Cloud is a Good Place to Put Agency ‘Crown Jewels’ of Data


Cloud infrastructure may be the safest place to store an agency’s most sensitive data, Department of Justice officials said at an AWS Public Sector Summit on June 13.

“I’d say it’s a pretty good place to put your crown jewels,” said Karl Mathias, chief information officer for the United States Marshals Service, adding that commercial clouds may end up being safer than an agency’s own data centers. “A company like Amazon’s entire brand is dependent on preventing a breach from occurring. If a massive breach occurs in AWS, and I’m not saying it will, I’m just saying that it’s a severe hit to the brand, the company takes a corporate hit as a whole. They’re not going to allow this to happen, so they can invest all kinds of money into the right people who can engineer that.”


Mathias said that he told his team that any system that wasn’t migrated to the cloud in four years would be killed, which he said has acted as a motivator for efficient migration.

“We’re undergoing a major modernization effort, and that effort is going direct to cloud,” said Mathias.

Melinda Rogers, chief information security officer for DOJ, was more cautious about moving classified information to the cloud.

“I’m personally not opposed to it, but it’s got to look right,” Rogers said. “We have more lessons to learn, honestly, even in our moderate and low systems. I think the future is there, it’s just […] right now I have enough workload in front of me to get the things that I can save on out, and that’s where I’m prioritizing my time. And then when I get to the harder stuff, maybe somebody bigger and better can take on that challenge.”

However, Rogers emphasized the importance of moving to cloud to improve security, shared services, and coordination with other departments.




“This is our opportunity to shape it rather than being dragged from behind,” said Rogers. “We’re still very much at the nascent stage of leveraging these different capabilities provided by the cloud service providers. We are truly in a transformative stage, not just from the pure IT operations and leveraging cloud capabilities, but also from an IT security, from a cybersecurity standpoint we are changing how we do business. We are outsourcing a lot more, we are doing managed services.”

Though John Everett, director of the Cloud Program Management Office at the FBI, said that it is a struggle to manage the balance between security and speed of adoption for cloud, he said that the process of cloud adoption within the FBI was going well.

“We’re few, we’re underfunded, but we get a lot done,” said Everett. “Moving to the cloud within the bureau right now is going relatively well.”

He added that a team works with a security professional to make sure that their actions are “in lock-step” with best security practices.

“At the end of the day, we want to do the right thing,” said Rogers.

Jessie Bur
Jessie Bur is a Staff Reporter for MeriTalk covering Cybersecurity, FedRAMP, GSA, Congress, Treasury, DOJ, NIST and Cloud Computing.
One Comment
  1. Anonymous
    Cloud providers emphasize that security is a 'shared responsibility model' for security. https://aws.amazon.com/compliance/shared-responsibility-model/ http://aka.ms/sharedresponsibility (Azure) Thinking the cloud provider will prevent a breach because their reputation depends on it is a whole lot of assumption ... Cloud providers will NOT provide security down to the resources as that responsibility is on the customer to implement security features within the cloud similar to their own physical environments.
