Federal agencies are employing automation, artificial intelligence (AI), and centralized information-sharing strategies to optimize and secure migration to the cloud.
Federal agencies have many options when migrating to the cloud: infrastructure-as-a-service (IaaS), software-as-a-service (SaaS), platform-as-a-service (PaaS), or a mix. Different cloud providers offer different types of capabilities and come with unique security needs.
For larger agencies, like the Department of Homeland Security, managing cloud services in a way that allows for streamlined information-sharing and consistent security practices can be a challenge.
“The DHS CIO is ultimately responsible for managing the security and efficiency of IT spend across the department,” said DHS Deputy CIO and Acting CIO Beth Cappello at a GovernmentCIO Media & Research IT Modernization event last week. “We most recently stood up a network security center, which is bringing together tier one and tier two network operations security management options. One of the tenets of that organization is to have this visibility as our components manage their cloud platforms.”
At DHS, Cappello said, security comes first when shifting to the cloud. That’s why her team calls it “SecDevOps” instead of “DevSecOps.” Zero trust architecture has become a mainstay of security at the agency, although the agency is pacing itself with an incremental approach.
“There's been a lot of conversations going on about the recent SolarWinds breach, but these are the things we're concerned about over time,” she said. “We're certainly looking at the best ways to manage our security and environment as we enhance cloud adoption. I've also had the CTO team working on some very specific security architectures that can then be shared throughout the department.”
George Linares, CTO at the Centers for Medicare and Medicaid Services (CMS), said agency mission informs cloud services decisions at CMS. Cloud services and applications grow complex quickly, he said, so security is key.
“Cloud releases new services all the time — CMS is trying to create a balance between the platforms and infrastructures,” he said at the event. “Infrastructure-as-code has changed how we deploy code. You can deploy much quicker, but there is a learning curve. One of the initiatives we're trying to do that the cloud has afforded us to do is the automation of those security controls. In the past everything has been very people driven. We can sort of move security to the very beginning by checking the configurations at the infrastructure level.”
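The kind of check Linares describes, moving security "to the very beginning by checking the configurations at the infrastructure level," is usually implemented as a policy-as-code gate that runs over the infrastructure-as-code plan before anything is deployed. The following is an added example, not code from the article or from CMS: it evaluates a constructed Terraform-style JSON plan against a few rules (no security group open to the internet, no public or unencrypted bucket). Resource types and attribute names follow the AWS provider's naming; every value in the sample plan is made up.

```python
"""Automated check of security controls at the infrastructure-as-code layer.

Added example (not code from the article or any agency). It evaluates a
constructed Terraform-style JSON plan against a few policy rules before
deployment; resource types and attribute names follow the AWS provider's
naming, but every value below is made up for illustration.
"""
import json

WORLD = {"0.0.0.0/0", "::/0"}


def check_security_group(address, after):
    """Flag ingress rules that expose any port to the whole internet."""
    findings = []
    for rule in after.get("ingress", []):
        cidrs = rule.get("cidr_blocks", []) + rule.get("ipv6_cidr_blocks", [])
        if WORLD & set(cidrs):
            findings.append(
                f"{address}: {rule.get('protocol')} "
                f"{rule.get('from_port')}-{rule.get('to_port')} open to the internet")
    return findings


def check_s3_bucket(address, after):
    """Flag public ACLs and buckets created without server-side encryption."""
    findings = []
    if after.get("acl", "private") != "private":
        findings.append(f"{address}: bucket ACL is {after['acl']}")
    if not after.get("server_side_encryption_configuration"):
        findings.append(f"{address}: no server-side encryption configured")
    return findings


# Policy table: resource type -> checker. Resource types without a rule are skipped.
RULES = {
    "aws_security_group": check_security_group,
    "aws_s3_bucket": check_s3_bucket,
}


def evaluate_plan(plan_json):
    """Return every policy finding for resources the plan will create or update."""
    plan = json.loads(plan_json)
    findings = []
    for change in plan.get("resource_changes", []):
        actions = set(change["change"].get("actions", []))
        if not actions & {"create", "update"}:
            continue  # deletions and no-ops carry no new configuration to check
        after = change["change"].get("after") or {}
        rule = RULES.get(change["type"])
        if rule:
            findings.extend(rule(change["address"], after))
    return findings


def plan_passes(plan_json):
    """Deployment gate: True only when the plan produces no findings."""
    return not evaluate_plan(plan_json)


# Constructed sample plan: one exposed bastion, one misconfigured bucket, one clean bucket.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "aws_security_group.bastion", "type": "aws_security_group",
     "change": {"actions": ["create"], "after": {"ingress": [
         {"protocol": "tcp", "from_port": 22, "to_port": 22,
          "cidr_blocks": ["0.0.0.0/0"]}]}}},
    {"address": "aws_s3_bucket.claims_archive", "type": "aws_s3_bucket",
     "change": {"actions": ["create"], "after": {
         "acl": "public-read", "server_side_encryption_configuration": []}}},
    {"address": "aws_s3_bucket.audit_logs", "type": "aws_s3_bucket",
     "change": {"actions": ["create"], "after": {
         "acl": "private",
         "server_side_encryption_configuration": [
             {"rule": [{"sse_algorithm": "aws:kms"}]}]}}},
]})

if __name__ == "__main__":
    for line in evaluate_plan(SAMPLE_PLAN):
        print(line)
    print("gate:", "pass" if plan_passes(SAMPLE_PLAN) else "fail")
```

Run in a pipeline, `plan_passes` would be the step that blocks the apply stage; the rule table is where an agency's own baseline (encryption at rest, no public exposure, required tags) is encoded so it is enforced on every deployment rather than reviewed by hand afterwards.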
Securing data in the cloud is a big priority at CMS for compliance purposes, but also to streamline work. Maintaining real-time visibility and continuous monitoring are key drivers of both IT modernization and cybersecurity.
“In the cloud, you can create each consumer to have their own CPU power to consume data as much as they want to based on their need without affecting anyone else that may be next to them,” Linares said. “We are moving in that direction. Federal agencies, they all get audited, so we have to be able to provide a trail of who asked for data, who accessed data, and we have to have processes and controls in place to show we are secure and the data is being used in the context that services the business of the agency.”
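Linares's audit requirement, a trail of who asked for data and who accessed it, together with the business context that justified the access, is what an access-trail service records. The following is an added example, not code from the article or from CMS: it assumes a hypothetical data platform that calls `record` on every data request, and it hash-chains each entry to the previous one so an auditor can both answer "who accessed this dataset, and why" and detect any after-the-fact edit to the trail. The events in `build_sample_trail` are constructed for illustration.

```python
"""Tamper-evident access trail for audited data use (added example).

Not code from the article or from CMS; it assumes a hypothetical data
platform that calls ``record`` on every data request. Each entry is
hash-chained to the previous one, so an auditor can both answer "who
accessed this dataset, and why" and detect any after-the-fact edit.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous digest" of the first entry


class AccessTrail:
    def __init__(self):
        self._entries = []

    def record(self, principal, dataset, action, purpose, ts=None):
        """Append one event and return its digest. ts defaults to now (UTC)."""
        prev = self._entries[-1]["digest"] if self._entries else GENESIS
        entry = {
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "principal": principal,   # who asked for the data
            "dataset": dataset,       # what they asked for
            "action": action,         # e.g. "request", "read", "export"
            "purpose": purpose,       # business context justifying the access
            "prev": prev,             # link to the previous entry
        }
        entry["digest"] = self._digest(entry)
        self._entries.append(entry)
        return entry["digest"]

    @staticmethod
    def _digest(entry):
        """SHA-256 over the canonical JSON of the entry, excluding its own digest."""
        body = {k: v for k, v in entry.items() if k != "digest"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify(self):
        """True if every digest matches its entry and the chain is unbroken."""
        prev = GENESIS
        for entry in self._entries:
            if entry["prev"] != prev or self._digest(entry) != entry["digest"]:
                return False
            prev = entry["digest"]
        return True

    def who_accessed(self, dataset):
        """Distinct principals that touched a dataset, in first-seen order."""
        seen = []
        for e in self._entries:
            if e["dataset"] == dataset and e["principal"] not in seen:
                seen.append(e["principal"])
        return seen

    def entries(self):
        return list(self._entries)


def build_sample_trail():
    """Constructed events for illustration; principals and datasets are made up."""
    trail = AccessTrail()
    trail.record("analyst-a", "claims-2020", "request", "quarterly fraud review",
                 "2021-02-01T14:00:00+00:00")
    trail.record("analyst-a", "claims-2020", "read", "quarterly fraud review",
                 "2021-02-01T14:02:10+00:00")
    trail.record("svc-reporting", "claims-2020", "export", "monthly dashboard",
                 "2021-02-02T03:00:00+00:00")
    trail.record("analyst-b", "enrollment-2021", "read", "eligibility audit",
                 "2021-02-02T09:15:00+00:00")
    return trail


def tampered_trail_verifies():
    """Simulate someone editing a stored record; verification must fail."""
    trail = build_sample_trail()
    trail._entries[0]["principal"] = "someone-else"  # direct edit of stored record
    return trail.verify()


if __name__ == "__main__":
    t = build_sample_trail()
    print("chain intact:", t.verify())
    print("accessed claims-2020:", t.who_accessed("claims-2020"))
    print("after tampering, chain intact:", tampered_trail_verifies())
```

The chain only proves that the stored trail has not been edited since it was written; to make it useful as audit evidence, the latest digest should be copied periodically to a store the data platform cannot write to, so that truncating the trail is detectable as well.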
Because the Defense Department is a multi-vendor, multi-cloud environment, Defense Information Systems Agency (DISA) Director and Program Manager for Cloud Computing Sharon Woods said the agency is learning how to optimize the different cloud services and address distinct security requirements.
“We're still learning a lot about how to consume at different layers, like the platform layer,” she said during the event. “How do you take it up a level from infrastructure so you have a level of control, but SaaS doesn't offer the level of control you need over requirements? That's where IaC is a really interesting proposition to how you get the most out of the cloud depending on the level or the stack you're at.”
Due to DOD’s specific security requirements, tracing users across the cloud and emphasizing constant authentication via the zero trust approach are key security practices. Automation and AI, Woods said, can really help.
“One of the key pieces of [security] is the identity and authentication part,” she said. “One of the things we did was develop a cloud-based identity solution that provides authentication, that works in tandem with the department’s identity solutions, and it's a repository. If you have no means of tracking the identity, you have no way of knowing if that's the same person. Now you have this powerful capability of tracking personas and layering on top the cloud security tools, many of which are based on AI, so you have this automated capability to identify potential security issues and dig deeper.”