DOD tackles information security in the cloud

DOD officials are determining how to make mandatory cloud computing work for the military's security needs.

The move to cloud computing has been a long time coming, and the federal sector has been slow to get on board with virtualized services. However, government agencies are facing compulsory use of cloud computing, and at the Defense Department, officials are determining how to make it work alongside the military's security needs.

Federal CIO Vivek Kundra released a 25-point plan in December for reforming government IT, and it included a requirement that agencies adopt a cloud-first policy for new IT deployments.

For DOD, the plan boosts efforts to overcome cultural and policy problems and technological barriers associated with information sharing and joint capabilities, officials say.

“We believe that initiatives such as the federal CIO’s plan to reform federal IT are accelerating DOD toward cloud computing and shared enterprise service,” said Dave Mihelcic, the Defense Information Systems Agency's chief technology officer.

However, cloud computing problems are numerous, beginning with security. DOD handles a significant amount of sensitive data, a situation that complicates the migration of data — and control — to a server that resides off-site.

Because of the inherent security problems, DOD is considering running cloud computing in-house, with services managed by contractors or through commercial products and services. It appears that all of those options or a combination of them are likely to be part of military cloud computing.

DISA is choosing a private cloud that contracted services will support and that could eventually be available across DOD, Mihelcic said.

“In order to secure not only our classified data but also our official-business sensitive but not classified data, we are implementing a private cloud to support these requirements,” Mihelcic said. “This private cloud is under positive DOD control, hosted in our secure Defense Enterprise Computing Centers, managed by appropriately cleared and certified personnel, directly connected to the DOD’s enterprise networks and securely configured to meet DOD's Security Technical Implementation Guides.”

Mihelcic said that to facilitate a public/private partnership, DISA is establishing secure interaction zones that provide a protective layer through which DOD partners can access information and services hosted in the department's private cloud.

Both cloud environments will require public key infrastructure authentication, and they eventually will also implement attribute-based access control. The two security controls “give us the ability to broadly share information while still limiting access to the appropriate set of users,” Mihelcic said.

The Army is also pursuing cloud capabilities. The Army Program Executive Office for Enterprise Information Systems will issue solicitations for the Army Private Cloud (APC2) program, which is intended to facilitate noncommercial enterprise application hosting, though the military service has not announced a schedule for the program. Contract opportunities to provide modular data centers, which could be deployed in theater, are also in the works, said Hari Bezwada, Army PEO-EIS portfolio integration officer and CIO.

"The Army has 160-plus installations and over 400-plus NIPR access points," Bezwada said. "Cloud computing is becoming one of the tools of getting control of those assets. APC2 and the containerized data centers will provide both fixed and tactical approaches to cloud computing."

Bezwada said he's floating the idea of a DOD IPv6 network built from the ground up specifically for military use. Such a plan could deal with security and bandwidth problems, which he said were the Achilles' heel for cloud computing.

But DOD must first overcome a culture that is averse to sharing, and that starts with proof that the system is working, Bezwada said.

“It’s an illusion to think data is less safe because there aren’t two Army guys sitting there with it. We have to prove successes so that people saying, ‘You can’t do this,’ can understand and get on board and no longer be barriers,” he said. “Success breeds success.”