The journey toward the cloud is filled with challenges, but the benefits it brings make the struggle worthwhile. Today we talk about all things cloud adoption with Rob Brown, CTO at the US Citizenship and Immigration Services Group. We jump in with some introductory comments about who the USCIS are and what they do, with Rob giving listeners an idea of his role within the organization. We hear about the massive move toward digitization at USCIS and some of the biggest challenges the organization is facing as far as cloud adoption. From there, our conversation touches on the benefits of a multi-cloud approach, how USCIS is implementing Zero Trust with regards to cloud security, and how microsegmentation fits into all of this. Tuning in, listeners will also learn about the metrics Rob uses to assess the process of cloud adoption at USCIS, how the shift to the cloud has helped address the issue of siloing, and the benefits of implementing a unified pipeline grounded by standardization. We wrap up with some current initiatives Rob is most occupied with before hearing about how he likes to stay sharp using an approach grounded in experimentation and testing. Rob is filled with insights to help keep teams robust and agile during sticky situations, so be sure to tune in and hear them all.
“We have got a very good security team and a pretty savvy group of application developers and infrastructure folks that take security and shift it as far to the left as possible.” — Rob Brown [0:17:19]
“Standardization, to me, has been critical in creating some of these unified pipelines.” — Rob Brown [0:29:14]
Links Mentioned in Today’s Episode:
Secure applications from code to cloud.
**NOTE: Generated via ML. Expect crazy stuff to be translated that may have never actually been said by the host or guest :-) ***
[00:00:35] ANNOUNCER: This is the Cloud Security Today Podcast, where leaders learn how to get cloud security done. Now your host, Matt Chiodi.
[00:00:49] MC: We've had a lot of public sector guests on the show over the last couple of months. The reason I've chosen to do this is, quite frankly, I find the progress in the US government around cloud to be extremely interesting topic. I think that even if you are not in the public sector, and you’re private, that you can pull a lot of useful information and learnings out of these episodes.
On today's podcast, I am interviewing Rob Brown, who is the CTO at the US Citizenship and Immigration Services Group. We really talk about the transition that they have gone through, and just how they are extracting value out of the cloud. Rob, thank you for joining us.
[00:01:35] RB: Thanks for having me, Matt. Appreciate it.
[00:01:37] MC: Rob, first of all, for those of us who don't know all of these awesome government acronyms, I know we're going to be dropping a lot of them over the next couple minutes here in the podcast. First of all, what is USCIS? What do you guys do? What is your role at USCIS?
[00:01:51] RB: Sure. First, USCIS is United States Citizenship and Immigration Services. We are a component of Department of Homeland Security. Really, we provide – the official statement would be, we provide lawful immigration. I like to state that, because I am also a customer, we actually provide benefits to the globe. We actually provide, really provide the American dream, or the ability for folks to achieve the American dream by ultimately, providing citizenship through the various lifecycle of benefits that this agency, USCIS provides.
Myself, I actually hail from Canada, have gone through the process of being a – becoming naturalized, and thought it was such a great mission, I actually became an employee. What I do at USCIS is I’m actually the Chief Technology Officer. Really, where the focus on right now, a lot of focus on trying to streamline a lot of the benefits becoming digital, streamlining those processes. There's still a lot of trial-and-error processes that are at CIS. There's still a lot of paper in play here.
We've been actually working for a few years just trying to work not only streamline these processes, but also digitize a lot of this paper. Not easy when you're talking about going through a lot of the government bureaucracy. I feel at CIS, we've actually done a pretty good job. Being leaders in a lot of technology initiatives from DevSecOps, to artificial intelligence and machine learning, to adopting some pretty cool platforms, from Kafka to Kubernetes. Really helping other agencies use, or leverage what we've already done. It's a great place to work. Really enjoy it. Have an opportunity to constantly innovate and test and experiment and actually, start to turn real products and seeing some of these actual efficiencies and streamlining and digitization efforts actually come to fruition.
[00:03:59] MC: That's awesome. Tell us, you've been there a number of years now, I believe in this role. I know that from looking at some previous interviews that you've done, that you've actually accomplished, I think, quite a bit, and what I think is a pretty short period of time there. Maybe if you could, for the audience, what are some of the accomplishments at USCIS that you are most proud of, maybe around cloud, sitting, your time being there? Which ones really stand out?
[00:04:24] RB: Oh, absolutely. I think, one of the – it's not just me. Again, this is accomplishments large for the organization. This is definitely a team sport. Would not be able to do any of this with pretty skilled folks and good charisma, as well as good organic collaboration with folks. I think, some of the major accomplishments was really moving the majority of our data and data processing into the cloud. Then ultimately, democratizing that data and various manifestations. Just opening it up to the folks that really needed it.
Some of the challenges we had in the past, were just data copies all over the place. We've got seven large clearing houses across the US. Just think of terabytes of data and all over these clearing houses, sometimes in multiple copies just there. Providing a good common platform with the right governance and the right pipelines, and then the right tooling that is easy to use has really opened up that aperture of people making data-driven decisions, people that wouldn't even be looking at data, now actually leveraging data.
Then ultimately, as we move forward, we've got a big push for, and a plan to do citizen data engineering and data scientists. We can further expand a skill set in a safe, low drag way for folks to get even more out of the data. That's been a big enabler, just by having the cloud and having the infrastructure that we have in place, but also the people that make it happen.
[00:06:00] MC: I love that. It's awesome. Well, I didn't realize that you were originally – you're from Canada. That's pretty awesome. I was wondering, at first, you're like, “I'm also a customer.” I was like, “Huh? How how's that?” That's great. You actually are now on the other side of it, and you're actually helping to make it better for those that are coming through this process now and in the future. Thank you for doing that.
Any time that I've spoken folks from the public sector side, and we're talking about bringing cloud into their environments, now, I know you guys are a couple years into this now, but did you run into a lot of friction at the beginning with wanting to move these processes and data to the cloud? What was that like?
[00:06:37] RB: We have about, I would say, about 95, if not more of our applications today, and services are actually now being delivered from the cloud. We started this journey, maybe 2016-17 timeframe. We’re early adopters. I think, the primary driver of that was our former, or was the former CIO, Mark Schwartz did a great job in just rallying the troops and really pushing the envelope on cloud adoption, which was wonderful. It's storming the beaches. You need to have the Green Berets out there, just to rake the headway and set things up.
At this stage, which we've done, again, having 95% of our workload in a cloud, or clouds is pretty – I think, it's pretty phenomenal still. Some of the real challenges to get there, of course, were security, and still is always, it's always the unknown, and I can't touch and feel. The other big challenge in getting there was skill set. At the time, cloud was still burgeoning, and really was, again, from a skill set, a lot of folks just did not have that skill set. A lot of learning, a lot of classes, a lot of automation, a lot of Python. That was probably a large part.
I felt at some points, we became more of a university for a lot of groups than just a contract, or workshop, or sweatshop cranking out product, which was great that the culture was awesome. I mean, just that really good learning culture, and experimenting and sharing and communicating with the various challenges and having people jump in. “Oh, I did this over here. Try this.”
We're at a stage now where the pendulum, I think, has shifted a little bit. The current challenges really are, how do we start to really start to put levels of standards and governance in place, so we can be a little bit more corporate, mainly in being more cost conscious, as well as just how can we start to really thinking about reuse? How can we get folks to think about certain libraries and certain frameworks? That does tend to have a little bit of kill of innovation to some degree, but we still need to think a little bit more corporately, and how we move forward, start to think about, give developer the keys to AWS and there goes your monthly spend.
There's a little bit of that going on, and trying to create some good tagging standards that we've done, and as well as just some good automation scripts to help ourselves be in check. We don't have the manual cloud janitors all over the place. We've done a lot of work in automating that. That still has taken a lot of time. It's also a bit of a culture shift, which some folks, at least the front office definitely enjoy seeing some of the benefits. It does take away from that educational testing and experimentation mindset, not to say that it's been dampered, or killed at all. It's still very much prevalent, but there's always a little bit of a question. The culture challenges is probably something that's the hardest right now.
[00:09:49] MC: Rob, I want to in a minute, I'll come back to your comment on security, because I definitely want to drill into that a little bit more. You mentioned clouds, plural. Is multi-cloud, the multi-cloud efforts at USCIS, are they mainly geared more towards supplier diversity? Or is it why is that? You mentioned multi-cloud. I found an article that, I think, you were interviewed back in April, where you said, “I still believe multi-cloud is a ticket to ensure we're getting the best out of the best.” Maybe if you can unpack that a little bit more for us, that'd be great.
[00:10:23] RB: Yeah, absolutely. I think, having that marketplace keeps everybody honest; I think, first and foremost. I think, it's important to understand what that marketplace is, not only from cost, but what services, features, functions are available. It's not one cloud fits all. I think, the latest term that I read here recently was it’s, multi-cloud is really called Sky Computing. What does the sky computing really look like? What does that ecosystem starting to morph into?
I think, the great example, some of this has to do with security, some of this has to do with just customer experience, is a good example of best of the best, or getting the best value for our dollar, or even this is what people know, or security. It's a little bit of all. Is the general, just basic desktop apps, and having those served up from one cloud, versus perhaps, where you store the majority of your developed products and applications. That's possibly somewhere else, because it's either known by the skill set, or it's better bang for the buck, or the actual services far exceed anybody else.
[00:11:30] MC: Rob, let's go back to the security comment that you made, and maybe let's put that in the context of multi-cloud. Every cloud is different. They all have their nuances, AWS, Azure, Google. There is little to no standardization between the different large cloud service platforms. How did CIS handle that? How do you handle the security? What are some things maybe that if another agency is listening to the podcast, where do they start? How did CIS handle this?
[00:12:00] RB: We started down this path, because of there was a business need to be multi-cloud. The specific example, through much ado, and much pontification, and even a little bit of verbal back and forth, and in a constructive way was moving off of on-prem, or local apps. Again, let's just say office apps, to something that would be more robust and cost effective and take that. The term we all love so endearing is the undifferentiated, heavy lifting off of folks and move it to some other group.
From a security perspective, this was essentially almost an easier path, or the defining moment, again, really was just a local app. Where is the best place for it to be? That was our foray into really, the multi-cloud, or sky computing. Again, from a security perspective, the security folks were, again, from skill perspective, what they knew, how they can start to actually put some controls around it and actually look at compliance, it really was less work for them based upon the resources that they had. As well as the CX was far superior for – large for the majority of the community.
The other approach that we took ended up actually writing an 8(a) contract. Mainly, because our security team really did not have the skill set, or understanding of how to do basic blocking and tackling outside of the current CSP that we were in. The 8(a) really was a multi cloud security engineering contract. It was a few years ago, that I wrote this, and we got it out at a group command and start to actually work through what does that look like?
Is it a single GSS within one cloud to serve them all? Is it GSS per CSP? Or is it a mothership with some federated pods out there that are reporting back? There was other avenues to this based upon cost and based upon intake? How do you start to drive and move current demands to certain CSPs, or clouds? That contract, and the team running it along with the rest of the USCIS folks, helped set the foundation for us on really an approach some of the basic security constructs that make a lot of sense for us, as well as made, or helped our security folks have a higher level of confidence that movement into this sky computing, or multi-cloud arena was something palatable and doable. It was probably the most important piece to work through.
[00:14:42] MC: Maybe for some of our listeners, and myself included, maybe you can explain what is an 8(a) contract.
[00:14:48] RB: Really, it's an ability to do a direct award to a company. It has a certain dollar threshold. If you have the ability to do a certain – a director award to group for a body of work, that has other limitations or restrictions around it. It’s a faster way to get highly skilled folks in to do a pretty specific job, in a nutshell.
[00:15:13] MC: That makes sense.
[00:15:16] MC: Prisma Cloud secures infrastructure, applications, data, and entitlements across the world's largest clouds, all from a single, unified solution. With a combination of cloud service provider APIs and a unified agent framework, users gain unmatched visibility and protection. For our federal customers, Prisma Cloud is now FedRAMP Moderate. To find out more, go to prismacloud.io.
[00:15:45] MC: One of the things that's become really popular over the last, I'd say two years, and maybe this was probably even before, or a little bit after you guys started into the cloud journey, but I'm curious how zero-trust factors into how USCIS is approaching the cloud to make it more secure. Where are you guys out on your zero-trust journey? What does that look like for you?
[00:16:07] RB: We've had a few fits and starts over the past two years, I would say. We've made some experimental forays into zero trust on the networking side, on the application side, and just recently, within the past few months, have really started to move out on zero trust, looking at what's really coming up with the appropriate implementation plan, understanding, baselining our operational capabilities, and not codifying it, but getting agreement across all of the IT divisions that would be responsible, or have a party in zero trust, which we have done.
We've started to look at the baseline, or alignment of those operational capabilities as to what we have, or at least, what we think we have to satisfy those capabilities. Then ultimately, start to prove it out. We're at a stage now where I think, we've got a decent understanding and baseline aligned to a ZTA implementation plan with core operational capabilities. Now, it's testing those out, ensuring that meets the muster.
I think, we are pretty lucky. We've got, again, a pretty good, well, very good security team, and a pretty savvy group of application developers and infrastructure folks that really takes security and shifted as far to the left as possible. There's still coordination. There's still alignment. There's still a lot of unknowns, as just went large as to what it really is zero trust. Where, I think, we're at a stage now of coming up with that lingua franca, and that common lexicon. I think, it’s probably some of the most important things you can do. That's still underway and getting that lexicon out to all the parties at play and the stakeholders.
We've also started to do some experimentation. Pretty targeted experimentation and micro-segmentation. How does that look like? Can we start to develop patterns here that can be derived from either a framework, or potential libraries, something that could be contributed to in a git repo, or repos? that's where my head's at, and where we've actually started to move out on.
[00:18:15] MC: I'm curious. You mentioned micro-segmentation there right at the end, when we were on this soliloquy on zero trust. How do you see micro-segmentation playing into A, in the cloud and then B, around as your attorney strategy? How do you at least picture that? I understand that you guys may not have it today, but when you look at the next 18 to 24 months, what does that look like?
[00:18:38] RB: Well, first, I think it's probably the hardest nut to crack to some degree. Others may say differently. From where we sit and how we're structured, not only culturally, organizationally, our communication patterns, even I would say, our technical debt, it's probably going to be the most challenging. That's why I think, experimenting here is the most important place to experiment. I think, that coupled with some software defined networking constructs, cloud and otherwise, because we do have some constraints on basically, compliance and security constraints on what we can and can't do is pretty important.
I don't think any of this is seriously insurmountable or challenging. I think, it goes back to people and culture. Ideally, from some of these experiments, the goal is to again, come up with reusable patterns, find out where the chinks are and the most likely, those will be some of the legacy lift and shift apps that we've got in the cloud. We'll take those in stride. Work with the high-performing folks that do have a cadence of delivering multiple times a day or, at least a couple times a week, where we can get some good wins and test from there.
[00:19:48] MC: One of the things that I often get asked from customers and clients, public sector, private sector is you mentioned the number of challenges that USCIS had when moving to the cloud. I'm sure some of these are still challenges today. You mentioned security, the skill sets cost efficiencies. Is there a way that you are tracking progress on that? There's always been a lot of talks, and especially in security, around metrics, but also on the IT side of the house. Are there certain metrics that you will look at, at least at a high level, just to see, “Hey, we were at X at this date, and now we're at Y, or X minus Y.” How do you know if you're winning the ballgame? I'm curious, how you at least think through that.
[00:20:31] RB: I'll take it purely from a DevSecOps perspective. There are definitely metrics that we do look at. Deployment frequency, there's quality and quality is, “Okay, what does that really mean?” We've got a decent way to measure quality from static code analysis to some CX and UX measurements that we've got, as well as just the litany of other same old, same old from SLAs to MTTRs, and you name it.
We've been tracking this and actually, put a policy in place for this work. Geez, I think it was a contractor back at the time. This is probably five years ago. We have at least five years of data that's similar – I would say, it's very akin or very similar to some of the work that Jez Humble had done in the past, and some of those folks had done in the past with the DevOps playbook, and how do you measure DevOps. Really, a lot of big borrowing from those folks, and some maturing along the way.
Some of the other newer measurements that I think that are more important is, of course, just basic security and alignment to some of those release metrics over time, which always has seemed to have been disjointed, and not aggregated. We've started to do that collection. I think, the other area that to me is even more important is, as we're starting to move for more of a project-based, so you can imagine a agile fall, not that we're an agile fall, but that there are some of that that exists, I think the mentality from a personnel and contracting perspective is very agile fall.
As we look at more of the dynamic teaming and reteaming and slowly moving from, and moving into a product mindset, those sorts of metrics, or flow metrics, I think, are very important. Because they can illustrate where it's really not technical debt. A lot of this just has to do with churn, or contract turnover, or just general people, things. There's still a lot of maturity in that hygiene area that I think will make USCIS way more efficient, and be able to do a lot more.
[00:22:44] MC: A lot of organizations, they struggle with silos inside of them, right. Those silos can create friction. They can slow time to production. I guess, my question for you is, is how is the move to cloud, to DevSecOps? How has that maybe helped you to mitigate some of those challenges? Obviously, not, you guys aren't perfect. Nobody's perfect. I'm curious, how have you seen cloud actually facilitate, maybe doing away with some of those silos challenges, or at least addressing them?
[00:23:12] RB: Let’s go back to some of the learning aspects and the sharing of essentially, creating our own stack overflow, so people can share, learn and understand. That's definitely helped to bust some of the boundaries and the silos. That's only at a technical engineering level. The real silos get generated, I think, where the money flows, and who's ultimately making decisions as to what work should be done.
I think, the cloud has enabled the ability to see the work in flight through various standards, various platforms and tools, etc., that we've got in place. I think, it's starting at the from the top-down, and illustrating some of what's actually happening on the ground to business decision makers, so that they're able to – we'll be able to see, again, what's in flight, where are some of the team’s long poles are.
For example, if you have multiple teams working on one product, and there's a dependency, and just doing general on-prem type of work, typically, that was very difficult. Now with the appropriate standards and certain governance in place, I can start to highlight that work very quickly and very easily with cloud-like tools, as well as just with the cloud in general; from infrastructure, but also just releases and deployment.
As we start to centralize and aggregate on certain platforms, that just exposes it even more with the appropriate standards or metadata in place to track it. Working that at the higher level, and having the business decision makers in a group, so they can make data-driven based upon what we've just discussed, decisions on where should we move, or what's the priority, definitely will help.
I think, the cloud is also just helped in back to just enabling to some degree on the past side, not so much on maybe software delivery, but on the past side, leveraging more citizen development tool sets or platforms, that is given more exposure to more folks writ large. They may, instead of just building a whole app, they're able to – or take a old locally developed app and one of these service centers that exist, or clearing houses, these folks now have a capability in a safe manner with a unified pipeline, can now just build the facet, or feature, or function that they need pretty quickly. Communities of practice have sprung up around some of these efforts and platforms that have helped to break down a lot of these silos. That's still a work in progress, but I've definitely seen a lot of promise there.
[00:25:57] RB: I'm curious. You used the term ‘unified pipeline’, which is something that I think a lot of organizations are after, or somewhere in that process of trying to get to that. I'm curious from your perspective, and just some of the benefits you've seen, and we talked a little bit about DevSecOps, but how has working towards a unified pipeline, how has that helped with DevSecOps and automating some of the, maybe the security controls? Maybe, I don't know, you can throw in there. I'm curious to see, are you guys making heavy use of containers and infrastructures code? How does that all come together for you, guys?
[00:26:34] RB: Absolutely. It definitely makes a difference. Just, again, a little bit of history to provide more context. The adoption to the cloud, we're talking many years ago, again. It was very rogue. It was great for learning and great for sharing. Ultimately, what it ended up doing was probably creating some of the silos. Everybody had their own pipeline, everybody had their own Jenkins server, everybody had their own way of doing unit testing, everybody had their own suite of automation tools.
Everybody could be writing Java, and coding in Java. Didn't matter. Moving out on unified pipelines, and I would say for just for delivering a product that's either from an infrastructure perspective, from a machine learning perspective, to even just an application, or some platform that's delivering value from a citizen development type of manner, has definitely just paid some dividends. That's just a constant work in progress. We have been able to standardize on the majority of the platforms that we use, mainly from infrastructures code, application development, so that the security folks, so that the infrastructure folks, the networking folks, as well as just release management, and again, back to the business of IT, we can start to see really what's happening, and draw data from all of this information.
Having some of the standardized tools from tip to tail on it to say, from your product management, Jira, as an example, to deployment, which could be right now predominantly is Kubernetes clusters, has been very fruitful, but still a lot of work. As far as the security tooling, really, I think, we've embedded a lot of good security tools from some pretty simple to relatively advanced static code analysis tool sets to container scanning tools, either in stasis and a registry to at runtime.
Over line those to DHS STIGs, to various other compliance standards, so we actually get real-time information. At this stage, we're also working out with embedding this in the pipeline, the ability to do dependency management, writ large. I think, we've got about probably more than half the organization covered just in dependency management, which is wonderful. Embedding that, ideally into the IDE of the developers. Even before they do a pull request, they can see what nonsense they may be introducing into the environment.
The standardization to me has been very critical, and really creating some of these unified pipelines. Otherwise, best of luck, you're never going to know. Especially as you move into – if folks do move into a more of a decentralized, microservice serverless world, you're definitely going to need to have some level of orchestration, not just, of course, for your pods, or your containers, but also, for how it's being run and managed; the pipelines, as well as just the general product hygiene, writ large. That's really where I would recommend folks start and maybe also, start at the deployment and writ in the middle and have the various constructs in place, like security, quality, automation, as the core tenants of building out the frameworks in between.
[00:29:58] MC: When you think about cloud leaders in the federal government, who are some of your peers that you look to for best practices? Maybe open it up for some of us that day-to-day in public sector, what does that look like in terms of collaboration?
[00:30:13] RB: A lot of good collaboration I've had with a lot of my DHS colleagues, other CTOs at DHS, CBP, and ICE and FEMA and HQ, we all speak with frequency regularity, both formal and informal, which is great. It's nice to have those relationships and that network in place, because we share ideas all the time, not just with cloud, but just general organizational constructs. How do we communicate? How do we implement to reverse Conway's law a little bit better, and architectural principles to changing how we talk to each other?
A lot of folks just within DHS are very brilliant, very bright people. It's great to actually work with them and bounce ideas off of them. I would say right now, as far as some of the major initiatives that we're currently working on is, just what does cloud data sharing look like? That's a biggie for us, as you can very well imagine with a lot of the challenges that exist today and managing the various functional, mission-oriented facets of those organizations, and the data that would enable the other organizations to be faster, cheaper and better. The cloud data sharing is a biggie right now.
[00:31:29] MC: I love that. I love that. Well, Rob. I've loved our conversation today. One of the questions, or one of the things that I love to ask leaders is, how do you stay on top of things, right? Because all the research shows that leaders? My question for you is this. How do you stay on top of things in maybe from a cybersecurity perspective? Let's drill down to that. What do you read? What do you watch?
[00:31:52] RB: Definitely a lot of reading. I'm just a nerd. I would also say, least personally, experimentation and hands-on keyboard, definitely not much of a policy guy, or – that just bores the heck out of me. Actually, just really doing experimentation, testing products, doing AOA, so I can understand the value and benefit we're getting from certain tools, and platforms. Just going all out and balls out and testing this stuff out is to me, is I think, probably the best way to be in touch and stay in touch with technology.
Of course, reading is great and great ideas that's just get spawned from some of those late-night sessions, or early morning sessions on the porch. Applying them, or at least testing them, I think, has been really beneficial for me.
[00:32:43] MC: If our listeners want to connect with you, and maybe learn a little bit more about you, what's the best way for them to do that?
[00:32:48] RB: I think, the best way is through email, or probably just email, actually. Or, I don't even know. There's Twitter handles. Probably, LinkedIn is also another great way for reaching out as well. Love to talk to anybody who has some great ideas and wants to talk core tech, or advanced tech and plenty of things we'd like to talk about and find really good talent to actually come and help us at CIS. We need the help. It's a great mission and a lot of cool stuff going on. It's definitely not for the faint of heart. If you're into some cutting-edge tech, you're at least maybe bleeding edge, but it's a great place to work.
[00:33:28] MC: Sounds like you're hiring. Are you hiring?
[00:33:30] RB: Absolutely. Always.
[00:33:32] MC: All right, so the question is going to be, where do they go to look for jobs at USCIS?
[00:33:37] RB: There is usajobs.com. There's also areas within monster to go and find plenty of spots on. We announced a position here. I think, it was on Friday, to work in our software delivery group. That's probably the best place and just do a keyword search on USCIS and see what pops up.
[00:33:56] MC: Awesome. Well, Rob. Enjoyed having you today on the program. Thanks so much for joining us.
[00:34:00] RB: I appreciate it all. Thanks very much, Matt. Take care.
[00:34:02] MC: See you.