
Industry Exchange Cloud 2025: Cloudflare’s Anish Patel on AI driving need for new cloud architecture

By: Tom Temin
15 December 2025 at 11:13

The systems architecture for using commercial clouds has served federal agencies well for nearly 20 years.

The cloud movement sparked innovation in the design and deployment of applications, but the exploding use of artificial intelligence calls for a new cloud architecture, suggests Anish Patel, the head of federal civilian at cloud services company Cloudflare.

“If we think about the next generation of services that are going to rely on AI, there’s really a need for a new architecture in that,” Patel said during Federal News Network’s Industry Exchange Cloud 2025. “And so, how does that public cloud architecture evolve?”

AI compute demands necessitate cloud evolution

He said the principal reason for this need derives from the compute demands of AI.

“AI is really the first thing since the development of the computer that’s been revolutionary on that compute scale,” Patel said.

Developers are folding AI into applications, along with technologies such as post-quantum cryptography and blockchain. Until now, those elements weren’t typically part of digital services.

“But when you combine all those things now,” Patel said, “thinking about the speed of interaction and how reliant you are on a network that’s trusted and reliable becomes really critical.”

Therefore, the resulting architecture must distribute compute power closer to clusters of end users, rather than executing solely in a given commercial cloud.

“If you can bring both that compute and that internet power as close to the end user as possible, that’s game-changing for where the internet is and where AI applications are going,” Patel said. Otherwise, the sheer processor cycle demands of AI will cause performance problems evident to users.

Architecting a reliable cloud architecture for all users

In thinking about the next architecture, IT staffs must consider both their organizations’ own users and external constituents, customers and business partners. Patel noted that many agencies have workforces scattered throughout the country. Those internal users need reliability and low latency just as much as external users do.

With reduced workforces, agencies will need to increase that reliability because the paper-based, office visit and telephone options may cease to exist.

“What’s coming next isn’t just that digital services are generally available, and when it’s not, you can pick up the phone or go into an office,” Patel said. “It’s just to be expected that all services are digital, and that service has an uptime and reliability level greater than TikTok or Twitter.”

He added, “There is a new generation of architectural thinking that has to come along with a distributed architecture.”

Patel drew an analogy to search. Early internet search functions, characterized by services like Ask Jeeves, were slow. Google, he said, revolutionized that with instantaneous results.

Today, when using public-facing generative AI sites, users “see it thinking, and there’s a couple of seconds there of it processing, and then it spits out an answer.”

That’s OK for now, he said, but the next generation of AI-enabled digital services will need the same step-function increase in performance that occurred with search.

The distributed architecture also includes distributed data, Patel noted. He said this requires special attention to data sovereignty, privacy and transparency — and secure handling.

“I may be a U.S. citizen traveling overseas, needing access to certain information in a particular country,” he said. “Especially if I’m an agency who’s globally distributed or has people that are traveling all over the world, I want to be able to process my information in a way that adheres to U.S. laws and follows the FedRAMP standard.”

Planning for distributed cloud architecture? Start with your users

Instituting a distributed architecture starts at the application development stage, Patel said.

“You have to start building for where the users are, wherever they are, and adjust to the users’ expectations,” he said. Also important? Building “for the next generation of services that aren’t fully built yet.”

Use of a containerized microservices approach helps because it lets an organization modify or upgrade parts and pieces of an application much more easily than traditional development techniques.

Still, Patel said, until recently “if it was distributed, it was on the agency and the IT folks to come figure out a way to distribute that application, have a disaster recovery strategy, et cetera. If you’re doing that manually, it’s still a highly complicated process, and you still have this scenario where it becomes overwhelming for the IT organization.”

That’s where companies like Cloudflare come in, Patel said. Cloudflare has built a hyper-distributed network together with the services for organizations to use. The company pioneered the idea of easy-to-adopt security for the Hypertext Transfer Protocol, so organizations could readily obtain HTTPS status.

“You can now build your applications once and distribute everywhere at the same time, all over the place, and you don’t have to think about it,” he said. “You’re essentially offloading the capabilities of that application, infrastructure and services to vendors who are designed to essentially distribute this across the globe.”

Ensuring FedRAMP compliance in hyper-distributed cloud environments

That raises the question of FedRAMP compliance, the need for which would appear to severely limit the physical facilities on which federal applications can execute. That in turn means federal customers can’t always access the range of cloud services available to commercial customers.

Patel said that, in supporting a mission to “build a better internet,” Cloudflare wants “to ensure that everybody gets the same internet.” Its solution is to build the FedRAMP standards into the architecture itself, so that distributed instances of an application inherit compliance that was built into the original version.

“That means,” he said, “if there’s new services that are offered — new capabilities — and you need to extend the services to be tightly controlled in a particular way to a particular geography, you have the full control to be able to do that.”

The control ensures an agency can maintain public trust in an application and adjust how distributed instances operate.

“You may have certain areas where certain applications that you just want distributed everywhere,” Patel said, “and you need it to just be available for the user as fast as possible.”

On the other hand, he added, “You may have some cases where it makes more sense for the application to be highly centralized in a particular way and be able to route it to the right location.”

For example, at a local clinic somewhere offering medical services to veterans, “you want to make sure, regardless of the Wi-Fi they may have or the device they may have, that experience is still secure but performant, so the veteran can get through the process.”  

The post Industry Exchange Cloud 2025: Cloudflare’s Anish Patel on AI driving need for new cloud architecture first appeared on Federal News Network.

© Federal News Network


Industry Exchange Cloud 2025: Delinea’s Tony Goulding on how to achieve 3 pillars of ICAM

12 December 2025 at 10:30

Identity, credential and access management, a foundational pillar of zero trust, centers on three key elements: widespread use of phishing-resistant multifactor authentication, elimination of unnecessary administrative privileges and continuous monitoring and authorization. 

Tony Goulding, cyber evangelist at Delinea, said one area where agencies are seeing the most success is deploying phishing-resistant MFA.

The Office of Management and Budget’s M-22-09 memo and the Cybersecurity and Infrastructure Security Agency’s accompanying guidance expect agencies to use phishing-resistant multifactor authentication whenever possible. 

While CISA’s guidance is somewhat flexible, emphasizing that “any form of MFA is better than no MFA,” it still reinforces that phishing-resistant methods should be the end goal for ICAM and zero trust.

“In a perfect world, and really aligning with the spirit and the direction of OMB as well as CISA, it means that you’ve really got to try hard to get this MFA in place,” Goulding said during Federal News Network’s Industry Exchange Cloud 2025.

Making progress on multifactor authentication

But some applications and use cases simply cannot support phishing-resistant MFA, particularly older systems that were never designed to accommodate hardware tokens, he pointed out. Temporary contractors also pose hurdles since agencies often cannot easily issue full Personal Identity Verification or Common Access Card credentials.

And in other cases — including legacy environments or remote devices — the technical limitations make deploying modern authentication methods challenging.

“Those are scenarios where organizations are employing, pretty much across the board, a migration plan to replace or migrate their applications and their systems to more modern systems that can accommodate phishing-resistant MFA. Of course, there’s an element of cost and logistics in doing that because you’re going to have to spend money to do it. You’re going to have to update processes. But it is a path that the majority of the organizations that we deal with are actually taking,” Goulding said.

Doing away with excessive access privileges

The second key element of ICAM — eliminating standing administrative privileges — is forcing agencies to reevaluate the thousands of high-privileged accounts scattered across their networks. Privileged identities, often created out of convenience, represent one of the most exploited attack vectors, Goulding said.

In many organizations, particularly those running Linux and Unix environments, administrators create local privileged accounts that typically have full privileges and are rarely monitored, making them a prime target for attackers, he said.

“The first step is eliminating those that are unnecessary and then allowing the administrator to use their existing identity. They may have an ID account, for example, that becomes the only account that they will use, and it needs to have minimum rights,” Goulding said. “The third thing is that you then give them the ability to elevate their privileges when they need to elevate their privileges for a legitimate administrative purpose.”

He added, “Those are three of the key things that we’re seeing agencies make tremendous strides in deploying.”

Embracing real-time continuous monitoring

The final must-do, Goulding pointed out, is continuous monitoring and authorization. Admittedly, this remains a persistent challenge across the agencies, he said.

“No more point-in-time checks — you want to move more toward evidence-driven, ongoing verification,” Goulding said.

“We’ve actually been very successful in enabling our customers, both agencies and commercial, because our solution generates a stream of identity and access and privileged access signals. Things like elevation request: Elevation is important because if you’re doing least privilege, then you’ve got to give legitimate administrators the ability to elevate privilege just in time — when it’s necessary to do that.”

Session recording — long considered valuable but rarely used due to lack of staff to review recordings — is another area where monitoring is evolving. Goulding said artificial intelligence now allows agencies to automatically scan session recordings on Linux and Windows systems, flagging unusual behavior such as the creation of shadow accounts or attempts to add privileges to a low-privileged, compromised account.

“These session recordings are gold, but they’re never actually reviewed. So automation can really help in making sure that that happens,” he said.

Looking ahead, Goulding warned agencies about “not falling into the trap of trying to cherry pick best-of-breed parts of a solution.” Instead, he recommended that agency teams embrace modern cloud-native software-as-a-service platforms that can scale, update and integrate easily.

The post Industry Exchange Cloud 2025: Delinea’s Tony Goulding on how to achieve 3 pillars of ICAM first appeared on Federal News Network.
