DISA, DOD say cloud migration needs security, commercial partnerships

Panelists at the 2017 Defense Systems Summit agreed that cloud operators need to start protecting the data itself, not just the domain perimeters, and partnering with commercial providers

“Cloud it or kill it” is the motto of Scott Air Force Base’s initiative to shift its programs onto the cloud, according to John Hale, Chief of DISA’s Cloud Portfolio Office, speaking on a panel at the 2017 Defense Systems Summit. Though not all efforts are as cutthroat, the panelists stated that as more data moves to the cloud, the future will depend on going beyond perimeter protection and working with commercial industry. 

“The problem that we face is: How do we provide the right level of security services to the applications as they shift into those worlds where there may be a little bit of a broken line between traditional security?” said Hale.

Perimeter protection in terms of the cloud and cyber space generally means monitoring and restricting networks, password protections, and other means of access denial. However, that is no longer enough, according to the  panelists. Going forward, cyber protection on the cloud will have to start with the data itself.

“We need to figure out what it means to implement data protections that will allow us to rollback that perimeter protection. We need to start shifting to data security from where we are today, but…we can’t just abandon our boundary at this point because we still need that boundary to protect us,” said Robert Vietmeyer, Associate Director for Cloud Computing and Agile Development, Enterprise Services & Integration Directorate, Office of the DOD CIO.

 In recognition of this fact, DISA recently created a program called the Secure Cloud Computing Architecture (SCCA).

“SCCA is specifically designed to address those areas between the security measures that commercial cloud providers provide natively and what the DOD expects you to be able to do for their security posture, so [SCCA] is supposed to fill the gap in the middle there,” said Hale. “Then we are pushing the commercial cloud providers really hard for them to natively fill those gaps also,” he added.

Indeed, these commercial cloud providers are the other factor in the future of the cloud. According to Hale, where before mission partners were asking for data infrastructure services, now the demand is for software as a service. The panelists agreed that now more than ever, industry providers are uniquely able to meet this demand.

According to Vietmeyer, acquiring the majority of a software program from commercial providers means that in-house engineers only have to build in the last level of specialization, saving time and money.

“If we are acquiring the platform…maybe even the core application layer with the software as a service model, we now potentially become responsible for only that differentiator that makes the defense mission possible and we can be much more agile about it,” said Vietmeyer.

Another key advantage of working with commercial partners is that because of their wide market base, they generate enough revenue to be able to invest in innovating new capabilities.

“The cloud enables us to…deliver new capabilities for the warfighting community and do it in a secure, dependable, repeatable way,” said Vietmeyer.