Agencies’ Journey to the Cloud Requires Tackling Cybersecurity Concerns 

Cloud Use Helps Labor Move Its Overall Security Initiative Forward

The Labor Department will, in rare instances, leave some information on-premises. But it is primarily focused on using cloud capabilities from multiple providers for new workloads, says Noell Rebelez, cloud services program manager within the Labor Department’s Office of the CIO.

Some aspects of cloud use have helped the department advance toward its security goals. Segmenting certain workloads, for instance, has fed into its efforts to implement zero trust security based on continuous authentication.

Cloud use has also had a marked effect on the agency’s long-term planning, Rebelez says.

“One of the biggest impacts has been the granularity of cost,” he says. “I know exactly where every penny’s going, how it’s being used. Even projecting out, helping with our budgeting reviews, that’s been a huge help for us.”

“Architecting and finance are inextricably linked,” he adds. “If you architect without taking into account the financial side, you tend to end up paying more for cloud than you would have on-prem.”

The GAO report noted the Labor Department was one of two agencies to fully document identity, credential and access management policies for all four of its Infrastructure, Software and Platform as a Service systems — a practice, according to Rebelez, that’s helped the department increase automation.

With more distinct permissions and a subsequently smaller area that needs to be protected, the agency can suggest products that will fit specific customers’ needs, allowing them to develop and introduce new functionality to the public faster.

“Initially, during our first years in cloud, it was a lot of prescriptive guidance that we would give to our customers: ‘If you’re looking for this type of app, you want to build it in this manner,’” Rebelez says.

“But as they got more educated about cloud and we created what we’re calling essentially products — templates for known patterns of popular applications or deployments — we were able to do more of a self-service type of model.”

In response to the GAO report, Labor officials outlined actions they were currently taking or had planned that would address some of the recommendations, says Hinchman.

“We’re definitely still digesting it, trying to find where we can raise some of our scores in the lower areas,” Rebelez says. “Some things are already in place; a lot of the responses really spoke to what we were going to do. It’s just the timing of the report versus getting things to completion.”

LEARN MORE: The importance and role of data analytics in cybersecurity. 

Agencies Can't Rely on Exclusive Sources to Boost Cloud Cybersecurity

When updating infrastructure and moving to a multicloud environment, agencies can draw from a number of resources to help them establish a solid security approach.

Among them: the Cybersecurity and Infrastructure Security Agency’s Trusted Internet Connections initiative, which offers guidance on how to apply the latest security measures, says Laura Stanton, assistant commissioner for the Office of Information Technology Category within the Federal Acquisition Service.

FAS offers dedicated special item numbers to identify General Service Administration contractor products and services, which simplify the process of obtaining cloud-related professional labor resources. It’s also introduced an option for buying cloud computing services on a consumption-based, pay-as-you-go basis, Stanton says.

“That helps the government get more closely aligned with how the commercial sector buys and manages cloud services,” she says.

The structure could potentially provide greater scalability and allow federal agencies to obtain cloud services that offer improved security, among other features.

Working with cloud vendors who have been approved by the Federal Risk and Authorization Management Program can also be helpful, because security controls have been factored into the FedRAMP authorization process, says Adelaide O’Brien, research vice president for government digital strategies at IDC Government Insights.

While federal policy and guidance requires agencies to use FedRAMP for cloud systems when conducting risk assessments, security authorizations and granting authority to operate — saving the cost and time involved in handling that work on their own — the agencies GAO examined had fully implemented FedRAMP requirements for only four of the 15 selected systems.                              

“The FedRAMP security controls are based on NIST SP 800-53 baselines and contain controls, parameters and guidance above the National Institute of Standards and Technology baseline that address the unique elements of cloud computing,” O’Brien says.

“Cloud service providers are required to maintain and validate the security posture of their service offering through vulnerability management, including monthly operating system, database and web application scanning reports,” she continues. “They also conduct an annual assessment and report incidents.”

While helpful, FedRAMP essentially provides just a starting point, Stanton says. Agencies still need to develop an internally approved authority to assert any additional security requirements that are specific to the agency.

For federal agencies to effectively secure cloud environments, staying on top of the latest cybersecurity provisions will be key, Hinchman says.

“The effort to move into the cloud is huge right now, and there’s no good way to track even how much money is being spent because agencies are just starting to figure out how to track cloud use within their organization,” he says.

“As the government embraces the cloud, it’s important to remember that it’s not just the technology side, but also the security of that technology, and how important that is for both ensuring agency missions and providing secure citizen services.”

EXPLORE: How Federal Agencies can boost security against threats.