Federal agencies face growing pressure to move their cybersecurity operations to the cloud, a potential boon to shared service providers and companies offering security as a service.
The White House and the Department of Homeland Security want agencies to move to cloud-provided network security, likely bringing new business to federal cybersecurity shared services providers, companies currently providing continuous diagnostics and mitigation (CDM) through DHS, and companies offering security operations centers (SOC)-as-a-service (SOCaaS) in the cloud.
Most SOCs today are facilities where highly trained teams works 24 hours a day to stave off or find, analyze and respond to cybersecurity incursions, and to ensure compliance with cyber regulations.
A drastic shortage of cybersecurity workers is making on-premises centers too costly and the rapid move to cloud computing is challenging their expertise. These difficulties are exacerbated for federal agencies by a powerful mandate from the White House Information Technology Modernization plan released in December, giving them little choice but to turn to cloud SOCs.
“Agencies now realize that they cannot possibly maintain cyber defenses strong enough to defeat many cyber attacks. They therefore need to leverage the capabilities built into commercial clouds,” wrote Alex Rossino, senior analyst at federal market data firm Deltek in September.
“When I look at a visionary view of cyber, I think this is really where we are headed,” Barry West, DHS senior accountable official for security, told a chief information security officers summit on Jan. 25. West, who has served as acting DHS deputy chief information officer, acknowledged that considering private sector SOCs as a service marks a rapid evolution in cloud acceptance by federal agencies, which once strongly resisted moving to the cloud due to security concerns.
Government isn’t alone in abandoning terrestrial SOCs. The private sector can’t afford escalating cybersecurity salaries, either. “[Chief information security officers] and technology leaders contemplating building their own SOC should be very cognizant of the cost and staffing implications involved in this approach,” Siddharth Deshpande, principal research analyst at IT advisory firm Gartner, warned companies in October. “There are plenty of alternatives to building and staffing an in-house SOC, and companies should explore them,” he urged.
The federal IT modernization plan says outdated cybersecurity practices are hindering agencies from moving to cloud solutions, which it calls “more secure than current agency IT environments.”
The DHS CDM program focuses on securing networks hosted on agency premises, versus cloud-hosted systems, the plan notes. And CDM security teams and SOCs may not yet have the expertise to defend cloud architecture. So the plan orders DHS and agencies, with the General Services Administration, to hasten acquisition planning and task orders to implement CDM phases 3 and 4 and future work, to include cloud security.
In addition, since not all agencies can afford to establish SOCs, especially for cloud applications, the plan orders DHS, GSA and the Office of Management and Budget to identify agencies that have SOC capability and can offer it as a service to others. Additionally, OMB is to identify agencies with insufficient SOC capability and direct them to plan to transition to SOCaaS provided by government shared services or companies.
