The Department of Homeland Security‘s recent advances into the cloud played an integral role in its ability to continue operations during the ongoing coronavirus pandemic, said acting CIO Beth Cappello.
If it weren’t for the progress her predecessors made adopting cloud infrastructure and scalable capabilities, Cappello says, it would have likely been much more difficult to keep DHS personnel connected to data, systems, tools and co-workers.
“Frankly, if we had still been in our on-prem, roll-your-own email system when this new posture kicked off, I’m not sure we would have been nearly as successful,” she said during a recent SNG Live virtual event. “The ability to access the data and the systems and the tools from anywhere is critical.”
In a matter of days, DHS went from about 10,000 employees teleworking at a given time to upwards of 70,000-75,000 doing so on a daily basis during the pandemic using a virtual private network. And the flexibility and scalability of the cloud made that possible, Cappello said.
“If we think about where are all the different potential locations for our folks to work — whether it’s, you know, down at the southern border, in an international airport or in a regular office space in D.C. or, you know, these days at home — we have to be mindful of can you get to the data?” she said. “Do you have the right network capability to get to it? And most importantly, foundationally is it secure? So when I, when I think about where we are right now, those situations where my predecessors had migrated workloads to the cloud infrastructure and had put in additional capability, that’s all paying dividends for DHS and our ability to continue operations right now.”
Not all agencies were in such a position, said Mike Younkers, senior director of U.S. federal systems engineering for Cisco. Those like DHS “who had already thought about being able to scale their capabilities leveraging things like cloud technologies or elastic data centers of their own were able to react very quickly because they were able to scale in a very fast manner,” Younkers said.
But some “weren’t prepared at all,” he said. “They didn’t know what to do, they didn’t know how to make sure their employees had capabilities and then they struggled to understand some of their old technology — some of their older capabilities weren’t really able to keep up with the scale.”
Cappello said DHS’s work is not over, as there’s a chance the pandemic is far from over. The department’s cloud migration “is work that we’re going to have to accelerate somewhat if we think that this COVID event is going to be cyclical and we may have to go at different points in time back into a more enhanced remote work posture, then we’ve got to think about how we improve the ability to get at the data and ability to get at the tools, regardless of location,” she said.
The ‘perfect use case’ for zero trust, TIC 3.0
With the large-scale move to telework and the greater dependence on cloud computing during the pandemic, proponents of zero-trust security architecture may finally have a robust use case to show why it’s a winning cybersecurity strategy for a distributed, cloud-based enterprise.
“I think we get lost in the technology. We need to think about use cases. And I think we have a perfect use case right in front of us that if we ever needed to understand what is one of the aspects of zero trust that could help us, we now have a use case, this notion of at-scale remote working,” Younker said. “We absolutely have a use case to try to drive this forward. I don’t think we need to justify the capability or the thought process or the technology anymore. Now it’s about how do we implement it.”
Cappello said DHS has recently been approaching zero trust with curiosity. “Zero trust is something that we’ve been investigating at DHS and we’ve had several proofs of concept going on over the last six months,” she said. “And I think that’s going to change dramatically the way that we approach security, right, as we do enhanced cloud adoption and we’re looking at the different ways to use these technologies, wherever we are. We’re going to have to be more mindful of the security architectures and they have to change to keep up.”
Cappello and Younkers also stressed the importance of Trusted Internet Connections (TIC) 3.0 as agencies continue to work in a distributed manner. Developing TIC 3.0 use cases and meeting the requirements of the guidance “has to continue even in this in this new sort of posture,” Cappello said.
The Cybersecurity and Infrastructure Security Agency recently released special guidance for TIC 3.0 adaptations during pandemic telework.
Younkers agreed, especially with “the edge going away or the edge extending and looking at it differently.”
“I think this is where the TIC 3.0 architecture becomes really important because if I’ve done that work ahead of time and I thought through what it means to have my capabilities in various locations, then when I need to react quickly I can,” he said. “And so, otherwise, if I haven’t thought through it, if I don’t have this architecture or plan to move to migrate to this architecture already, then I’m stuck because now I know what I could do, but I don’t have the proper policies and procedures in place.”