Written by Justin Neroda, John Pisano, and Dan Tucker
Abstract
The deputy secretary of defense recently called on defense organizations to move as quickly as possible to the commercial cloud, saying our national security depends on it. But three security requirements are particularly difficult for defense organizations to meet. We take a closer look at what they are and how the Department of Defense can overcome them on its way to successful large-scale cloud adoption.
The Department of Defense (DOD) is pushing hard to move to the commercial cloud on a large scale. But defense agencies may be headed straight toward three hidden roadblocks. Security requirements that are little understood—and far from easy to meet—could stop their cloud migration efforts cold.
In September 2017, Patrick Shanahan, the deputy secretary of defense, issued a memorandum calling on DOD organizations to move as quickly as possible to the cloud—particularly the commercial cloud—to keep pace with fast-moving technological innovations that are “changing the character of war.”
Shanahan made it clear this is a matter of national security. Adopting emerging technologies like the cloud, he said, is essential to preventing “any potential adversaries of the United States from surprising us or overtaking our military advantage.”
Before a defense organization can migrate its systems to the commercial cloud, however, it must satisfy a range of security requirements intended to keep those systems—and the DOD network as a whole—safe from cyberattacks. In our work moving defense services to cloud technologies, we have seen that three of those requirements are particularly difficult for defense organizations to meet.
Navigating the three can be a cumbersome, often confusing process for many organizations, made even more difficult by a lack of expertise and resources. Those security requirements—though unquestionably necessary—now stand as looming obstacles to large-scale DOD cloud adoption.
In our work with defense organizations, we’ve identified the three roadblocks and seen first hand how to overcome them in moving to commercial cloud. Here are our key insights:
The requirement: Before a defense organization moves to the cloud, it needs to comply with the standards in the DOD’s Cloud Computing Security Requirements Guide. Such compliance is a requirement for an Authority to Operate (ATO).
The roadblock: While authorizing officials may have deep experience achieving an ATO for on-premises systems, the quickly changing landscape of cloud security regulations and environments offered by commercial cloud service providers can be difficult to navigate. As a result, identifying the best option which balances security with high velocity delivery of capability can require protracted analysis—posing a major hurdle for accelerated, large-scale cloud migration in the DOD.
How to overcome the roadblock: Provide the authorizing officials with the expertise they need by creating centers of excellence across the defense services to share lessons learned, accredited reference architectures, and best practices.
The requirement: Defense organizations also need a cybersecurity services provider (CSSP), an external entity that continuously monitors a computing environment to make sure it meets security requirements. While defense organizations currently have CSSPs for their non-cloud systems, to move to the cloud they need a provider capable of handling that type of environment.
The roadblock: The DOD’s current CSSPs simply do not have the resources to offer monitoring in the cloud on a large scale (they typically only support systems not in the cloud).
How to overcome the roadblock: Fund current CSSPs to add the cloud role. Look to commercial CSSPs to provide some portion of the services, reducing the burden on DOD and speeding large-scale cloud adoption (presently, no commercial CSSPs have been approved for the DOD).
The requirement: A CAP is a connection, or gateway, between the Defense network (the NIPRNet) and the commercial cloud provider. It ensures that data moving back and forth meets security requirements, and that the defense organization is not exposed to security threats.
The roadblock (There are actually two): 1) The DOD has only one such access point, which does not have the ability, by itself, to handle a large-scale migration to the commercial cloud. 2) The process of getting into a CAP is complex and difficult for many organizations to navigate.
How to overcome the roadblock: 1) Increase capacity by creating multiple access points (“mini-CAPs”). 2) Simplify the process by automating some of the steps, and creating centers of excellence to share lessons learned and tap the expertise of seasoned experts, or “migrators.”
These three security requirements—largely confusing, and mostly off the radar—threaten to blindside the DOD’s critically important move to the commercial cloud. However, through our work with defense agencies, we’ve seen how the process can be successfully navigated. With knowledge sharing, targeted funding, and a few technical changes, the DOD can overcome these obstacles to achieve that same success on a large scale.
Digital Lead
