OPM’s changing cybersecurity posture: From protecting the perimeter to protecting it all

With between 5,000 and 6,000 employees, the Office of Personnel Management belies its influence. And as it plans to “sprint toward the cloud,” it has selected its provider in order to, on two fronts, shed its legacy data center and legacy network.

“First, we are migrating current systems into the cloud where we can,” said Curtis Mejeur, senior adviser to the director at OPM,  on Federal Monthly Insights – Network Transformation and Modernization (via EIS). “That’s a lot about governance and a lot about how do we just move things off of the blades in the basement, into the providers spread throughout the US.”

And second, OPM is moving toward maximizing its cloud experience through “redevelopment.”

“So we’re slating for, hopefully, toward the end of the year to really deploy some new systems to the cloud using auto scaling, you know, really having an automated continuous integration/contiuous delivery (CI/CD) pipeline running, so that we’re getting the maximum value from that procurement,” Mejeur said on Federal Drive with Tom Temin.

Then, of course, there is cybersecurity. Long before stories on it inundated the mainstream media over the past few years, OPM, since 2016, was on the path to improvement.

“We did a phenomenal job of securing the data centers we had,” Mejeur said. “But now, just like everybody else, we’ve got to make that pivot toward the cloud, and really having cloud-enabled cybersecurity tools.”

Mejeur said the move is from physical firewalls to virtual ones, where Trusted Internet Connection (TIC) has gone from running in their data centers to running in their cloud provider.

“We need a zero trust architecture, so that it’s properly implemented all the way to the edge and all the way to the core,” Mejeur said.

With nearly 100,000 daily cyber attacks directed toward American individuals, as well as the public and private sectors, cybersecurity is serious business. Many have characterized it as today’s most important issue to help keep information safe and the American economy free from costly (successful) attacks. Mejeur’s language does not sugarcoat the goal.

“As part of this cloud initiative, we are looking to change our cybersecurity posture, kind of from protecting the perimeter to protecting it all,” Mejeur said.

Mejeur said OPM is taking a one-by-one methodology. The agency will go device-by-device through the network to implement its goal, by ultimately reaching the legacy items that are going to have to exist in a data center for a while.

“I’m a big fan of brutal honesty with what you have running in your network,” Mejeur said. “Often times you can take kind of this favorable lens, on whether you think you’re protecting all of the resources inside the network or not. And in order to get every device, you really need to go one-by-one, to verify that. You have that challenge response implemented, from soup to nuts.”