Debunking cybersecurity myths: Why cloud-native wins over on-premises

By Nadim Rizk
May 9, 2025

Is cloud development less secure than on-premises development? That’s a common concern, but ICF’s research and experience prove the opposite.

Forty-six percent of federal agency tech leaders have seen measurable improvements to security thanks to cloud-native development, according to Federal Software Reimagined, a recent report published by ICF. And FedRAMP recently announced that it seeks to “leverage automation to support a future state where ongoing risk monitoring is enforced, validated, and reported continuously.”

In this conversation, Nadim Rizk, ICF’s Field Chief Technology Officer, explains in detail how cloud-native security can outpace on-prem security—if the cloud environment is implemented properly.

How do the ICF report’s findings track with what you’ve experienced in federal IT modernizations?

It’s exciting to see that the data backs up what’s happening on the ground. Based on what I’ve seen in the federal IT modernization market, agencies have embraced the cloud because it offers scalability and resilience that legacy systems struggle to match. Cloud-native setups often come in with built-in compliance and automated transparent security updates, which aligns with federal mandates. Agencies moving to the cloud often get better visibility and increased automation, which tightens security.

The fact that 51% of core cloud users rate their software development practices highly for security makes sense too. They’re leveraging modern tools that non-core users might not have yet. When done right, cloud-native setups reduce human error and vulnerabilities faster than traditional setups, which tracks with our findings in the report.

What are some of the security tools that are available for cloud-native development?

Leading tools like Zscaler, Datadog, Aqua Security, SentinelOne Singularity, Prisma Cloud, Kubescape, and HashiCorp Vault help federal agencies secure cloud-native apps with real-time threat detection, compliance automation, and strong data protection—all integrated into fast-moving DevSecOps pipelines.

The key is picking tools that fit your specific cloud setup, whether it’s multi-cloud, hybrid, or Kubernetes-heavy, and embedding them early in the development process (shift-left security) to ensure proactivity rather than reactivity in detecting and remediating issues.

"Cloud migration isn’t lift-and-shift—it demands rethinking, redesigning, and rebuilding for resilience, security, and efficiency."

How does that approach differ from on-prem security?

When you’re on prem, there’s this misconception that you’ve got more control of the platform. You have your hands physically on your own servers, your own files, your own networks. But if you think about the magnitude of these operations, and how expensive, cumbersome, and complex they can be, they are unmanageable.

Cloud-native security offers a variety of advantages, including:

  • Speed: Automated patching and continuous monitoring mean vulnerabilities get detected and fixed faster than on-prem, where updates can lag for weeks or months.
  • Scaling: You can adjust resources dynamically so you’re not overprovisioning hardware or leaving gaps like you might with fixed on-prem servers.
  • Visibility: Cloud-native tools deliver greater visibility, providing real-time insights across distributed systems and catching anomalies that on-prem’s siloed setups might miss.
  • Resilience: Microservices and containerization mean failures or attacks are contained, unlike on-prem where a single server crash can halt everything.

What are some pitfalls agencies should avoid?

  • I advise clients against “lift and shifts”—just porting a legacy application to the cloud without doing anything else.
  • Misconfiguration. Misconfigurations—like accidentally opening API access—can expose sensitive data or systems to attacks and are the top cause of cloud breaches. These errors happen when teams rush deployments or lack automated checks. Using CNAPP tools to scan for misconfiguration in real time and enforcing strict IAM policies can catch these mistakes before they become breaches.
  • Avoid tool overload. Having too many point solutions creates complexity and blind spots. If an agency uses 50 cybersecurity tools, it must train and enable operations on all of them. Operating and managing these tools can get out of hand fast, opening the door to inefficiencies and increased costs. It’s better to use a well-defined, small set of tools and consolidate with a CNAPP where possible.
  • Prevent compliance slip-ups. Federal agencies are bound by strict regulations like NIST 800-53 or FedRAMP. Violating those regulations often happens when teams overlook automated compliance checks or misconfigure resources. For instance, a rushed deployment might skip required access controls, risking non-compliance with zero-trust mandates. Using CNAPP tools and regularly training staff will keep you aligned with standards and help you avoid costly penalties or security gaps.

What best practices should agencies follow during a cloud implementation?

Keeping an eye on AI-driven security will be important. It’s starting to predict threats before they strike, which could be game-changing for federal IT.

But it’s also important to understand that culture is as critical as tech. Agencies can deploy the best cloud-native tools, but if teams resist change or stay in silos, they won’t realize the cloud’s full benefits.

How would you recommend agencies approach this culture change?

First, agencies need to gain buy-in and foster collaboration across IT, security, and mission owners, and align on goals. Sharing metrics-driven success stories, such as an example of how another agency or customer leveraged cloud-native apps to slash deployment times, can show what’s possible.

Agencies also must provide continuous training and enablement to upskill staff because cloud-native environments move fast. Regular workshops, hands-on labs, and certifications—like those for AWS, Azure, GCP, or CNAPP tools—empower staff to confidently manage modern setups.

Ultimately, the cloud isn’t just about tech. It’s about enabling missions faster, safer, and smarter through a culture that embraces collaboration, continuous learning, and innovation.

Meet the author
  1. Nadim Rizk, Field Chief Technology Officer