After years of proposing Bring Your Own Device strategies, the U.S. Army has embarked on Phase III ... [+] of its BYOD Pilot.

The U.S. Army is testing a mobile device application that would let its Soldiers and DoD civilians access the Army Cloud using their personal cellphones or laptops. But theres some confusion about the app and the extent to which it will be used.

For context, its worth explaining that the Army and other services have enabled service members and DoD civilians to work remotely via Government Furnished Equipment (GFE) for over 15 years. The once ubiquitous BlackBerry phones that Soldiers, Airmen, Sailors and Marines carried for years exemplified remote work.

Uncle Sam paid for and supplied these devices and users were/are expected to conduct only official business on them, with the resulting phone in each hand a common sight among service people and government officials physically segregating their professional and personal communications. But a lot has changed in the last decade.

The Army and other branches followed and began to embrace the commercial technology evolution that has brought us digital cloud storage and software-as-a-service (SaaS). For the Army, and the rest of the world, that embrace became a bear hug when COVID-19 hit in 2020.

At the height of the Pandemic the Pentagon turned to a commercial solution for the vastly expanded telework work it believed was necessary to continue to function, enabling Microsoft MSFT Office 365 mobile capability for the military/civilian workforce. The capability was well received but in the span of less than a year DoD recognized it wasnt particularly secure. In June, 2021 Office 365 mobile capability was turned off.

To work remotely and access the cloud, users reverted to their GFE. As they did so, the folks running the DoD cloud enterprise were already asking the question - Do they have to use government funded devices?

Bring Your Own Device

With Microsoft Office 365 connectivity disabled, the DoD CIO and the respective service CIOs established separate pilot programs to assess the potential for military personnel and civilians to work remotely using their own cellphones and laptops. The Pentagon refers to this strategy and to the separate service pilots as Bring Your Own Device or BYOD.

The Army, Navy and Air Force each have their own BYOD Pilots though the Armys Pilot - now in Phase III - is likely the most mature. The goal of BYOD the Army says is to extend the convenience of teleworking on just one device to Soldiers and Army civilians. Essentially, its another app on your phone. A service member can walk out of the Pentagon or off-base, go to the store and still be connected to official business via his or her personal device.

BYOD may also save the service considerable money Army CIO, Dr. Raj Iyer says.

Army CIO Dr. Raj Iyer says its BYOD Pilot is demonstrating the convenience and potential cost ... [+] savings of having Army personnel use their own devices for official business.

We know that there are savings to be had. If you look at the total cost of ownership of government furnished cellphones and how much we pay for data services from the telecom providers, theres an opportunity to reduce those costs by switching to BYOD.

How much potential savings from dropping GFEs/data could be realized is one of a number of issues relating to BYOD over which there has been some confusion. Chief among these has been what kind of work it will enable users to do.

Lieutenant General John B. Morrison, the Armys Deputy Chief of Staff for Command, Control, Communications, Cyber Operations and Networks (G-6), emphasizes that BYOD is largely for administrative work. Technically, it is cleared to carry up to Impact Level 5 (IL 5) information including unclassified and controlled unclassified information the Army says. It is not for use for classified work, communications or data sharing.

Moreover, the Army BYOD Pilot is limited to the strategic administrative level, typically for in-garrison users within the U.S. However, the G-6 is working through use cases outside the continental U.S. LTG Morrison says so personnel in Europe, Africa or South Korea may theoretically be using their own devices through BYOD one day.

Deputy Chief of Staff, G-6 Lt. Gen. John B. Morrison, Jr. emphasizes that the Army's BYOD Pilot is ... [+] evolving and will go forward based on its productivity, security and a cost-driven business case.

While General Morrison says there has been no discussion of using the Bring Your Own Device approach in tactical scenarios at this time, he does not rule out the possibility. That would surely raise additional security concerns and Morrison adds, Were very mindful of the capability some of our adversaries have to use cellphones to do direction-finding and identification.

But for now, BYOD is a tool that replaces the GFEs mostly carried by those at the Army leadership level Morrison says. That includes a fair number of people. Phase III of the pilot will extend to 20,000 users.

Dr. Iyer says it can fully scale to over 20,000 users including National Guardsmen and Reservists whom the Army has also included in the Pilot. If, as LTG Morrison says, the Army will use Phase III to look at other use cases BYOD may have to expand beyond the above number.

The user population brings the BYOD proposition back to cost. If the Army can eliminate the need to provide 20,000 devices, it could probably save come coin. But this proposition has some wrinkles.

For one, both Gen. Morrison and Dr. Iyer stress that the Pilot (and ultimately a program) are strictly voluntary. However if the user base is smaller than anticipated, the cost of acquiring the commercial license for the BYOD app and maintaining its link to the Army cloud may outweigh the savings from handing out fewer phones.

The participation of Guardsmen (both Army and Air Force) and Reservists introduces another nuance to the cost equation. In addition to LTG Morrison and Dr. Iyer, I spoke with Kenneth C. McNeill, CIO at the National Guard Bureau who affirmed that Phase II BYOD testing with Guard Soldiers and Airmen went quite well.

He points out that only a relative handful of Guardsmen (and Reservists) actually have GFEs. To communicate and conduct official business, they have to go to an Armory or other post. When they respond to hurricanes, floods or [provide] whatever support theyre asked to, McNeill said, this will give them the capability to stay connected, pre and post mobilizing.

But since Guardsmen and Reservists who volunteer to use their own phones currently have no GFEs, their participation effectively represents no saving. The convenience may be welcome but Morrison acknowledges, We will do due diligence on whether it fiscally makes sense to move this forward.

Some in the cybersecurity community have already been asking whether moving forward with BYOD makes sense. While Army BYOD is not a classified system, penetrating it would still yield potential insights for U.S. adversaries like China which has derived real benefit over the last three decades from open-source intel, let-alone controlled information.

The Army is cognizant of this and with security foremost in mind, it has given BYOD a Halo.

A Security Halo

The key to BYOD is the ability to securely connect users personal devices to the Armys enterprise cloud environment. Known as cArmy, the services cloud currently offers shared services in the Amazon AMZN Web Services (AWS) and Microsoft Azure clouds at IL 2, 4 and 5.

To enable BYOD the Army turned to Hypori, a Virginia-based SaaS firm which has developed Halo cloud-access software. Halo renders applications and data that reside inside the cArmy cloud on a users device as pixels.

These virtual images allow users to interact and work within cArmy, without any actual transfer of data. Raj Iyer describes Halo-enabled phones as dumb display units which show representations of email, scheduling, spreadsheets or other applications hosted by cArmy. None of it resides on the users device.

This approach largely shifts security from the device to the cloud itself. It allows the service to focus its efforts on defending a single point - cArmy - rather than a collection of phones or laptops. The Army controls access to the cloud (right down to physical access to its servers) and constantly monitors the environment.

Hypori's Halo cloud software connects mobile devices to applications in the cloud via a pixel ... [+] presentation. No data is actually transferred to or from the edge device.

If an anomaly pops up inside cArmy, the Armys Enterprise Cloud Management Agency tells me that it is confident it can rapidly detect and identify an intrusion and defend the BYOD environment. Halo-enabled BYOD has been repeatedly red-teamed Iyer says, passing these evaluations with flying colors and outperforming the solutions the Navy and Air Force have chosen.

Despite their high level of confidence in Halo, both Iyer and General Morrison acknowledge that one can never-say-never in cybersecurity matters. The same centralization in the cloud allows U.S. adversaries to focus their own resources on a single target - cArmy.

While no data rests on the device, the vulnerabilities that always exist at the intersection between hardware, software and the internet remain as does the threat of what the Army cannot control. That stretches from the industrial architecture underpinning the cloud and cloud vendors (Amazon, Microsoft) to the risk of insider exploits.

One of the most notable cloud breaches was publicly acknowledged last May when news broke that in 2019 a former AWS employee exploited her knowledge of cloud server vulnerabilities at Capital One COF and more than 30 other companies to steal the personal information of over 100 million people, including names, dates-of-birth, and social security numbers. The possibility of such an insider breach of BYOD or other cloud systems rings as real to the Army as the name, Bradley Manning.

Even though the Army BYOD is currently intended for non-classified work, LTG Morrison stresses that, Weve baked cybersecurity in early and often and well do it again if we go live and do continual assessments to ensure that we adequately secure the capability were providing.

What was interesting to us about Halo was that we could implement it on devices that were unmanaged, Dr. Iyer says.

Other BYOD solutions come with a Mobile Device Management (MDM) approach which requires the environment (cloud) owner to take control of the device, typically to ensure security and compliance issues. For users, MDM raises privacy concerns which might prove a significant obstacle to adoption. But there is no MDM with Halo. The Army does not control the users device and cannot see beyond its own cloud boundary.

Before BYOD, one of the things we consistently heard from our users was that they didnt want their cellphones to be monitored or wiped if there was any potential [data] spillage, Iyer acknowledges.

The Army G-6 is confident enough in the privacy and security of Halo that I was told that there would be no obstacle to users having it on their phones - right next to Tinder, Reddit, or even TikTok.

Convenience or Burden?

As noted, adoption will be key to BYOD. General Morrison notes that the cost savings it may help the Army realize are up there in terms of importance with the productivity gains and security expected with BYOD. Its success in delivering on this trio of elements will determine a path beyond the current Pilot.

We will do due diligence on whether it fiscally makes sense to move this forward, Morrison affirms.

Users may ultimately have to weigh the convenience of using their own devices for official business with the cost. Some observers have already questioned whether BYOD simply shifts the burden of ownership of appropriate devices with sufficient data plans, identity security, and personal accountability from the government to the individual.

Having the right phone may or may not be a hurdle. In fact, my discussions with the G-6, General Morrison, Dr. Iyer and Hypori illustrated some cloudiness on the issue.

According to the G-6 there will be a list of approved devices which would not include phones no longer supported by their original equipment manufacturers like older Android and Apple versions. An iPhone 6, for example, wouldnt be acceptable. (Nor presumably, would a Huawei phone.) A signed user agreement for BYOD would also require that device owners maintain the latest security updates to remain eligible to work via the app.

However, Raj Iyer differed with the strict notion of approved devices, telling me that a user could bring just about anything to BYOD. Because it is an unmanaged solution, there are no specific requirements for what cellphone you bring. God forbid if you have a BlackBerry somewhere, that might work too.

I was later told Dr. Iyer was joking about the BlackBerry but the impression is that almost anything goes. To be sure I checked with Hypori CEO, Jared Shepard.

Shepard re-emphasized that Hypori Halo is a zero-trust platform which assumes that all edge devices are compromised. By design, it does not allow interaction of data from the protected environment with the device.

But he added, As a Security best practice we recommend that only devices that are still supported [updated and patched] by the manufacturers be allowed. This allows a tremendous amount of flexibility for devices new and old [many 4-6yrs old or more]. Currently iPhone 6 and 7 are still supported by Apple.

We will learn how this capability reacts to different kinds of phones that are out there, Morrison concludes.

As with other aspects of BYOD, the Army will have to have consistent messaging on its user requirements. These include identity. According to Iyer, BYOD employs multi-factor authentication (MFA, passwords augmented by scanning a fingerprint or entering a code received by phone for example).

However, the user identification system employed may also limit devices that can be used with BYOD. For example, Cisco Systems Duo MFA device requirements include a Secure Startup mode and a Cisco-approved operating system (Android 7 or higher) among other things.

Dr. Iyer points out that the Armys enterprise IT management system not only identifies but tracks BYOD phone locations. If a phone operating in Washington DC pops up three hours later in China, somethings obviously wrong. Devices will generally have to indicate active use inside the U.S. While the Army wont have access to personal data, dropping a GFE device wont allow users to go un-tracked.

Iyer says he has seen tremendous excitement about BYOD on social media, suggesting a population eager to embrace the scheme. But given its rollout largely to a group of more senior Army and civilian users, there may be less enthusiasm for yoking ones personal device (and consumer data plan) to BYOD than for a broader cross-section of the Army.

Indeed, one senior Army National Guard officer with a background in cybersecurity told me that while he thinks BYOD may be a useful convenience in the future, hed likely stick with his GFE. Since BYOD is strictly voluntary, potentially eligible users could elect to stay with their government furnished phones prompting a question as to whether personnel who decline to participate might worry about the career implications of taking a pass on BYOD.

This is not going to be viewed favorably or unfavorably, Dr. Iyer assures. I believe that the majority of our users will want it.

Kenneth McNeill thinks people will eventually get comfortable with the idea and says theres already a sizeable group of Guardsmen and Reservists volunteering. General Morrison characterizes early adopters as BYOD champions, people who are helping craft the tactics, techniques and procedures for its use. As Phase III progresses the Army will evaluate its expanded mix of users, continually reassessing the Pilot and iterating the app. How BYOD will ultimately take shape isnt known yet Morrison acknowledges.

Were being very pragmatic, he stresses. That includes putting BYOD through several legal reviews. Army personnel and DoD civilians will have the last word, ultimately making it clear to the service whether theyre comfortable enough with the privacy, security, cost and convenience of personal devices as a gateway to the Army cloud to bring their own.

More:
A Plan to Let Soldiers Interact with the Army Cloud Using Their Own Devices Got a Bit Clouded - Forbes

AWS, a leading cloud platform, is debuting its latest addition to Amazon QuickSight: Fine-Grained Visual Embedding. This feature provides users with individualized visualizations from Amazon QuickSight dashboards for embedding within high-traffic web pages and applications. Increased visibility is supplied to end-users through Fine-Grained Visual Embedding, without requiring server or software setup, or infrastructure management.

Amazon QuickSight is a cloud-based, embeddable, and ML-backed business intelligence (BI) platform that provides users with interactive data visualizations, analysis, and reporting to support data-driven decision-making, without the process of managing servers. Amazon QuickSight allows users to embed branded analytics, such as interactive dashboards, natural language querying (NLQ), or BI-authoring experience within internal portals or public sites.

With Fine-Grained Visual Embedding Powered by Amazon QuickSight, developers and ISVs now have the ability to embed any visuals from dashboards into their applications using APIs, said Donnie Prakoso, software engineer and senior developer advocate at AWS. As for enterprises, they can embed visuals into their internal sites using 1-click embedding. For end-users, Fine-Grained Visual Embedding provides a seamless and integrated experience to access a variety of key data visuals to get insights.

Benefits of Fine-Grained Visual Embedding include automatic updates of embedded visuals, as well as automatic scaling without requiring server management, and optimized for efficient performance on high-traffic sites. Amazon QuickSight will also support 1-click embedding for nontechnical users to deploy code embedding, via 1-click enterprise embedding or 1-click public embedding. Users can also employ visual embedding through the API, using AWS CLI or SDK, for increased flexibility to configure allowed domains at runtime.

To learn more about this latest feature, please visit https://aws.amazon.com/.

Read the rest here:
Fine-Grained Visual Embedding by Amazon QuickSight Brings Visibility without Complexity - Database Trends and Applications

In Part 1 of our tales of real-world cloud attacks, we examined real-world examples of two common cloud attacks. The first starting from a software-as-a-service (SaaS) marketplace, demonstrating the breadth of potential access vectors for cloud attacks and how it can enable lateral movement into other cloud resources, including a company's AWS environment. The second cloud attack demonstrated how attackers take over cloud infrastructure to inject cryptominers for their profit.

As we have witnessed, more attacks have moved onto the cloud, so it was only a matter of time before ransomware attacks did, too. Let's look at two scenarios where attackers leveraged ransomware to gain profits, and how unique cloud capabilities helped victims avoid paying the ransom.

The first case (or rather cases, as this attack has appeared numerous times) is the notorious MongoDB ransomware, which has been ongoing for years. The attack itself is simple attackers use a script to scan the internet (and now, common cloud vendor address spaces) for hosts running MongoDB exposed to the internet. The attackers then try to connect to the MongoDB with the empty admin password. If successful, the attack erases the database and replaces it with a double ransomware note: pay, and your data will be returned; don't pay, and your data will be leaked.

Intervention was necessary to address the second part of the extortion scheme: data leakage. Luckily, the company had data backups, so recovery was easy, but the database contained considerable amounts of personally identifiable information (PII), which, if leaked, would be a major crisis for the company. This forced them into the position of either paying a hefty ransom or dealing with the press. MongoDB default logging, unfortunately, cannot provide a definitive answer regarding the data accessed, as not all potential types of data collection commands are logged by default.

This is where the cloud infrastructure became an advantage. While MongoDB may not log every command, AWS logs the traffic going in and out of servers, because it charges for network costs. Correlating the network traffic going out of the attacked server with the times when the attackers were connected to the compromised MongoDB server provided proof that the data could not have been downloaded by the attackers.

This allowed the company to avoid paying the ransom and ignore the threat. As expected, nothing further was heard from the attackers.

Another company experienced an attack on its main servers running on AWS EC2, where it was hit by a ransomware Trojan, not unlike those seen on on-premises servers. As often occurs these days, this was another double-extortion ransomware attack and the company needed help dealing with both issues.

Luckily, due to the company's cloud architecture and preparedness, there were AWS snapshots of the environment going back 14 days. The attackers were unaware of the snapshots and had not disabled them in their attack. This allowed the company to immediately revert to the day before the data encryption, resolving the first part of the attack with minimal effort. That still left two challenges to deal with: the potential data leak and the eradication of the attackers from the environment.

To address these challenges, there was a full investigation of the breach, which turned out to be quite complex due to the hybrid nature of their environment. The attackers compromised a single account with limited access, used by an IT person. They then identified a legacy on-premises server where that individual was an admin and used it to take over the Okta service account, allowing privilege escalation. Finally, using a decommissioned VPN service, they were able to hop to the cloud environment. Using the elevated privileges, they took over the EC2 servers and installed the malware.

The investigation yielded two significant findings. The first was the attack timeline. It showed that the compromise of all hosts occurred before the earliest snapshots were taken, indicating that the recovered servers were compromised and could not be used. New servers were installed, the data was transferred to them, and the original affected servers were purged.

The second finding was even more surprising. Malware analysis identified that the attackers used rclone.exe to copy the files to a remote location. The connection credentials were hardcoded in the malware, so the company was able to connect to the same location, identify, and remove their files, eliminating the attackers' access to the files, eradicating the extortion aspect of the attack.

As these real-life scenarios reveal, attackers are infiltrating the cloud and cloud breaches are on the rise. It's time for organizations to prepare for cloud incidents. Cybercriminals are leveraging cloud capabilities in attacks, and you should use them, too, to protect your organization and prevent a crisis from hitting the headlines.

Read the original here:
Real-World Cloud Attacks: The True Tasks of Cloud Ransomware Mitigation - DARKReading

State and local IT leaders are galloping toward the cloud, whether they know it or not.

Thirty-seven percent say they moved on-premise infrastructure to public cloud this past year, according to the 2022 CompTIA Public Technology Institute (PTI) State of City and County IT National Survey. And 32 percent said that migrating systems and applications to the cloud will be a top priority in the next two years.

Yet much of state and local cloud adoption still goes unrecognized as such, said Alan Shark, vice president of public sector and executive director at PTI. People say theyre not in the cloud very much, and when you start asking questions, it turns out that theyre very much in the cloud.

Taken together, formal migrations to the cloud and adoption of cloud-based SaaS indicate a steady shift in IT resources: away from on-prem legacy solutions and toward the cloud. Its continuing to gain traction, Shark said.

In Utah, for example, the building that housed the states main data center is slated to be demolished, and CIO Alan Fuller is seizing the moment to jump-start his cloud migration. Were hoping to get better scalability, elasticity, security, redundancy and lower cost, he told GTat the NASCIO Midyear Conference in May. We have a multi-vendor cloud strategy and we want to move as many services and applications as we can from on-premise to the cloud.

Here, a range of state and local leaders help to paint a picture of the state of cloud adoption: the early wins, and the challenges yet to be faced.

The push came from a Deloitte assessment, which found in part that the state could uncover a lot of savings by consolidating its data center investments. Through cloud migration, we could avoid a $15 to $30 million investment that would have been necessary just to keep our primary data center facility going.

The state subsequently demolished its primary data center. (The site is now a parking lot.) Sloan reports that 80 percent of that activity moved directly to the cloud, and an additional 5 percent migrated to a shared data center with a much smaller physical footprint.

In the process, the IT team identified about 96 data centers across state agencies, including everything from formal data centers to servers running in spaces under desks. Ninety-two of those have since been decommissioned, with only a few outliers kept online.

In order to ensure the push to cloud aligns with specific agency needs, the IT team has established relationships with multiple cloud service providers, including Amazon Web Services, Microsoft Azure, Google Cloud and IBMs Z Cloud.

The way a particular agencys infrastructure has matured over time influences which cloud option is best suited for their needs. The child protection agency, for example, had already replaced an aging case management system with a solution that was based on Microsoft Dynamics. That went into the Dynamics 365 cloud, Sloan said. Weve allowed the agencies to have a voice in selecting the cloud providers that best meet their needs.

It shouldnt come as a surprise that Sloan makes a strong case for the benefits of cloud adoption. As government services and data shift to the cloud, he said, you inherently gain access to scalability and elasticity, as well as a whole set of feature functions that you dont inherently have in your current on-premise data center environment.

Theres a benefit on the personnel side as well. You get people out of having to do the managing, the administration, all the care and feeding for physical servers. Now the same number of people are able to do more things. They have more time to put into more valuable activities, he said.

One big adjustment has been the shift from capital to operational budgeting. Here, Sloan advocates for a gradual approach. It takes time. If you try and flip a big switch, there can be some real challenges, depending upon where you are in your capex cycle, he said.

If youre not at the end of a capex cycle, you potentially end up having duplicate costs, he said. So we work with our people to plan ahead. We will say: Youre not going to be buying new servers the next time this comes around, so if youre in year two of your five-year server cycle, plan now. Youll need to make the transition when those are up on their life cycle.

The city has its office productivity tools and online collaboration tools in the cloud, along with an e-signature platform and a records request tool. Next up: enterprise resource planning for human capital management and finance, followed by public safety.

We will have a big ERP system launching here the first week of October, and right on the tail of that, probably in late January or early February, were doing a major public safety systems swap-over to cloud, said CIO Chris Seidt.

While the transition has gone smoothly, Seidt is candid about the bumps hes hit along the road, and the need to manage thoughtfully through the details of a cloud migration. When subscribing to cloud services, for example, its important to pay close attention, to ensure you are subscribing to all of the things that you need, he said.

Because there may be different tiers of subscription models for different cloud services, you really have to look carefully at what is included in that, because it may not include all of the pieces that you would need as an organization in order to maintain your security posture, in order to gain access to functionality, he said.

In fact, Louisville initially undersubscribed for its office productivity suite. It lacked some of the practical security aspects that really needed to accompany it, Seidt said. If you stepped up a tier, a lot of those security tools were just included. Of course, theres a cost jump there too.

In addition to working through those technical details, Seidt has also focused heavily on change management.

One big barrier is staff willingness to go along, he said. Ive got a couple systems engineers that have been with me for decades, and now were asking them to do cloud. So one of the first steps was to make sure people got comfortable. When people are worried about losing their jobs, you have to get out ahead of that. We certainly didnt go into our cloud journey looking to reduce our headcount. If anything, we wanted to repurpose it.

To that end, the citys cloud journey has included not just messaging about the virtues of cloud, but also training to reskill IT for the task that lies ahead. Seidt said hes quadrupled the training spend since 2018, in an effort to upskill staff for the cloud transition.

When you let them know that youre willing to train them in those new skill sets, it makes them more engaged, Seidt said. Some of our systems guys are our biggest champions now, because they see the bigger picture.

While others work with multiple cloud providers, Seidt for now is focused solely on AWS engagements. With a single provider, he said, he can more easily control and manage his cloud resources.

At the same time, Seidt has been working with others in the city to repurpose the data center space hes no longer using.

In a lot of city governments, the data center serves as more than just a place to house compute and storage. It may also have your network core redundancy. It may also have fiber terminations for municipally owned fiber. Theres a lot of other things that live there, he said.

As he moves to decommission compute and storage, hes looking for opportunities to refresh the HVAC systems for downsized demand and potentially repurpose those spaces for other uses.

As for the shift from capex to opex spending, Seidt said good communication is the key to success. It does require a lot of cooperation with your chief financial officer and your elected officials, making sure that they understand the business case for it and the benefits that come with it, he said.

We have been slow to embrace the cloud, said Director of Information Services Eric Romero. Were so busy here, it is hard to find the time to get up to speed, to learn the newer technologies and to get to that comfort level.

The city has nonetheless already shifted a few applications to the cloud, including 311, permitting and a nearly billion-dollar road program thats leveraging cloud-based tools for project management. Romero said hes already seeing the benefits of a modernized approach. The upside is certainly that its less taxing on my department, my resources, my staff, he said.

Still, Romero has questions. Hes particularly concerned about data portability, or the lack thereof. Once all the data is in the cloud, how do we get it out of the cloud in a way that we can either use it for historical purposes or convert it for use in another system? he said, noting that his sense is that cloud service providers dont want to make this easy.

He said hed like to see more data on cloud reliability, too: downtime metrics and the like. Hed also like some assurance that a cloud provider would be able to respond quickly to an urgent need.

When we have an issue, something that might not seem critical to them might be extremely critical to us. If we had it in-house, my guys would be working on it 24 hours a day until it got resolved, he said. That might come through with the contract process, but will they really understand it?

At this point, when he does make a move, its typically a matter of cloud by necessity. For example, were running an old version of Exchange for email and every time that we get a patch from Microsoft, we have issues getting the servers back online, he said. We just finally came to the conclusion that we had to move.

In tandem with such efforts, Romero has been communicating with folks on the budgeting side to ensure a smooth transition to opex as needed.

American Rescue Plan money is helping bridge the gap between capex and opex for the moment, but eventually those new cloud-based contracts will come due again maybe two or five years down the road and Romero said it will be important to have solidified the funding model in support of that spending.

I was very upfront with our finance folks and the administration here, saying: These are my needs and we are going to use ARP funds for this, but weve got to address the budget or else in five years were going to be cutting these services.

In the long run, he said, changes to the budget process and incremental steps toward the cloud together will put the IT team on a better footing. Cloud will ultimately lower the management burden, freeing talent to tackle higher-level tasks. And a move to the cloud could also make it easier to hire the people he needs.

As candidates come in and they see that youre not fully embracing the cloud, that can be a detriment to their considering the position, he said. Seen in this light, cloud becomes increasingly a must-have for state and local governments looking to attract the best and brightest in a highly competitive talent market.

More to the point, Romero describes cloud as an inevitable technological evolution.

We know that this is coming. Were seeing more and more: not just software applications, but solutions that are being pushed to a subscription-based model, most often cloud-based, he said. We know that its coming and at some point, we will get there.

More:
Everything as a Service?: Government and the Cloud - Government Technology