Aug 10 2023

Agencies’ Journey to the Cloud Requires Tackling Cybersecurity Concerns 

A recent study involving the Department of Labor and others offers examples of focus areas and those that may require more attention.

Cloud service offerings, ranging from basic computing infrastructure to platforms bundled with software applications and other components, can be a cost-effective way for federal agencies to access and share data, networks and other resources.

With an often wider footprint than onsite data centers of the past, the cloud can also expose agencies to additional cyber risks.

In May, the Government Accountability Office examined cloud security practices at four federal agencies: the U.S. Department of Agriculture, the Department of Homeland Security, and the Treasury and Labor departments, each of which uses a variety of cloud-oriented products, such as Tableau’s Dashboard as a Service.

The report touched on how these agencies — among the largest cloud users across government — documented incident response and recovery procedures, approached continuous monitoring and addressed other needs, says Dave Hinchman, GAO’s director of IT and cybersecurity.

In general, GAO found the agencies had done a good job of defining security response requirements and documenting identity, credential and access management policies and procedures, Hinchman says. The report included 35 best-practice recommendations as well.

However, in the more than a decade since the Office of Management and Budget issued its 2010 mandate to transition federal IT services to the cloud, agencies have found it difficult to address OMB’s requirements and implement continuous monitoring.

“Cloud is a much more accepted way of doing business now, but people are still trying to figure out how to do it,” Hinchman says. “If you’ve got stuff in the cloud, someone can hack into it. Your data is at risk.

“Agencies are great at putting out rules and procedures, but actually thinking about what to do to implement security is more challenging.”


Cloud Use Helps Labor Move Its Overall Security Initiative Forward

The Labor Department will, in rare instances, leave some information on-premises. But it is primarily focused on using cloud capabilities from multiple providers for new workloads, says Noell Rebelez, cloud services program manager within the Labor Department’s Office of the CIO.

Some aspects of cloud use have helped the department advance toward its security goals. Segmenting certain workloads, for instance, has fed into its efforts to implement zero trust security based on continuous authentication.

Cloud use has also had a marked effect on the agency’s long-term planning, Rebelez says.

“One of the biggest impacts has been the granularity of cost,” he says. “I know exactly where every penny’s going, how it’s being used. Even projecting out, helping with our budgeting reviews, that’s been a huge help for us.”

“Architecting and finance are inextricably linked,” he adds. “If you architect without taking into account the financial side, you tend to end up paying more for cloud than you would have on-prem.”

The GAO report noted the Labor Department was one of two agencies to fully document identity, credential and access management policies for all four of its Infrastructure, Software and Platform as a Service systems — a practice, according to Rebelez, that’s helped the department increase automation.

With more finely scoped permissions and, consequently, a smaller area that needs to be protected, the agency can recommend products that fit specific customers’ needs, allowing them to develop and introduce new functionality to the public faster.

“Initially, during our first years in cloud, it was a lot of prescriptive guidance that we would give to our customers: ‘If you’re looking for this type of app, you want to build it in this manner,’” Rebelez says.

“But as they got more educated about cloud and we created what we’re calling essentially products — templates for known patterns of popular applications or deployments — we were able to do more of a self-service type of model.”

In response to the GAO report, Labor officials outlined actions they were currently taking or had planned that would address some of the recommendations, says Hinchman.

“We’re definitely still digesting it, trying to find where we can raise some of our scores in the lower areas,” Rebelez says. “Some things are already in place; a lot of the responses really spoke to what we were going to do. It’s just the timing of the report versus getting things to completion.”


Agencies Can't Rely on Exclusive Sources to Boost Cloud Cybersecurity

When updating infrastructure and moving to a multicloud environment, agencies can draw from a number of resources to help them establish a solid security approach.

Among them: the Cybersecurity and Infrastructure Security Agency’s Trusted Internet Connections initiative, which offers guidance on how to apply the latest security measures, says Laura Stanton, assistant commissioner for the Office of Information Technology Category within the Federal Acquisition Service.

FAS offers dedicated special item numbers that identify General Services Administration contractor products and services, which simplifies the process of obtaining cloud-related professional labor resources. It has also introduced an option for buying cloud computing services on a consumption-based, pay-as-you-go basis, Stanton says.

“That helps the government get more closely aligned with how the commercial sector buys and manages cloud services,” she says.

The structure could potentially provide greater scalability and allow federal agencies to obtain cloud services that offer improved security, among other features.

Working with cloud vendors who have been approved by the Federal Risk and Authorization Management Program can also be helpful, because security controls have been factored into the FedRAMP authorization process, says Adelaide O’Brien, research vice president for government digital strategies at IDC Government Insights.

While federal policy and guidance require agencies to use FedRAMP for cloud systems when conducting risk assessments, performing security authorizations and granting authority to operate — saving the cost and time of handling that work on their own — the agencies GAO examined had fully implemented FedRAMP requirements for only four of the 15 selected systems.

[Statistic callout: the percentage of federal agencies that use two or more cloud providers; the figure itself was not recovered. Source: SAIC, “How the Federal Government Will Win with the Cloud,” January 2023]

“The FedRAMP security controls are based on NIST SP 800-53 baselines and contain controls, parameters and guidance above the National Institute of Standards and Technology baseline that address the unique elements of cloud computing,” O’Brien says.

“Cloud service providers are required to maintain and validate the security posture of their service offering through vulnerability management, including monthly operating system, database and web application scanning reports,” she continues. “They also conduct an annual assessment and report incidents.”

While helpful, FedRAMP essentially provides just a starting point, Stanton says. Agencies still need to issue their own agency-level authorization for each system, adding any security requirements that are specific to the agency.

For federal agencies to effectively secure cloud environments, staying on top of the latest cybersecurity provisions will be key, Hinchman says.

“The effort to move into the cloud is huge right now, and there’s no good way to track even how much money is being spent because agencies are just starting to figure out how to track cloud use within their organization,” he says.

“As the government embraces the cloud, it’s important to remember that it’s not just the technology side, but also the security of that technology, and how important that is for both ensuring agency missions and providing secure citizen services.”
