Internal cloud systems based on DoD servers promise stronger security in a more closely controlled environment, but at a higher cost than commercial cloud services. (Lance Cpl. Jackeline M. Perez Rivera / U.S. Marine)
The military would love to tap commercial cloud capabilities, for the same reasons that other kinds of organizations do, including cost and flexibility. However, the service branches need security measures that go beyond those prescribed by the Federal Risk and Authorization Management Program (FedRAMP), the government effort to speed cloud adoption by federal agencies.
The Defense Department has taken several steps to implement its overall cloud computing strategy, including designating the Defense Information Systems Agency (DISA) as its cloud broker. As currently structured, the DoD Enterprise Cloud Environment includes separate implementations and data exchanges on the Non-secure Internet Protocol Router Network (NIPRNet), Secure Internet Protocol Router Network (SIPRNet), and Top Secret Sensitive Compartmentalized Information (TS SCI) security domains.
The DoD’s Cloud Computing Strategy states that “all cloud services must comply with Department Information Assurance (IA), cybersecurity, continuity and other policies.” DoD will use commercial cloud services, according to the document, only if they “offer the same or a greater level of protection necessary for DoD mission and information assets.”
Geoff Webb, senior director of solution strategy at NetIQ, a security management software company, expects the DoD will continue expanding its utilization of cloud services in an effort to reduce costs and increase service agility.
“This expansion of use will undoubtedly include a combination of public, private, and shared cloud services, depending on the type of service and type of information being stored,” he said. “This [approach] will also enable them to continue to accelerate a move to mobile computing platforms — a move which is often tied closely to cloud services.”
Yet Webb expects DoD to continue storing its most sensitive information on a private, internal cloud infrastructure, noting the agency faces an “overarching requirement to protect some of the nation’s most sensitive data from private attackers, such as politically-motivated activists, as well as foreign nation-states and terrorist organizations.”