As cloud computing continues to become more of an IT staple than a trend, government agencies are increasingly committing their critical information, such as e-mail and official records, to cloud-based services.
The cloud offers benefits ranging from maximizing capacity utilization, to enabling flexible historic data retention and access, to improving IT responsiveness and lowering costs. Yet government agencies continue to have genuine concerns about the risks of storing critical and often sensitive information in the cloud. Key questions include:
- What organizational information will be stored, processed and accessed through the cloud?
- Will a cloud storage solution comply with record retention requirements?
- Which cloud architecture best meets our agency’s needs?
- Most importantly, will the information be safe from outside threats?
Many federal agencies believe their information—particularly classified and national security data—may be too sensitive to move to the public cloud. As a result, there has been an increase in the availability of government community clouds, like AWS GovCloud and Azure Government, using private clouds and hybrid clouds that integrate private and public systems to assure greater security control.
As agencies evaluate cloud security, architectures and controls for their comprehensive records management solutions, they should use well-defined evaluation criteria, including:
- Secure hosting. Can the cloud services provider (CSP) and integrator ensure all government security concerns are addressed regarding data location and data access? For example, can they host all services and information in the contiguous U.S., managed by U.S. personnel with government background investigations, to reduce security risk.
- Federal Risk and Authorization Management Program (FedRAMP) Authority to Operate (ATO). Does the CSP have a FedRAMP or Defense Information Systems Agency (DISA) provisional ATO for Infrastructure-as-a-Service to ensure the latest security controls and continuous monitoring methods are implemented to secure critical IT assets? Several cloud providers now offer FedRAMP clouds meeting High Impact Level, and DISA Level 4 and DISA Level 5 cloud authorizations.
- On-demand “as-a-service” capability. Can the CSP offer enterprise information management solutions, including records management and eDiscovery as-a-service, on a secure highly-scalable cloud platform? A key objective of the as-a-service approach is to allow agencies to leverage the benefits of a secure, unified service while avoiding the complexities and costs found in implementing traditional information management solutions.
- Analytics and automation. Are business analytics and automation services available? These could include workflow and case management, eDiscovery, eFOIA and integration to enterprise resource planning, among other line-of-business systems.
- Flexible management approach. Does the CSP provide flexible hosting options and comprehensive services that ensure the availability of information, enable upgrades, and include disaster recovery to support continuity of operations?
With the right approach, federal agencies can realize the transformational benefits of cloud-based information management and recordkeeping without fear of compromising the security of their data. Learn how CGI’s secure, compliant Records Management as a Service (RMaaS) delivers the benefits of the cloud while protecting sensitive agency information.
About this author
Director, Consulting Services | CGI Federal
Martin Heinrich currently leads the Business Automation team of CGI Federal’s Emerging Technologies Practice. He is a strategist and management consultant with more than 20 years of experience delivering mission-critical business solutions to government and commercial organizations. An expert in the enterprise content and records ...