At the Defense Department, the exploration of commercial cloud is gaining momentum with a new security requirements guide, a handful of pilot programs and a test run of cloud access points that will be a nerve center going forward.

DoD's cloud strategy has evolved significantly in recent months. The department declared that the Defense Information Systems Agency would no longer be the Pentagon's cloud broker, empowering defense components to do their own cloud-service buying. A new security requirements guide released in January streamlined the security classifications for data and vendor requirements. With the promise of savings and improved mission effectiveness, DoD leaders are now accelerating their adoption of commercial cloud services, starting with public-facing data.

The department also has five pilot programs under way, including one with Amazon Web Services that is testing higher-security, level 4 sensitive data. So far, AWS is the only provider to meet the requirements to do so, but officials hope that the pilots will help to better define how DoD does cloud.

One of the biggest emerging issues in DoD's cloud strategy is the use of cloud access points, where commercial providers will connect to the secure DoD network. Outside of a couple of small pilot programs being run by DISA and the Navy, the access points are still in development, but they will be a requirement for commercial providers doing high-security cloud business with the Pentagon as officials look to reduce the attack surface for potential breaches.

"The cloud access point currently is the leveraging point of our information assurance defense [for] applications that run in the cloud," said Pete Dinsmore, deputy CTO for mission assurance at DISA. All traffic, either from Internet-facing users or DoD users using virtual private networks to access DoD networks, "comes through the cloud access point to protect users from malicious software."

According to DoD CIO Terry Halvorsen, the cloud access points remain under construction as officials use the pilots to figure out the best way forward. But they're looking to move fast, Halvorsen indicated.

"When I get that right, I actually further reduce my security problem," he said. "Some of it is just about physical footprint. If I have fewer points where I connect to the broad commercial network, it's easier to secure. DISA is moving very quickly; this is actually one place where I'm happy with the movement. We can't tell industry the exact solution yet – we really have to make sure we've done the right threat analysis. But I suspect that within the next 90 days we'll be able to start standing up the cloud access points."
