Debunking cybersecurity myths: Why cloud-native wins over on-premises
For federal leaders, the cloud security debate is no longer theoretical. The real question is not whether cloud‑native development can be secure, but whether agencies are structured to operate it with the rigor, visibility, and accountability modern missions require. As agencies modernize under increasing delivery pressure and regulatory scrutiny, security outcomes are shaped less by where systems live and more by how they are governed, implemented, and continuously monitored.
ICF’s research and hands‑on experience with federal IT modernization show that when cloud environments are designed intentionally—rather than treated as lift‑and‑shift destinations—cloud‑native security can outperform traditional on‑premises models. In this conversation, Nadim Rizk, ICF’s Field Chief Technology Officer, explains why cloud‑native approaches often deliver stronger security outcomes, where agencies go wrong, and what leaders should prioritize to reduce risk while moving faster.
How do the ICF report’s findings track with what you’ve experienced in federal IT modernizations?
It’s exciting to see that the data backs up what’s happening on the ground. Based on what I’ve seen in the federal IT modernization market, agencies have embraced the cloud because it offers scalability and resilience that legacy systems struggle to match. Cloud-native setups often come in with built-in compliance and automated, transparent security updates, which aligns with federal mandates. Agencies moving to the cloud often get better visibility and increased automation, which tightens security.
The fact that 51% of core cloud users rate their software development practices highly for security makes sense too. They’re leveraging modern tools that non-core users might not have yet. When done right, cloud-native setups reduce human error and vulnerabilities faster than traditional setups, which tracks with our findings in the report.
When cloud adoption is paired with automation and continuous monitoring, security improves not because systems move locations, but because leaders gain clearer, real‑time oversight of risk across the environment.
What are some of the security tools that are available for cloud-native development?
The key is picking tools that fit your specific cloud setup, whether it’s multi‑cloud, hybrid, or Kubernetes‑heavy, and embedding them early in the development process (shift‑left security) to ensure proactivity rather than reactivity in detecting and remediating issues.
Leading tools like Zscaler, Datadog, Aqua Security, SentinelOne Singularity, Prisma Cloud, Kubescape, and HashiCorp Vault help federal agencies secure cloud-native apps with real-time threat detection, compliance automation, and strong data protection—all integrated into fast-moving DevSecOps pipelines.
These examples illustrate the breadth of mature, cloud‑native security capabilities available today, not a prescribed toolset—what matters most is how those capabilities are integrated into development and governance workflows.
This approach shifts security from an after‑the‑fact control function to a built‑in operating discipline, strengthening accountability while allowing teams to move faster without increasing exposure.
The distinction becomes clearer when comparing cloud-native security models with traditional on-premises environments. The perceived control of on‑premises environments often masks operational complexity that slows response times and limits visibility at enterprise scale.
How does that approach differ from on-prem security?
When you’re on prem, there’s this misconception that you’ve got more control of the platform. You have your hands physically on your own servers, your own files, your own networks. But if you think about the magnitude of these operations, and how expensive, cumbersome, and complex they can be, they are unmanageable.
Cloud-native security offers a variety of advantages, including:
- Speed: Automated patching and continuous monitoring mean vulnerabilities get detected and fixed faster than on-prem, where updates can lag for weeks or months.
- Scaling: You can adjust resources dynamically so you’re not overprovisioning hardware or leaving gaps like you might with fixed on-prem servers.
- Visibility: Cloud-native tools deliver greater visibility, providing real-time insights across distributed systems and catching anomalies that on-prem’s siloed setups might miss.
- Fault isolation: Microservices and containerization mean failures or attacks are contained, unlike on-prem where a single server crash can halt everything.
Taken together, these advantages materially change an agency’s risk posture by reducing the window between vulnerability, detection, and remediation.
What are some pitfalls agencies should avoid?
I advise clients against “lift and shifts”—just porting a legacy application to the cloud without doing anything else.
Misconfiguration. Misconfigurations—like accidentally opening API access—can expose sensitive data or systems to attacks and are the top cause of cloud breaches. These errors happen when teams rush deployments or lack automated checks. Using Cloud-Native Application Protection Platform (CNAPP) tools to scan for misconfiguration in real time and enforcing strict IAM policies can catch these mistakes before they become breaches.
Avoid tool overload. Having too many point solutions creates complexity and blind spots. If an agency uses 50 cybersecurity tools, it must train and enable operations on all of them. Operating and managing these tools can get out of hand fast, opening the door to inefficiencies and increased costs. It’s better to use a well-defined, small set of tools and consolidate with a CNAPP where possible.
In practice, security risk increases when complexity outpaces governance, making disciplined tool selection and clear ownership as important as the technology itself.
Prevent compliance slip-ups. Federal agencies are bound by strict regulations like NIST 800-53 or FedRAMP. Violating those regulations often happens when teams overlook automated compliance checks or misconfigure resources. For instance, a rushed deployment might skip required access controls, risking non-compliance with zero-trust mandates. Using CNAPP tools and regularly training staff will keep you aligned with standards and help you avoid costly penalties or security gaps.
Sustained security improvements depend on whether agencies adapt operating models, incentives, and skills to match the pace of cloud‑native environments.
What best practices should agencies follow during a cloud implementation?
Keeping an eye on AI-driven security will be important. It’s starting to predict threats before they strike, which could be game-changing for federal IT.
But it’s also important to understand that culture is as critical as tech. Agencies can deploy the best cloud-native tools, but if teams resist change or stay in silos, they won’t realize the cloud’s full benefits.
Cloud‑native security ultimately depends on whether agencies align operating models, incentives, and skills with the pace and demands of modern delivery environments.
How would you recommend agencies approach this culture change?
First, agencies need to gain buy-in, foster collaboration across IT, security, and mission owners, and align on goals. Sharing metrics-driven success stories, such as an example of how another agency or customer leveraged cloud-native apps to slash deployment times, can show what’s possible.
Agencies also must provide continuous training and enablement to upskill staff because cloud-native environments move fast. Regular workshops, hands-on labs, and certifications—like those for AWS, Azure, GCP, or CNAPP tools—empower staff to confidently manage modern setups.
Ultimately, cloud‑native security is not a technology upgrade—it is an operating decision. Agencies that see stronger security outcomes are not simply adopting new platforms; they are aligning governance, tooling, and workforce practices to support continuous oversight and accountability. That includes resisting lift‑and‑shift shortcuts, reducing tool sprawl, and investing in the skills and collaboration required to run modern environments well.
For leaders, the implication is clear. Security posture is shaped by execution discipline and organizational alignment as much as by infrastructure choice. Cloud‑native development can enable faster, more resilient, and more defensible operations—but only when agencies treat security as a core capability to be designed, governed, and sustained, not assumed.