The Defense Information Systems Agency has set up a Defensewide directory of email addresses in support of its enterprise email system. But the real value in listing every military and civilian employee, contractor and retiree email address may be in securing information in a new way.
Alfred Rivera, director of DISA’s computing services directorate, said the 4.5 million-person directory replaces multiple Active Directory services under Microsoft Outlook, and gives the services and Defense Department agencies a way to manage employees’ roles and responsibilities.
Rivera, speaking Wednesday during a cloud computing conference sponsored by 1105 Government Information Group in Washington, said the directory — also called an enterprise application forest — would require DoD employees, contractors and retirees to use their Common Access Cards (CAC) to securely log on to the software programs, in addition to the current requirement for network access.
“Then you start getting into the attribute-based access control processes where authentication against an application to a person is identified within that application service forest,” he said. “So Alfred Rivera is only authorized these applications identified in that service forest. Those would be laid out in that capability.”
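One way to picture the check Rivera describes, as an added example that is not DISA's code or design: a deny-by-default authorization over a single enterprise directory, where each application logon must be CAC-authenticated and entitlement is decided by attributes recorded in the application service forest. All directory entries, application names and attribute values are constructed.

```python
# Added example (not DISA code): deny-by-default access check modelled on the
# article's description: one enterprise directory of identities, CAC-based
# authentication for each application, and per-application attribute rules
# held in an "application service forest". All names and data are constructed.
from dataclasses import dataclass

# Constructed directory entries; affiliation values mirror the article's groups
# (military, civilian, contractor, retiree).
DIRECTORY = {
    "alfred.rivera@example.invalid": {"affiliation": "civilian", "org": "DISA"},
    "jane.doe.ctr@example.invalid": {"affiliation": "contractor", "org": "DISA"},
    "ret.smith@example.invalid": {"affiliation": "retiree", "org": "ARMY"},
}

# Constructed application forest: each app lists the attribute values a subject
# must carry. Entitlement follows attributes, not a hand-maintained user list.
APP_FOREST = {
    "enterprise-email": {"affiliation": {"military", "civilian", "contractor", "retiree"}},
    "sharepoint-svc": {"affiliation": {"military", "civilian", "contractor"}},
    "race-admin": {"affiliation": {"military", "civilian"}, "org": {"DISA"}},
}

@dataclass
class Session:
    subject: str
    auth_method: str  # "cac" or "password"; only "cac" satisfies the policy

@dataclass
class Decision:
    allowed: bool
    reason: str

def authorize(session: Session, app: str) -> Decision:
    """Deny by default; every condition must hold before an allow is returned."""
    entry = DIRECTORY.get(session.subject)
    if entry is None:
        return Decision(False, "subject not in enterprise directory")
    if session.auth_method != "cac":
        return Decision(False, "application logon requires CAC authentication")
    policy = APP_FOREST.get(app)
    if policy is None:
        return Decision(False, "application not registered in service forest")
    for attr, permitted in policy.items():
        if entry.get(attr) not in permitted:
            return Decision(False, f"attribute {attr!r} not permitted for {app}")
    return Decision(True, "all attribute conditions satisfied")
```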
Agencies are looking for ways to stop uncontrolled releases of information since the WikiLeaks event in 2010. Last October, President Barack Obama issued an executive order requiring agencies to do more to protect information.
More than secure information sharing
Rivera said the directory’s benefit in helping move DoD toward secure information sharing was only part of the reason why DISA took on this herculean effort. He said that without an all-encompassing listing, enterprise email wouldn’t work well.
The Army is the first military service moving to DISA’s email in the cloud. The Army has moved more than 300,000 users so far, and will complete the move by May. Congress required the Army to submit one report and DoD to submit another about the cost benefits of cloud computing.
Rivera said the identity management capability will make it easier for others across the department to use the enterprise email or other cloud services in the works.
DISA is in the final stages of testing a new enterprise portal that includes SharePoint-as-a-service.
“We have hundreds and hundreds of SharePoint instances located across the globe and the department sees an opportunity if we can provide capability in a cloud architecture where we have a common standard and a common architecture that everyone focuses on, we can save millions associated with that,” Rivera said. “We are in the process of completing the engineering designs. We are piloting it with the U.S. NetCom, which is the signal community for the Army. We have about 14,000 users located globally on this SharePoint instance and we are going through the right measurements and testing whether or not we are meeting the performance and latency requirements that the system requires.”
He added the portal will go into production in late February for other services and DoD agencies to use.
Along with the enterprise portal, DISA is expanding its Rapid Access Computing Environment (RACE) to provide more than infrastructure-as-a-service, such as storage and computing power. He said DISA implemented content delivery services, letting services put data on one or more of the 62 nodes located around the world so they can pull data quickly and not have to wait for it to travel around the globe.
DISA also has a test and development platform in the cloud and is considering moving it out to a public or hybrid cloud.
In fact, Rivera is developing a white paper on how DoD could use hybrid clouds, which should be delivered to DISA Director Air Force Maj. Gen. Ronnie Hawkins and DoD CIO Teri Takai in the coming weeks.
DISA’s lessons learned on identity
Other agencies could benefit from DISA’s experience in managing identities in the cloud.
Agencies now are beginning to use their secure identity cards under Homeland Security Presidential Directive-12 and need to think about how they integrate with cloud computing services.
“We are running some test studies and cases at NIST to ensure you have that interoperability between your CAC card or your [HSPD-12] card and the cloud,” she said. “But for many of you, as you look at your mission, you have other consumers, you have other folks who you work with in your environment and they may have other authentication requirements and mechanisms that they want to put in place. How are these going to work with cloud?”
Dodson said along with secure identity cards and cloud interoperability testing, NIST is testing how best to manage cryptographic software keys in the cloud.
She said agencies and industry do not do a good job in managing cryptographic keys.
“In a lot of these cloud environments, they are supporting a lot of your privacy needs and some of your security needs using good strong cryptography,” Dodson said. “But if the cryptography is so good that you don’t have a good key management system and it stays encrypted forever, it’s not going to help you. As you think about that interoperability and portability when you move forward, you need to be thinking about this from a very large scale. That is a tough one to get right.”
Dodson also said agencies need to keep in mind their network connections to make sure their Internet connections are big enough to handle the data transfer through the cloud.
She said a recent NIST document addressing security and privacy in the cloud would help agencies manage risk as well.