Cloud Use Helps Labor Move Its Overall Security Initiative Forward
The Labor Department will, in rare instances, leave some information on-premises. But it is primarily focused on using cloud capabilities from multiple providers for new workloads, says Noell Rebelez, cloud services program manager within the Labor Department’s Office of the CIO.
Some aspects of cloud use have helped the department advance toward its security goals. Segmenting certain workloads, for instance, has fed into its efforts to implement zero trust security based on continuous authentication.
Cloud use has also had a marked effect on the agency’s long-term planning, Rebelez says.
“One of the biggest impacts has been the granularity of cost,” he says. “I know exactly where every penny’s going, how it’s being used. Even projecting out, helping with our budgeting reviews, that’s been a huge help for us.”
“Architecting and finance are inextricably linked,” he adds. “If you architect without taking into account the financial side, you tend to end up paying more for cloud than you would have on-prem.”
The GAO report noted the Labor Department was one of two agencies to fully document identity, credential and access management policies for all four of its Infrastructure, Software and Platform as a Service systems — a practice, according to Rebelez, that’s helped the department increase automation.
With more distinct permissions and, as a result, a smaller area that needs to be protected, the agency can suggest products that will fit specific customers’ needs, allowing those customers to develop and introduce new functionality to the public faster.
“Initially, during our first years in cloud, it was a lot of prescriptive guidance that we would give to our customers: ‘If you’re looking for this type of app, you want to build it in this manner,’” Rebelez says.
“But as they got more educated about cloud and we created what we’re calling essentially products — templates for known patterns of popular applications or deployments — we were able to do more of a self-service type of model.”
In response to the GAO report, Labor officials outlined actions they were currently taking or had planned that would address some of the recommendations, says Hinchman.
“We’re definitely still digesting it, trying to find where we can raise some of our scores in the lower areas,” Rebelez says. “Some things are already in place; a lot of the responses really spoke to what we were going to do. It’s just the timing of the report versus getting things to completion.”
Agencies Can't Rely on Exclusive Sources to Boost Cloud Cybersecurity
When updating infrastructure and moving to a multicloud environment, agencies can draw from a number of resources to help them establish a solid security approach.
Among them: the Cybersecurity and Infrastructure Security Agency’s Trusted Internet Connections initiative, which offers guidance on how to apply the latest security measures, says Laura Stanton, assistant commissioner for the Office of Information Technology Category within the Federal Acquisition Service.