Internal cloud systems based on DoD servers promise stronger security in a more closely controlled environment, but at a higher cost than commercial cloud services. (Lance Cpl. Jackeline M. Perez Rivera / U.S. Marine)
The military would love to tap commercial cloud capabilities, for the same reasons that other kinds of organizations do, including cost and flexibility. However, the service branches need security measures that go beyond those prescribed by the Federal Risk and Authorization Management Program (FedRAMP), the government effort to speed cloud adoption by federal agencies.
The Defense Department has taken several steps to implement its overall cloud computing strategy, including designating the Defense Information Systems Agency (DISA) as its cloud broker. As currently structured, the DoD Enterprise Cloud Environment includes separate implementations and data exchanges on the Non-secure Internet Protocol Router Network (NIPRNet), Secure Internet Protocol Router Network (SIPRNet), and Top Secret/Sensitive Compartmented Information (TS/SCI) security domains.
The DoD’s Cloud Computing Strategy states that “all cloud services must comply with Department Information Assurance (IA), cybersecurity, continuity and other policies.” DoD will use commercial cloud services, according to the document, only if they “offer the same or a greater level of protection necessary for DoD mission and information assets.”
Internal vs. External
Geoff Webb, senior director of solution strategy at NetIQ, a security management software company, expects the DoD will continue expanding its utilization of cloud services in an effort to reduce costs and increase service agility.
“This expansion of use will undoubtedly include a combination of public, private, and shared cloud services, depending on the type of service and type of information being stored,” he said. “This [approach] will also enable them to continue to accelerate a move to mobile computing platforms — a move which is often tied closely to cloud services.”
Yet Webb expects DoD to continue storing its most sensitive information on a private, internal cloud infrastructure, noting the agency faces an “overarching requirement to protect some of the nation’s most sensitive data from private attackers, such as politically-motivated activists, as well as foreign nation-states and terrorist organizations.”
Bob Gourley, a former Defense Intelligence Agency CTO who currently holds the same title at Crucial Point, a Manassas, Va.-based technology research, consulting and services firm, also believes that the DoD isn’t likely to entrust its most critical data to commercial cloud service providers.
“Internal clouds are the key concept, and DoD is moving to them at a brisk clip,” he said. “External or public clouds are not likely to be used for mission technology, but may see some increased use for administrative purposes.”
DoD finds itself in the difficult position of balancing budget issues, security concerns, and government IT policies encouraging commercial cloud adoption.
“The federal government as a whole has made it very clear that they wish to maximize the use of cloud where appropriate in order to reduce cost and improve agility,” Webb said. “The DoD is not exempt from this requirement, although ... the varying degree of sensitivity of data will add complexity in their planning.”
However, while commercial cloud adoption is still iffy for DoD, the department is rapidly moving toward implementing private cloud services, primarily at DISA-hosted facilities, said Trevor Hellebuyck, CTO for product management and architecture at Metalogix, a firm that develops content infrastructure software for cloud computing platforms. DoD has made real progress by consolidating data centers, migrating users to enterprise email, establishing Defense Enterprise Portal Services (a scalable, cloud-based collaboration capability that enables mission partners to share information through independently managed community and mission-focused sites), and working on Cloud Broker to provision services across the enterprise, Hellebuyck said.
The DoD can rely on several generally accepted practices to protect data stored on an internal cloud, Webb said.
“I would anticipate they would focus heavily on data classification, user access control and monitoring, as well as encryption key management,” he said. “These disciplines would form the backbone of any good cloud data security program.”
Gourley believes that internal cloud adoption will help the DoD keep a tight lid on its most critical data.
“By fielding internal or private clouds, DoD is better able to watch for indicators of threat activity, and with new technologies, they will soon be able to put rules on gates to make threat indicators actionable,” he said.
Ensuring commercial cloud security promises to be difficult, since the approach introduces many variables that lie beyond the DoD’s direct control.
“The security challenge is ensuring that the data being put in the cloud is not just as secure as it is today, but more secure due to the greater potential for data breaches,” Hellebuyck said. “As more and more data is put external to organizations, more and more breaches will occur.”