Exactly what military data should reside in the cloud?

The cloud promises to help the military achieve data storage efficiencies leading to cost benefits, but it first needs to figure out which types of information can safely reside in the cloud and which are best left in a conventional data storage environment.

Doug Gardner, technical director of the Program Executive Office for Mission Assurance and Network Operations for the Defense Information Systems Agency (DISA) in Fort Meade, Md., noted that efforts now being made to protect cloud data will eventually lead to better overall IT security. “You go to the cloud not just for the efficiencies that it might provide you in terms of using just the resources that you need as you need them, but also ... by going into an environment where you centralize the controls and the protections,” he said. “You’re able to beef them up relative to the decentralized model that we’ve been working with for a long time.”

Model Matters

As it looks to the cloud for its future storage needs, the Defense Department is evaluating cloud environments as well as the data that will likely be sent into them. Andy Purdy, chief cybersecurity strategist at CSC, a Falls Church, Va.-based technology consulting firm, notes that the type of cloud model (public or private), as well as the software and hardware used to safeguard data, all play major roles in creating a suitable cloud environment for various types of data.

Related coverage:

Cloud migration requires well-mapped acquisition strategy, panel says 

Intel community cloud faces bigger problems than security

Purdy feels that public clouds are still a danger zone. “Public clouds are exactly that—open to all—and should be treated as such from a risk and security perspective, meaning any type of data that’s sensitive in nature most likely should not be hosted on a public cloud,” he said.

While public clouds aren’t currently suitable for most types of military data, private clouds also need to be augmented with heavy-duty security technologies, practices and procedures to make them appropriate destinations for military-grade information. “A dedicated private cloud should be examined as a potential data store for sensitive information [only] if all the necessary security controls are in place,” Purdy said. He observed that private clouds rely on security policies governing the data they can store. “Certain policies may dictate how and when data may be transferred (or) disseminated depending on the classification of the data,” Purdy said.

A private cloud’s strong security architecture gives data a greater level of protection than would be available on its public counterpart. “The (private) cloud ... needs to be properly integrated with a number of DOD enterprise architecture standards,” Purdy said. “For example, DOD's common answers to anti-virus and malware management, such as McAfee Host Based Security System, need to be capable of withstanding a cloud storm attack,” a type of distributed denial-of-service attack, he added.

“The DOD really does try to implement [the] best practices that are being used across the rest of industry,” Gardner said. “I don’t know that we have any specialized things that aren’t popularly known by security professionals everywhere.” Encrypting data both at rest and in transit, as well as using access controls based on trusted credentials are other techniques DOD uses to protect cloud data. “We are trying to implement those (measures) within normal budget constraints and other tradeoffs,” Gardner said.

Yet another step toward providing a secure cloud environment is ensuring that the end user fully understands how the cloud is structured and used. “DOD practices [such as password management and network configuration] may also need improvements in order to meet cloud systems' needs,” Purdy said.

Mike Giesler, senior director of systems engineering in the public sector unit of NetApp, a storage systems vendor located in Sunnyvale, Calif., agreed that end users play a critical role in ensuring cloud data security. “While much of the cloud focus is around data and data centers, the conversation must also extend to what happens to this data when it is presented and accessed,” he observed. “For end users, processes and procedure play a key role in preventing inappropriate access to or corruption of cloud data.”

Gardner observed that the DOD already uses tight guidelines to determine exactly who can get into cloud-stored information. “We have levels of storage that are not just tied to our levels of classification, but are tied to further distinctions within those classifications in terms of 'need to know',” he said. “That can be a discriminator on what data you can access and what privileges you might have relative to an application."

Public versus Private

When adequate safeguards are provided, the cloud is suitable for storing nearly any type of military data, said Cedric Jeannot, president of I Think Security, a Waterloo, Ontario, Canada, security software vendor. “If the cloud is properly set up and maintained it can in some cases be as secure, or more secure, than on-premise servers,” he said.

While public cloud infrastructures aren’t currently useful for storing most types of military data, as mentioned earlier, Carl Wright, former chief information security officer in the Marine Corps's Designated Approval Authority, can think of one area where it actually makes little sense to use more expensive private cloud storage.

“One case where you can make the argument for [public] cloud services is around websites,” said Wright, who is currently executive vice president at Coraid, a cloud storage systems vendor headquartered in Redwood City, Calif. “Every military organization has a forward-facing website, with general information about that organization. I don't see any reason why that needs to be hosted in a government infrastructure.” Commercial-quality security technologies and practices are generally seen as adequate for keeping public cloud-hosted websites safe from hackers.

Although it may make sense to place public websites in the public cloud, the approach isn’t likely to lead to any significant performance or cost benefits. “It’s such a small piece of the overall information architecture,” Wright admitted. “I mean, it wouldn't save the government that much money.”

Despite the public cloud's current limited usefulness, DOD is looking forward to the day when all but a small fraction of the most sensitive military data is placed into them. “There’s a fairly significant set of pressures driving us toward trying to use the public clouds,” Gardner said. “Primarily, there’s a perceived set of efficiencies and cost advantages.”

Within working groups and informal discussions, DOD IT and security leaders are pinpointing the technologies and procedures that will enable military organizations to make greater use of the public cloud. “The challenge that’s being discussed across the DOD right now is what data would be appropriate for moving into a commercial public cloud and what controls we might realistically expect on a cloud that’s essentially not managed directly by the government,” Gardner said. “That’s a debate that’s ongoing; I’m not sure where that’s going to end up, but I know that there’s a lot of very thoughtful people that are starting to work that one out.”