How the U.S. Census Bureau leveraged cloud services to modernize security

The U.S. Census Bureau is perhaps best known for conducting the nation’s decennial census. Its primary mission, though, is to serve the American people by collecting and analyzing vital statistical data about the population and the economy to guide decision-makers and policymakers at all levels of government, including 90,000 state and local governments and virtually every industry.

It’s a lot of data — and by law, all of it must be kept confidential and protected. That keeps Beau Houser, the bureau’s chief information security officer, and his team of roughly 100 security specialists and developers focused not only on daily security threats but also on many projects to modernize the security of the bureau’s complex IT infrastructure.

When Houser joined the Census Bureau in the fall of 2019, following security stints at the Department of Homeland Security, the Centers for Medicare & Medicaid Services, and the U.S. Small Business Administration, he recognized several challenges faced by many federal agencies that needed immediate attention.

Among other concerns, improving and enhancing visibility into the bureau’s IT environment was needed to strengthen the ability to detect and respond to cybersecurity threats. The bureau also faces burdens with managing a large number of servers supporting enterprise log management, which requires extensive maintenance and resources. Additionally, the bureau’s security practices were centered primarily around compliance, which had become increasingly ineffective at protecting against new and rapidly evolving cyber threats.

Focusing on the challenge

While the Census Bureau had been actively migrating many IT operations to the cloud, Houser determined that one critical area to address was the need to “implement a different approach to enterprise audit and log management.”

Part of that was driven by new agency mandates issued in an August 2021 White House memo (M-21-31) outlining steps to establish a more mature log management system to detect, investigate and remediate cyber threats on-premises and across increasingly distributed third-party services. Prompted partly by the SolarWinds malware incident, the memo also required agencies to prepare to share incident information with other federal agencies to help the government respond to incidents more quickly.

Another factor was what Houser described in a recent interview as “a big data problem” involving multiple terabytes of data per day. Storing and analyzing that data required maintaining and patching roughly 50 aging servers dedicated to the enterprise logging service. “You’ve got logs coming from tens of thousands of devices — simultaneously feeding logs into a centralized repository. And we saw how critical it is for us to get that right to quickly recognize and respond when something bad happens.”  

Transformative solution

Houser knew the bureau needed a cloud-native enterprise logging solution aligned with its ongoing cloud migration strategy. Specifically, he sought a solution that met several critical criteria: It had to be flexible and scalable to manage and aggregate the massive amounts of log data generated by the Census Bureau’s operations during peak periods. It had to provide comprehensive visibility across the bureau’s entire IT environment. It needed to lower operating costs and complexity. Lastly, Houser wanted a software-as-a-service solution that reduced his team’s maintenance activities to allow more time to hunt potential threats proactively.

After a careful evaluation, the Census Bureau transitioned from an on-prem logging service to a cloud-native enterprise logging analytics solution, delivered and maintained as a service by one of the leading federal cloud and enterprise providers.

Improved outcomes

The transition, once complete, started paying dividends almost immediately, according to Houser, by providing:

• Full integration – “From a log source standpoint, we’ve been able to aggregate all logs from the entire enterprise,” said Houser. That includes logs from on-prem devices, the bureau’s data center, and other cloud services. “So you’re talking about a cloud-to-cloud communication from that standpoint.”

• Wider visibility – The transition provided a broader window on security data not just for security operations staff but also for operations and maintenance personnel who need this information for troubleshooting errors and communication bottlenecks. The security problems captured in the log files “are expansive,” he said, so it’s important that “there’s a lot of experts dealing with those problems and reviewing the logs to figure out exactly what’s going on. We’ve been able to improve our collaboration pretty significantly.”

• Greater granularity – Adopting advanced cloud-native solutions increases zero-trust capabilities that “allow you to be very granular with [user] access. It’s helping tremendously,” said Houser.  “Before, if you could read something, you could copy it. Now what we’re seeing is broken down even further, where you can give someone read access and deny them access to copy it.”

Zero-trust implementation

That added granularity also helps the Census Bureau apply conditional or attribute-based access policies versus role-based ones. “More and more cloud service providers are beginning to build those capabilities into their cloud natively,” Houser explained.

“Once you’ve got your authentication and policy engine in the cloud, you can configure those policies to say, ‘You’ve got to have this login with multi-factor. You have to be on this specific device. And you have to be coming from this geographic location.’ So, you open up a whole new set of attributes that you can use for that login process. We’ve seen so many attacks where someone takes over an account, and then they run through a system. If you have the conditional access set up, the account alone won’t let you in.”

Another advantage of a cloud-based software-as-a-service that Houser’s team is now working to capitalize on is the ability to configure endpoint products centrally. “So if malware hits a laptop, we can configure the automation to say, ‘Automatically download the forensics package, automatically quarantine the box, automatically do this step, and that step.’  So, you can create logic related to the workflow that the analyst would typically do.”

Lessons learned

In addition to achieving greater security practices and lowering operating costs, Houser believes working with cloud-native solutions to support zero-trust will yield additional benefits.

“As we continue moving down this path, we’re going to be able to really improve the user experience,” on par with the experience consumers routinely encounter engaging with their bank. There’s a lot of flexibility with zero trust. It sounds rigid when you say zero trust, but it’s very flexible.”

Additionally, Houser sees a longer-term benefit in picking up the tempo of technology deployment.

“The vendors in this space are all very, very capable. But at the end of the day, our IT folks have to maintain whatever we set up.” The challenge organizations increasingly face is “there’s not enough IT expertise — and certainly not enough cyber expertise” to keep up with the pace of change.

Leveraging cloud-native software-as-a-service solutions helps address that and allows new capabilities to be implemented quickly. “We’re always seeing new functions and capabilities creep into the portals we use to access the data. Queries get more optimized, intelligence gets more streamlined and integrated, and you’re able to do more AI and machine learning type activities that allow your analysts to focus on higher-level analysis.”

This report was produced by Scoop News Group for FedScoop as part of a series on technology innovation in government, underwritten by Microsoft.