Want Secure Cloud Deployments? GSA's Cloud.gov Leader Offers Best Practices

It is now clearer than ever that the White House wants agencies to move to the cloud. It has been seven years since the Obama administration launched its "cloud first" policy but the Trump administration is pushing for more aggressive cloud migration.

In December, the Trump administration's American Technology Council issued its IT modernization report, which uses the word "cloud" 242 times in 60 pages. The report calls for improvement in contract vehicles to enable agencies to acquire commercial cloud products that meet government standards, and calls for accelerated adoption of cloud email and collaboration tools.

But how can agencies best move to the cloud, and do so securely? Agencies need to adopt a series of best practices that increase the automation and security of their cloud environments, according to Shashank Khandelwal, acting director of cloud.gov, who spoke at FCW's "Security Innovation in the Cloud" workshop on Jan. 30 in Washington, D.C.

Best Technical Practices for Cloud Deployments

There are a series of technology best practices that can make cloud deployments easier and more secure, according to Khandelwal. The cloud.gov service, run by the 18F digital services organization inside the General Services Administration, is a Platform as a Service offering that helps agencies easily build and deploy cloud-native applications.

Khandelwal said the cloud.gov team —  consisting of only 15 to 20 people — has implemented best practices for cloud-native security that has helped the team automate its security compliance. "That's how we were able to achieve our security compliance with a small team," he said.

When the cloud.gov team translated its best practices into security compliance language, that helped get the service certified as secure by the GSA's Federal Risk and Authorization Management Program (FedRAMP).

First, Khandelwal said the agencies should put everything in "version control," including their infrastructure and network configuration; continuous integration and deployment pipelines; virtual machine setup and quantity; software configuration; code; team and user documentation; and diagrams.

"Version control software keeps track of every modification to the code in a special kind of database," Atlassian, an enterprise software company, notes. "If a mistake is made, developers can turn back the clock and compare earlier versions of the code to help fix the mistake while minimizing disruption to all team members."

Cloud.gov Acting Director Shashank Khandelwal speaks at the cloud security workshop. 

Version control serves as "the foundation of everything we do at cloud.gov," Khandelwal said. "If you don't have this, it makes it harder to do other things," he said.

Additionally, agencies should adopt an "infrastructure as code" approach so that they can know what code they are deploying in cloud environments and inspect it reliably. This approach means "operations teams can automatically manage and provision through code, rather than using a manual process," TechTarget notes. Doing this also "radically simplifies our continuation management controls," Khandelwal said.

"We can keep our infrastructure configuration as code in version control because it uses those Infrastructure as a Service APIs," he added, referring to application programming interfaces. "This is fundamentally cloud native."

Next, Khandelwal promoted continuous integration, which requires developers to integrate code into a shared repository several times per day. It allows cloud teams to automatically test security functions and run security tools, he said. This approach "forces compliance for vulnerability scanning and security functionality verification," according to Khandelwal.

Likewise, Khandelwal advocated continuous deployment, which, Atlassian notes, delivers "features and fixes to the customer as soon as the updates are ready." That allows cloud.gov to automatically patch systems quickly and reliably with "no human hands in production." Fast patching makes vulnerability management, much easier, Khandelwal noted.

Finally, Khandelwal said agencies should use "immutable infrastructure," meaning that if an agency wants to change a component or configuration, instead of updating it in place, they would completely replace it. This "reduces configuration drift and mystery employments," and enables "reliable and repeatable deployments from trusted code," he said.

Without this in place, Khandelwal said, when agencies make changes to servers or other configurations and they are not documented correctly, the next time such a change is made, errors will be introduced. That can create security vulnerabilities. Immutable infrastructure makes it harder for malicious actors to gain a foothold.