As the military community increasingly turns to commercial cloud capabilities, the question looms large as to how they will maintain the security of Defense Department networks and data. One answer: the cloud access points that will serve as reinforced gateways between internal networks and the web.
The Defense Information Systems Agency's initiative in implementing cloud access points is gaining momentum as the number of commercial providers certified to operate at high-security levels continues to grow. More vendors means more options for the services to choose from to buy commercial cloud services — and more links between the separate networks and clouds.
"A cloud access point [CAP] provides two functions which enable DoD to leverage approved cloud service offerings [CSO] in support of sensitive DoD missions," said Jack Wilmer, DISA infrastructure development executive. "First, the CAP extends the Department of Defense Information Network [DODIN] into approved CSOs, and, second, the CAP provides protections for the DoD network from applications hosted in that CSO."
Currently, DISA's CAP capabilities are at initial operating capability and are in use in "two geographically diverse locations" that officials did not specify. But DISA's goal is to institute a strategy over the next six months that scales CAPs' use across DoD, Wilmer noted.
"A CAP being fully scalable and able to support the enterprise, to include the availability of the application protection enterprisewide, is scheduled to be ready by early 2016," Wilmer said. "We are working with the CSPs [cloud service providers], industry and stakeholders to plan long-term goals, how best to take advantage of industry best practices, and fully realize the virtualization and optimization of the CAP."
Only July 24, DISA released a new functional requirements document to guide implementation and security of CAPs across DoD. It was accompanied by an updated cloud security requirements guide and a concept of operations for cloud computer network defense.
It's a fast-moving initiative as more CSPs attain security accreditations necessary to operate at DoD's incrementally higher levels of data sensitivity, also known as impact levels. To get the accreditation, companies must meet all FedRAMP requirements plus additional DoD-specific requirements.
Roughly 25 CSPs are cleared to operate at level 2, which involves "noncontrolled unclassified information which includes all data cleared for public release, as well as some DoD private unclassified information not designated as controlled unclassified information or critical mission data, but the information requires some minimal level of access control," said DISA.
As the security approval of CSPs accelerates, so does the rollout of CAPs — by necessity, officials have said.
"Where we're at right now from a DoD perspective is we're getting the cloud access points in place, and we're starting to actually move forward and put the capability out into the space as more and more commercial providers come online with the right accreditation," Dave Bennett, director of DISA's implementation and sustainment center, said at an industry event in June.
With progress moving forward, DISA officials are focused on the security aspect perhaps above all else. In the wake of the recent security breach of the Office of Personnel Management's networks, all eyes are on government IT security, which at DoD centers on the DODIN.
"Implementation of the CAP will mitigate potential damages to the DODIN and provide the ability to detect and prevent an attack before it can reach the DODIN," Wilmer said. "The CAP will provide a consistent level of security that facilitates the implementation of commercial provided cloud services to support DoD mission applications."
Once fully operational, the CAPs are designed to perform intrusion detection and prevention, next-generation firewalling, network flow analysis, data loss prevention, and anomalous network behavior-detection to identify and prevent malicious behavior from the cloud environment, Wilmer said.
With such a fast-moving security landscape, don't expect the requirements, capabilities or key players to remain static.
"What do you do in the cloud from an application standpoint to provide security, versus what you do maybe at the CAP or access points? I think that's going to evolve over time," Dave Stickley, DISA services executive, said in June. ■