The Department of Veterans Affairs (VA) is working to ensure robust cybersecurity across multiple cloud providers, said an agency cybersecurity leader at FCW’s Cybersecurity Summit on Thursday.
“We’re not just talking to one vendor at a time,” said Royce Allen, chief cybersecurity architect for the Office of Cybersecurity Policy and Compliance within the VA. “The goal is to have multiple managed services from multiple vendors supporting us at all times, to keep it fair at the acquisition level.”
Allen said that as part of the VA’s cloud-first initiative, the department established its own VA Cloud within both Microsoft Azure and Amazon Web Services. In addition to acquisition concerns, she pointed to the various use cases of different cloud services.
This type of vendor policy is not new to the VA. Allen noted how the department works with many smaller vendors, and said her team for the department’s enterprise architecture had 45 contractors. “We’re all one team. There’s no ‘this is my company, this is yours’ – we’re all one team.”
Allen also described how her time with the National Security Agency influenced her to improve collaboration between agencies within the department. “One area where I feel I have great influence is bringing partner organizations together and helping them create greater sharing of information.” She said the VA is looking to meet NSA’s Community Gold Standards for cybersecurity.
Running parallel systems is among the other security challenges of moving to the cloud, but Allen noted the importance of keeping legacy systems running until applications and data have truly been moved. She said that while it may introduce some more risk, “you want to make sure you capture all those things you need.”
For other agencies looking to move to the cloud with an eye towards security, Allen suggested that agencies partner with multiple vendors, learn from other agencies, and “plan, plan, plan. Understand your environment, and the risk that you’re going to be accepting to transition to that environment.”