Since May, the Defense Department has more than doubled the number of approved commercial cloud computing providers.
The military services and agencies now have more than 50 vendors to choose from to buy commercial cloud services at low and moderate security levels.
That’s a good start for DoD.
“For low-risk stuff, we actually access those clouds over the internet. When we move into moderate risks, we’ve actually worked direct connects into the commercial providers,” said Rob Vietmeyer, DoD’s government lead and strategic adviser to the chief information officer on enterprise cloud computing, at the National Institute of Standards and Technology’s Cloud Computing Forum and Workshop on Sept. 15. “In commercial data centers, we can do our network peering. We’ve tied it into our perimeter defense for our Non-classified Internet Protocol Router Network (NIPRNet) environment so we can firewall and filter for some of that traffic so we can protect the NIPRNET from any of the threats that may originate in that cloud environment.”
Now the challenge is to figure out how to move above security level 3 to levels 4 and 5 for high-impact systems. While 88 percent of the systems across government are considered low or moderate risk, the majority of high-risk systems reside in DoD or the Department of Homeland Security. Since DoD has the most high-impact systems in government, and moving those to commercial clouds is more complicated.
The Federal Risk Authorization and Management Program (FedRAMP) released the standards baseline for these high impact systems in July, and included a number of new stricter controls to meet DoD’s needs, but there is more the military needs to do.
The Pentagon wants to take to ensure the security, reliability and accessibility of these mission critical systems in the cloud.
John Hale, the Defense Information Systems Agency’s chief of enterprise applications, said at a recent AFCEA Washington, D.C. chapter breakfast that a new secure cloud computing architecture (SCCA) will help them move to off-premise commercial services.
“The secure cloud computing architecture (SCCA) is a suite of enterprise-level cloud security and management services. It provides a standard approach for boundary and application level security for impact level four and five data hosted in commercial cloud environments,” Hale said in an email to Federal News Radio after the event. “Our goal is to deliver an assured computing environment, capable of dynamically responding to the department’s rapidly evolving mission needs. As the same time, we want to build economies of scale for a functional and operational perspective, to maximize the return on IT investments across the department.”
The SCCA ties back to a point Vietmeyer said at the NIST event as well.
One big challenge the Pentagon — and probably most agencies — face is how best to do application security in the cloud.
“In the DoD, we’ve built a lot at the perimeter. We’ve hardened our networks. We’ve hardened our data centers. But we relied upon those data center operations to do a lot of the application security,” Vietmeyer said. “As we are picking up our applications and moving those out into the commercial environments, we are finding this gap in terms of skill set, tooling, implementation approaches on how do we actually do application level cyber operations in these commercial environments?”
He said the cyber workforce has worked mostly at the perimeter and data center or enclave level and do not have the skill sets to secure apps in the cloud.
Hale said the SCCA is one potential solution to this broad challenge.
The architecture would provide physical security at strategically located cloud access points, and virtual security stacks for applications and data, as well as a suite of shared services to include privileged user management.
“Together, the components will eliminate the requirement for DoD components to develop and sustain custom application-level security solutions and fast-track their authority to operate, to quickly move into the commercial cloud,” he said. “DISA is in the early stages of development and testing, and will deploy a pilot instance of SCCA in January 2017. A select number of DoD applications will be evaluated, and we expect to deploy our production environment in the first quarter of fiscal 2018.”
Hale said the current approach to cloud security focused on access points, serving as a gateway to the commercial environments.
But as more services and agencies moved applications to the cloud, they needed a virtual set of common capabilities for security operations.
“Our mission partners needed a way to secure applications and data in a virtual manner, much like what you would see in a traditional data center. We want to make it easier for the DoD to leverage cloud offerings at impact levels four and five, and believe SCCA will be a facilitator of cost savings,” Hale said. “Making the cloud even more appealing to mission partners that may not have the security requirements available to transition to a commercial cloud environment. The DoD will retain operational responsibility for applications and data hosted in the cloud. SCCA will serve as the conduit between the DoD and commercial providers, protecting DoD networks from cloud environments, and providing continuous monitoring and reporting for security assessments.”
Vietmeyer said DoD is looking at how to virtualize web-access firewalls, application scanning and reporting tools, standard malware protections in a cloud environment and tie them back into the Pentagon’s security operations center to ensure they are responsive to incidents in the cloud.
He said this is all part of the culture change of transitioning from internal data center protections to cyber in the cloud.
Another big challenge in moving to the cloud is specifying who is responsible for dealing with cyber incidents when they happen.
Vietmeyer said early cloud deployments and considerations were similar to software licenses, but as more applications and data goes into the cloud, the relationship between customer and provider is becoming more complicated.
“Right now, we are inheriting a lot of risks with these contracts and efforts. We haven’t thought through and make it easier enough to capture a lot of the metrics and service level agreements that need to be in place to ensure ongoing dependability of operations and security as we make this transition,” he said. “We took a look at telling the contracting officers at least in a quick look here are the type of contracting clauses at a high level you need to put into the contract. Things like how to handle security. We talked about incident reporting so if there is an incident, how does that happen? What are the responsibilities between us and our vendors? We have at least a basis now for our standard contracting. We are working a guide book for our requiring authorities.”
He said the guide book will help the mission folks understand what are the key areas and considerations they need to make in going to the cloud.
“What we are finding is that moving to the cloud looks more like a program than it does buying a software license,” Vietmeyer said. “We have a Pathfinder project right now where we are looking into moving into the Office 365 cloud with some Air Force and Defense Logistics Agency communities. We are about a year into that project from contract award. We still haven’t been able to start onboarding users yet because of all the level of integration that needed to happen. We had to improve some of the security implementation. We had to work the network connections. We had to work integration with our directory services and authentication mechanisms. Turns out there is a lot of work that happens in most of these cloud environments that is folks approach it as just a software license, they will be in for a rude awakening when they realize what it really takes to implement these type of things.”
DoD’s efforts around the SCCA and its related initiatives to define and ensure the security at the application layer will help pave the future path for civilian agencies. It’s just a matter of how fast can DoD get there in order to share those experiences more broadly.