U.S. Citizenship and Immigration Services advised agencies to take a piecemeal approach when determining which applications to migrate to the cloud, while keeping proper security controls in mind. The agency, which currently operates in a multi-cloud environment, is re-architecting applications for platform-as-a-service (PaaS).
“We do have some hybrid cloud projects going on at some of our service centers that support some local operations,” said USCIS Branch Chief for Enterprise Cloud Services Steven Grunch at a FedInsider event. “A large portion of our applications came to have a very good fit in the cloud, whether a commercial region or on a PaaS. However, we do have some legacy applications and some very specialized applications that are used by different stakeholders in our organization, and we've had a really hard time moving them just because of the way they operate, how they're used. We have a small pocket of apps that seems to be served better and can serve customers better by having them run locally rather than trying to migrate them to a public cloud region.”
Agencies moving to the cloud should keep mission priorities top of mind, he said, when deciding which applications to migrate. Grunch also advised agencies to set up security controls immediately rather than waiting until after applications and data fully transition to the cloud.
“We spent a lot of time on multi-cloud strategy and implemented our cloud strategy and integrating security at the get-go,” he said. “Whenever we deploy a workload to the cloud, or we're selecting a workload for one cloud or the other, the security requirements, the behaviors and what we expect in the cloud from that subscriber or stakeholder, is monitored right away. We've taken a lot of effort to set up our security monitoring and cloud monitoring to be able to detect events and record and analyze different security events.”
Grunch warned against relying solely on cloud service providers’ security controls and emphasized mission-critical priorities as the deciding factor for additional cloud services to avoid ballooning cloud costs.
“Each cloud does security implementation a little bit differently,” he said. “The logging, some of the monitoring aspects are a little bit different, as well as if you were to run conversion infrastructure on-prem. The other thing I would caution against or warn other agencies about is cost containment. The more cloud and infrastructure you have, it becomes expensive in a number of different ways. Not only do you have to keep track of all the infrastructure and assets you're deploying, but you also have to come up with cost models to be able to pay for it or recoup costs from stakeholders as they're provisioning infrastructure components or services within the cloud.”