Federal agencies are increasingly using cloud computing services for tasks like data storage, daily operations and resource sharing. But the Government Accountability Office recently warned that “without effective security measures, these services can make the U.S. government vulnerable to cyberattack.”
The majority of government agencies rely solely on Microsoft software–including its cloud computing technologies. But when the State Department and other agencies had their cloud-based emails stolen by Chinese hackers last year, it exposed the vulnerabilities of relying on a single provider.
According to the Cyber Safety Review Board’s 2024 report on the 2023 hacking, cloud service providers “have become one of our most important critical infrastructure industries.” But the Board found that “other cloud service providers [maintained] security controls that Microsoft did not.”
Here are some of the ways the U.S. government uses Microsoft’s cloud technologies:
- The Department of Energy uses Microsoft’s Azure Quantum Elements in their work in chemical science.
- The U.S. Navy has leveraged Azure for tropical cyclone forecasting.
- NASA uses Azure Quantum to manage communication with space missions.
- The Department of the Treasury uses Azure Government to manage daily business activities like processing payments.
- The Department of Homeland Security uses Microsoft’s cloud to share information on events like hurricane response and law enforcement activities.
This consolidated structure, known as a single point of failure in cybersecurity, provides a uniform network that makes it easier for hackers to penetrate if one part of the system is compromised. Alternatively, a multi-cloud strategy adds layers of protection by spreading risk across various platforms, providing redundancy that is essential for security.
In April 2024, the Senate Homeland Security and Governmental Affairs Committee voted to approve the Multi-Cloud Innovation and Advancement Act. The bill tasks several federal entities to issue guidance on how agencies can implement multi-cloud computing.
Here are four ways a multi-cloud strategy can help protect government agencies against hackers:
1. Reduce Single Points of Failure
By spreading workloads across multiple cloud platforms, agencies avoid putting all their critical systems and data in one place. If one cloud provider is compromised, other systems in separate clouds remain unaffected, reducing the impact of an attack.
2. Improve Recovery from Outages
By storing backups in different clouds, government agencies ensure that even if one provider experiences a breach or outage, they can quickly recover from another location, minimizing downtime and data loss. In the case of a natural disaster, utilizing multiple cloud providers is essential to ensure continuity of services.
3. Segment Sensitive Data
Agencies can isolate high-value workloads in different cloud environments. This makes it more difficult for hackers to obtain complete sets of data, even if they breach one cloud provider.
4. Leverage Multiple Security Tools
Each cloud provider offers its own security features, such as encryption, identity management and threat detection. By using multiple clouds, agencies can leverage the best security practices from each provider and implement layered defenses. This makes it harder for hackers to exploit vendor-specific vulnerabilities.
Major private sector businesses, from Netflix and Coca-Cola to BP and BMW, already rely on a multi-cloud strategy to protect their data. According to a 2024 OVHcloud executive report, 62% of organizations are currently using a multi-cloud environment, and 18% are in the process of transitioning to one.
The Department of Defense is also moving towards a multi-cloud environment with the introduction of the Joint Warfighting Cloud Capability contract. As George Lamb, Director for cloud and software modernization in the office of the DOD CIO, recently explained to FedTech Magazine:
“With every project that moves into the cloud, we’re trying to do the analysis, understand what the requirements are and decide what cloud environment makes the most sense. Amazon Web Services has really powerful storage options, Google is strong in the search space, Oracle in the database space, and Microsoft for workplace and communication applications.”
The rest of the government needs to follow suit. Distributing resources, data and applications across multiple cloud environments can provide tangible benefits for U.S. cybersecurity.