The Department of Defense wants to tap into the commercial cloud to create a flexible and efficient computing environment, yet doing so will require additional security measures designed to address requirements directly related to sensitive and classified data.
"DISA [Defense Information Systems Agency] and the DoD have carefully studied existing standards and practices, such as ISO 27001, CSA STAR and the FedRAMP guidance set, to determine their suitability for DoD purposes," said Stacy Cleveland, vice president of global practices for Hewlett-Packard Enterprise Services' U.S. public sector division. She noted that the agencies have already identified shortcomings within these standards, particularly in the areas of boundary defenses, privileged users, audits and incident response. "To address these concerns they have created new standards to protect the DoD data that moves to commercially hosted cloud services," she said, adding that DISA and the DoD are currently "exploring the right balance of security and risk" in multitenant environments.
"We believe that DoD agencies are poised to take advantage of cloud services in 2015," said Steven Spano, general manager for defense and national security at Amazon Web Services (AWS). Spano, a retired Air Force brigadier general, noted the military is no longer looking to the commercial cloud just for storage capacity and compute power. "With their increasing understanding of what cloud offers, they are now seeking better ways to improve their missions while enhancing security and reducing costs by leveraging data analytics and other tools."
Easier said than done
Commercial cloud computing is an easy concept to visualize, said Fernando Luis Perez, deputy for future plans and operations at Army Cyber Command. "However, implementing commercial cloud solutions in a manner consistent with current Army security doctrine will be a challenge to develop," he added. "The development will be determined by the type of service requested by the user — software as a service, infrastructure as a service [IaaS] and platform as a service — and the level of security of the data in the cloud service."
Perez noted the Army, like other DoD organizations, needs to consider a wide range of security issues as it moves into the commercial cloud. "[The] Army must address policies and procedures for Web security requirements, resolution of standards-based contract language at all levels, risk decision tradeoff between contract costs and minimal-security standard requirements, and the increased costs needed to resolve manual reporting processes and integrate [the] CSP into an automated risk-management framework or continuous monitoring accessibility," he said.
DoD and DISA cloud security interests go well beyond enhancing a cloud service to protect the data being stored or accessed. "It is about actually using those [service] capabilities to create an application environment within the cloud ecosystem that meets the DoD security guidance," Cleveland said. She pointed out this process includes "crystallizing the relationship between the agency and the CSP [cloud service provider] and establishing the oversight required by the agency to ensure compliance with requirements on a proactive basis."
Cleveland noted it's the CSP that's responsible for creating the capability to deploy and operate IaaS and other cloud resources securely. "There is also a systems integration role that must be fulfilled, sometimes provided as an add-on to the CSP service, responsible for configuring and operating the IaaS resources along with the application/data in a secure and compliant manner," she noted. "Finally, the [DoD] is responsible for performing the certification and accreditation activities to ensure the IaaS resources and the application/data are configured and operated in compliance with their requirements."
James Ryan, president of cyber defense consulting firm Litmus Logic, said good governance is the biggest challenge DoD and DISA face as they develop their commercial cloud security strategy. "Clouds are organizations — dynamic and full of people making decisions daily that are relevant to cybersecurity," he said. "How can the DoD govern [what] is an inherently governmental function without ultimate authority?" He noted the current military mindset is generally one of command and control, and that leading in the cloud without total authority over every decision will be a culture shock for many people within DoD organizations.
DoD organizations are already leveraging cloud solutions to conduct more efficient and cost-effective software and applications testing and development.
Good governance will be a highly important attribute within the commercial cloud since, according to Cleveland, the cloud — whether public, private or hybrid — amplifies the impact of any vulnerability arising from a weakness in a single server, service or application programming interface. She noted "security must be built into data and applications to mitigate this risk and that the risk management framework should be applied to accelerate the certification and accreditation process." Cleveland added that insider threats within the cloud construct also tend to be difficult to address with traditional security measures.
Further complicating the move into the commercial cloud is the fact that metrics for cloud computing security practices remain in development, at least so far as the Army is concerned. "At this time we do not have any metrics to measure data to determine cloud computing security practices as effective," Perez said.
Fine-tuning security requirements
DoD has created a high bar for cloud security, according to Spano. "At Levels 1-2 there are 25 additional security controls on top of FedRAMP, and for Levels 3-5 there are 43 additional security controls," he said. "Some of the DoD requirements necessary to protect data at Levels 3-5 include AWS Direct Connect routing to the DoD's network, comprehensive computer network defense coverage and common access card integration."
In a recent C4ISR & Networks webcast, "How the Military uses Cyber Security to Bring Total Visibility to Networks," Roger Greenwell, director of DISA's field security office, said the agency has spent the past several months updating its cloud security model, creating a new security guide and reducing the number of security levels from six to four "so that we can reduce the complexity that the DoD customers are having in terms of using the model." He added that the updates will make "it easier for industry and cloud providers to understand their requirements and what DoD is looking for."
Spano is pleased that DoD and DISA have recognized that existing procurement and approved vendor processes slowed adoption. The upcoming changes to the cloud security model, which is evolving into a cloud computing security requirements guide, "should clarify the security requirements with which commercial cloud providers must comply," he said.
"We are moving to the pace DoD is setting in its journey toward cloud adoption," Spano said, noting that AWS is currently working with the agency to provide guidance and to clarify any misperceptions regarding evolving legal and acquisition mandates. "We are confident DoD will reach the same rate of adoption, savings and mission benefits that many of our government, health care, education and nonprofit agencies are already experiencing," he said.
Spano said AWS has already seen DoD organizations leveraging cloud solutions to conduct more efficient and cost-effective software and applications testing and development. "Developers are able to quickly spin up a testing environment in the cloud, while agencies only pay for the compute and storage used in the testing," he said.
"It's this sort of ease and automation that can support an effective DevOps development model, enhancing the speed at which software and applications can be objectively developed, tested and then deployed as needed, either in the secure unclassified cloud environment or even a private classified environment."
Risk versus reward
Cleveland said while DoD and DISA have worked to make their risk framework more robust, the cloud remains an environment in which risk is different and harder to predict than in a conventional data center. "The DoD's commercial cloud adoption in the next two years will likely favor workloads that can be moved to private or community cloud offerings," she said. "This is an area where proven service providers can step up to advise and help transform the traditional IT practices currently in place in these government data centers."
Considering the importance of the security issues at play, Ryan predicts that DoD will continue its present course of slowly easing itself into commercial cloud computing. "It is human nature to dip our toe in first before we jump in with both feet," he said. "There are a lot of moving parts and budget constraints to navigate."