, and I want you all to peer into your crystal ball a little bit.  And let me know, you know, what changes do you see, in how government organizations will adopt, use, secure cloud services.  What’s on the horizon in the next 3 to 5 years?  Because we know a lot of change has already come about in 2020 in response to the COVID-19 pandemic.  So Brad, starting with you on this one, you know, where do we see government going, and what pivots do they have in store for them? 


>> BRAD BEAULIEU:  Yeah, I’m actually gonna fill out a little bit something that’s all, already been mentioned.  And I think it’s, you know, we mentioned TIC 3.0, or the, you know trusted internet connection (Um-hm) approach that the federal government is taking.  It’s really a change in philosophy.  Moving away from centralizing or aggregating all of your security and visibility control into a single location on premise, and instead, you know really focusing on… you know security enforcement points and definition of trust distributed to, to users, to endpoints, to different cloud environments, right?  So, so branch offices rather than connecting into a centralized headquarters through, a VPN tunnel, they’ll connect security to, directly to those cloud services.  And, you know, this, and, and especially in, in this world where, you know everyone is, is suddenly remote, I, I think is really accelerating that approach of securing the, the user’s experience with, directly with their, their services that they’re consuming from, whether it’s on, on premise or in the cloud.  And it’s gonna result in a much better user experience from a, from a performance and, and… you know usability perspective.  But also I think it’s gonna make it more secure, by… adapting our security and visibility monitoring and enforcement points to, to the user, to the endpoint, to how they’re interacting with that service, is gonna be much, uh, a much better way.  And, and really with, as we take a look at, at some of these new technologies, you know, as, as 5G starts to become you know more ubiquitous, we’re just gonna see exponential growth in connected devices at the edge, distributed, using a, a number of different ways of connecting to, to, to the internet and to one another.  It’s the approach that has to be taken. 


>> EMILY JARVIS:  Faisal, anything to add  there? 


>> FAISAL IQBAL:  Yeah.  I mean I agree.  The… (Laughs) when we think about, when we think about a network, right, we traditionally have thought about it as hey, we’ve gotta build a moat around the castle, and, you know, (Um-hm) put some really big protections around sorta the castle to make sure that we keep the bad guys out.  And, cloud flows up that model, where now we’re, it’s in a ubiquitous network, can be accessed from anywhere.  So having specific entry points in and out is important to control and monitor.  I also think that at, at a higher level, what we’re gonna see happen is, we’re gonna see more and more move towards up the stack services, which decreases just the surface area for potential sort of attackers.  So, where we’re less focused on managing individual servers, and now we’re sort of managing a platform for consuming a SaaS based application.  And, each of those will sort of bake security in, from the provider perspective and allow agencies to worry less, right, about sort of having to manually manage those, and put that responsibility back onto the cloud service provider or the SaaS provider, to sort of manage the risk, and security on. 


So I see us moving and the industry moving towards adopting those, just because it, it relieves some of the underlying pressure of the security responsibility.  IoT is sort of the next, IoT and edge computing is sort of the next generation of what we expect the cloud and computing to really move to.  So, today we have to send data to… datacenters, which live in the cloud somewhere in different parts of the country or the world.  That is not good enough for real time applications where I need a machine learning model will tell, to help me identify a tumor, while I’m doing surgery live, right?  It doesn’t help me identify a combatant on a war, on the, on the, on the war, um, on the field of war, when I need to sort of identify… somebody very quickly, right, because that takes processing time.  So, the real power of the cloud, we think will sort of be really enumerated when we move towards these edge, edge type use cases, where latency is drastically reduced, and you can get those insights, that data analysis, that machine learning, really at the edge of what you’re doing, in, in a split second fashion, instead of having to wait for the cloud to crunch it and send it back to you.  And that will really change the way how we build applications, and how we think about experiences for, for not only government, for, for consumers overall.  So that’s gonna be pretty exciting in my opinion.


>> EMILY JARVIS:  I agree . . .


>> DREW EPPERSON:  Yeah, I mean sure, I would pile on, it’s always nice going last, ‘cause you can just agree with all the smart things other people have said.  Um… but I think what we’re seeing right now in the, in the industry and specifically within federal, is this idea that cloud enabled technologies are the next, the next kind of innovation horizon.  And I think we’ve named almost all of ‘em, right?  5G, IoT, edge computing, artificial intelligence, machine learning.  All of these things that our customers are talking to us about have security impacts and constraints that we need to plan for.


But I think as we, as we emerge more and more into a 5G world, or an IoT deployed world, there’s gonna be a point where sometimes we might even forget that cloud computing is the enabler sitting behind that.  And, awkwardly enough, I mean it would be like us having a conversation 5 or 10 years ago, wholly around datacenters and forgetting about all the things the datacenters provided us, right?  And I think as we get closer and closer to some a these new emerging technologies, cloud is just gonna be this ubiquitous infrastructure behind it that’s gonna make it all work.  And I think the only way that that could, that will likely be sustainable, especially in environments like ours that are, that have a need to be highly secured, is to make cloud security easy, right, where it can be done without massive amounts of teams of people setting and maintaining all of these environments on a daily basis.  There will still be people and there will still be processes that need to take place, but when we’re focused on, you know, to Faisal’s point, the 5G impacts, or the IoT impacts, to the mission and to, you know human life out in hospitals.  You know, the last thing somebody wants to think about at the edge is, how is my cloud configuration maintained and secured, right?  They’re using the output of it, they don’t want to necessarily maintain all the infrastructure and have to worry about that on a daily basis.  I think that… from a security innovation standpoint is where we have to get.  Where it’s delivered, and the outcome is what we’re focused on.


>> EMILY JARVIS:  Alright.  It is now time for our third and final poll question.  And for this one, we wanna know have you found, are you finding that security is a hindrance to migrating to, or operating in the cloud.  So I’m gonna give you a few seconds to answer that question.  And while you do, I wanna remind our audience to throw some questions into the Q&A portal.  So Drew, I’m actually gonna come to you first on this one.  I know you said you like to go last, but you know, I’m a honey badger, and I’m just throwin’ it your way first.  We, you were talking a lot about you know, some of these possibilities that are coming with edge computing and IoT and… rethinking the way you’re even kind of coming up with these applications.  You know, what are some lessons learned that agencies can take from some of the pioneers in this field?  I know you guys were mentioning the DOD.  What are some things that other agencies can really take as some quick lessons learned, things that they can implement as they explore these possibilities?


>> DREW EPPERSON:  Sure.  Yeah I think I would start with just a, a pretty common observation, but something that maybe isn’t thought about when people are embarking on these changes.  These emerging technologies that we’ve discussed are highly connected.  The Department of Defense is a great example.  You know there’s a lot of current pilots around 5G deployment.  Those 5G deployments are being used for things like smart warehouses.  Smart warehouses use things like IoT sensors.  Those IoT sensors and the way that those are processing data, typically rely in some case on machine learning or some, you know base version of artificial intelligence, in what they’re processing and how they’re communicating.  All of that is, is very much connected into this cloud journey. 


And… you know I think there is a, you know a possible pitfall here, to focus on the specific technology without necessarily looking broadly, macro lens of the entire you know outcome that you’re trying to pursue.  And then finding all the points that these converge.  And I think you know from this conversation it’s pretty obvious, but a lot of those things converge in their delivery in cloud computing.  And, you know again, I think if we don’t take a very thoughtful approach to how we both architect, deliver and maintain both the in-state technologies people are using, but also the infrastructure that enables it which would be cloud, then, you know, we, we could fall into this same legacy trap, which is, you know, if I’m the 5G team, I’m gonna have my implementation in my cloud.  And if I’m the IoT team, I might have my implementation in my cloud.  That, that kind of goes in contrast to what we had I think originally hoped as an industry for cloud, which is that to Faisal’s point, you know, one cloud, even if it’s only 80% of the stuff that you have, it makes it easier to get common visibility, common constraints, guardrail, security through automation, there’s a lot of benefit there.  And, it would, it would be unfortunate if all these things break into silos and, and do not you know converge in the back end for a more centralized security deployment. 


>> FAISAL IQBAL:  That, that’s a great point, right.  The, the culture aspect is about… cloud being an enabler to drive… an innovation of your agency’s culture, to move away from sort of stovepipes, towers, of expertise, into really that agile culture that is cross-functional, sort of collaborative, and can learn and support each other, right?  ‘Cause I think historically, we’ve lived in a world where that’s not my responsibility, right?  That’s responsibility of the security team, right?  Or that’s responsibility of the operations team.  The cloud changes all that, where we all have to take ownership of applications from sort of cradle to grave, and we’re stakeholders in securing them and delivering them, and making sure that they deliver the experience that we expect them to deliver from the mission.  I think that’s a great point which we don’t stress enough, about how cloud should change how agencies and corporations think and act.


>> EMILY JARVIS:  Alright, the results of the third and final poll are in.  And when asked so have you found that security is a hindrance to migrating or operating in the cloud, 44% said yes, 31% said no, and 25% weren’t quite sure.  You know Brad, in some ways these results are a little bit surprising to me, based on kind of what we’ve been talking about so far, and kind of the roles and responsibilities going forward in kind of the migration process, and how you can alleviate some of these security concerns or hindrances.  Do these results surprise you, or is this what you expected to see?


>> BRAD BEAULIEU:  Yeah I think there’s a lot a different ways to look at that.  Let me go back to one example of an agency that… you know they had a presence in the cloud and they were experiencing you know a series of denial service attacks.  Their on premise environments, they had good visibility into you know the areas that were targeted, whether or not they were successful, and also the information insight in, into those attacks.  But they didn’t have much of an idea of what was happening in the cloud.  And… I think the real reason for that was…their approach for security was a hindrance.  And it was enforcing the old ways of thinking about visibility and security in the cloud, or thinking about you know security and having a strong perimeter around their systems does not work, and, and was not effective in the cloud environment.  And so I think that by taking that approach of, that we’ve already talked about several times here of… you know leveraging cloud native services, distributing visibility and, just, you know taking advantage of what’s available, and the cloud security capabilities these providers are implementing for us and for you, is going to give you those, those insights into the cloud, and give you much more visibility.  So I think you know, there’s, the, part of the, some of those experiences that I’ve seen and approaches, are reasons why you might see some say it’s a hindrance, and others say it can be a benefit. 


>> EMILY JARVIS:  Got ya.  Alright . . .


>> FAISAL IQBAL:  I think, I think we . . . .


>> EMILY JARVIS:  Yeah, go ahead. 


>> FAISAL IQBAL:  We saw, we, we, I think we saw security as a hindrance more so in the past.  (Um-hm)  We’ve seen a lot of high, highly visible agencies stand up and say cloud is more secure than what I can do in my own datacenter.  And that’s really I think changed and paved the way to sort of remove security as like the number one blocker.  I think everyone would agree that most of the cloud service providers are investing… tons of money in not only securing their infrastructure, but also with compliance, far more than any agency could do on their own, or even any corporation.  And being a part of that infrastructure to really enhance the overall posture of that organization’s data is, I think is a big, big win if they can do it.  We see agencies that have built like servers running in cloud, that’s servers running underneath somebody’s desk, right?  (Um-hm) And agencies sometimes just don’t have the visibility to know what’s happening there.  Are we losing data?  So I mean like, with cloud, you get complete visibility in terms of what’s happening in your environment. You have automated tools to secure, validate, comply, audit, across the, the environment.  And it really sort of takes, removes the ability for somebody to sort of set something up in their own environment without you getting sort of control of, uh, control over or visibility of it.  So I think that’s the big benefit that, that folks sometimes stumble over.  And sometimes they also, just ‘cause it’s a new world, learning new technologies, learning how we secure things in the cloud, and how they’re different verse on prem, is sometimes just a little bit of a learning curve.  But I think most folks would agree that cloud is more secure than a traditional datacenter, and it’s, it’s about getting folks sort of on the same page as agency at, regards to that message. 


>> EMILY JARVIS:  Got ya.  Alright.  I have a few questions in here for the Q&A portal.  So in the 3 minutes we have left, we’re gonna do this in rapid fire format.  So Drew, first question over to you.  How do federal cloud efforts align with state cloud efforts?  Is there a collaboration?  Are you seeing kind of the same trends that you’ve been talking about on the federal side, on the state and local side as well? 


>> DREW EPPERSON:  Yeah.  (Um,) we are.  You know most of what happens at the federal level has some, you know, has a parallel track with state and local specifically.  You know obviously state and local governments are concerned about the same data separation, privacy, concerns that federal has.  You know good news is federal has an entire process around FedRAMP, and, and what that means.  (Um-hm)  And so you know, there’s, there’s obviously some overlap there.  Yeah also I think on you know the private sector side, we’re taking the lessons learned that we have for instance from Palo Alto Networks on the federal side, and sharing those with our, um, with our SLED friends within our company, just to make sure that what we’re doing for our customers and what they’re doing for their customers, we try to align where possible, and share best practices.  And we’re also, you know, where possible, creating automation and, you know infrastructure as code templates to support both SLED and Fed, um, broadly, because to your point, they do have a lot of the same security concerns and compliance needs.


>> EMILY JARVIS:  Definitely.  Alright Faisal, a question in here for you.  Five years from now, what is your expectation of what percentage of workloads or applications will be in the cloud for most major federal agencies?  Now (Laugh), we’re not gonna hold you to this percentage, but give us a ballpark here, of what you see in the next 5 or so years. 


>> FAISAL IQBAL:  It’s hard to make a percentage, but I will say that (Laughs) like we have seen like corporations go all in on cloud, where they’re completely eliminating their datacenter footprint altogether, and deploying everything in cloud.  From their internal infrastructure, leveraging SaaS.  So like all in on cloud is a real thing, and corporations on the commercial side of the house have been doing that for years.  I think we see some agencies, which are newer agencies, go completely cloud, like they’re born digital.  (Um-hm)  We see like a big trend and success of those.  But I think we’re gonna see a vast majority of those workloads move over the next 5 years, where you’re gonna see a lot more workloads in the cloud.  Probably more so in the cloud than even on prem.


>> EMILY JARVIS:  Wonderful.  Alright, Brad, you’ve got the hardest job of all here.  You, you’re in wrap-up mode.  We’ve talked about so much on today’s training.  What is one or two things our attendees should take away? 


>> BRAD BEAULIEU:  I mean ultimately I think what we’ve heard today, cloud migration is an opportunity, it’s a fresh start.  If, you know if you haven’t yet begun your journey, you know, keep; don’t be fearful.  (Laugh) Don’t fear the cloud.  And, that works even for agencies that have already gone all in.  There’s lots of opportunity.  In fact, it’s probably much easier to transform your systems if you’re already hosted in the cloud environment.  And, probably the, other thing that, that I wanna look at is, you know what’s, what’s on the horizon, what do we see in the future.  I think it’s really, uh, as we’ve seen today, you know, since, since the COVID-19 has forced us to completely change how we operate, it’s really hard to predict exactly what’s gonna happen.  So it’s, we need to be prepared (Um-hm) to, uh, uh, adopt, uh, adapt, and change your approach quickly, and take that, you know more nimble, more agile approach, and, and use your cloud migrations to, in get those governance and that… philosophy in place.


>> EMILY JARVIS:  Alright, I think that is a perfect way to end up, because unfortunately, that is all of the time we have.  I wanna thank Brad and Faisal and Drew for sharing their insights with us.  We are giving you a virtual round of applause, so I hope you feel it at your home offices.  And I want to thank our partners at Booz Allen Hamilton for helping us put on this training.  I do have a few quick reminders before we head to the next session.  You can find this session on demand in the conference hall in about 30 minutes.  We’ll also be emailing you a link to the entire virtual summit tomorrow.  You’ll be able to access all the sessions again, as well as the more than 50 related resources.  Our goal with these trainings is always to provide you with the tools you need to help you do your job better.  But the great content isn’t over yet.  Up next at 1:30 you have a training, How to Proactively Detect and Prevent Security Threats with AI Driven Analytics.  You’re definitely not gonna wanna miss out on that great content.  In the meantime of course, you can download those resources in the Learning center.  The more resources you download, the better, and we’ll see you at the next session.

Cloud migration solutions for the Federal Government

For federal agencies, cloud solutions have become a critical enabler. Cloud has empowered agencies to shrink their IT footprints. It’s allowed them to streamline their business operations and provide more flexible work options to their employees. Perhaps most importantly, it’s let them embrace digital-first approaches to providing government services to an American public that’s increasingly online. 

Now, as emerging technologies like 5G, edge computing, and artificial intelligence come to the fore, cloud is the flexible foundation empowering agencies to integrate and leverage these powerful tools.

For authoritative advice on how agencies can take full advantage of all that cloud has to offer, watch a recording of the Fearless, Secure, and Compliant: Optimizing the Cloud webinar. Recorded as part of GovLoop's Innovation Summit held on September 2, the webinar features a panel of cloud solutions experts, including Booz Allen cloud security architect, Brad Beaulieu. 

Among other things, the panelists explain how cloud platforms, environments, and computing power allow government agencies and organizations to transform operations. This is true even for programs that function within highly secure and regulated environments. 

What You’ll Learn:

  • Going beyond compliance and utilizing the cloud to achieve organizational objectives
  • Optimizing and automating cloud solutions, whether private, public, multicloud, or on-premise
  • Assessing changes in your security perimeter as you adopt cloud computing infrastructure and move to the cloud
  • Understanding the ways that organizations will adopt and secure cloud migration services in the future


  • Brad Beaulieu, Cloud Security Architect, Booz Allen
  • Faisal Iqbal, Manager of Federal Solutions Architecture, AWS
  • Drew Epperson, Director, Solutions Architecture for Palo Alto Networks Federal
For more on the hows and whys of today’s cloud services imperative, read our publication, Fearless Migration, Cloud Security is a Necessity in Today’s Interconnected World.