The U.S. military, like other federal government entities, is transitioning to the cloud due to a variety of critical factors, particularly mission interoperability and diminishing budgets. However, military IT decision makers still have many questions impacting the pace of migration.
  • What are the real benefits of the cloud?
  • When is it best to move to a private or public cloud environment?
  • What are cloud service brokers and what role do they play?
  • How secure is the cloud and what can be done to assure the safety of some of the most sensitive data in the world?

To help provide answers to these questions, the U.S. Transportation Command (USTRANSCOM) hosted the 2014 CIO Industry Partnership Forum last week at Scott Air Force Base, IL. Brig. Gen. Sarah Zabel, USTRANSCOM CIO, invited industry representatives to brief more than 100 leaders from USTRANSCOM and various other Combatant Commands, along with additional special guests, during this full-day event focused on cloud computing considerations for the military.

NJVC was honored to be invited by Zabel to present a special session on cloud security—an increasing focus in cyber security. Steven Thomas, NJVC director, technical operations, and chief engineer on one of the company’s programs with a large defense and intelligence customer, led the presentation, which shared knowledge and lessons learned from overseeing the move of the customer’s mission data and applications to the cloud. NJVC directed the transition of the customer’s data center environment from a legacy stove-piped set of physical servers to a modernized cloud architecture and managed service framework. NJVC also hosted and transitioned more than 300 distinct mission systems or production entities for this customer. This important work to transition systems between data center environments gives NJVC unique, first-hand cloud migration experience in support of one of the most demanding IT environments in the world, and allowed us to establish a proven, standard, scalable process to support any system migrating between physical and cloud architectures.

Among the key takeaways from Thomas’s presentation are:

  • After deciding to transition to the cloud, but before the migration of any data, an IT organization must begin the implementation of a five-stage strategic framework for cloud security to ensure secure mission operations within the cloud. The five stages are Assess, Plan, Transition, Sustain and Mature. All stages are absolutely critical to the development, operation and sustainment of a secure cloud ecosystem.
  • Transitioning from a legacy physical, distributed IT environment to a cloud environment fundamentally changes an entity’s security threats, security exposure, security risk and security posture. Understanding the shared security model is one of the biggest hurdles to overcome in securing cloud environments. 
  • Cloud security responsibilities are shared by the cloud services provider or CSP (to maintain/patch the foundational services, networks and operating systems) and the customer (to secure and patch the application and data layers).
  • Before choosing a CSP, IT organizations must ask several essential questions specific to security, for instance, and at the most basic level, “Is security a stated service offering(s) and if so, what does that service(s) provide?”
  • Best practices in moving to the cloud are analogous to moving to a new home. Some examples are: Stop hoarding and remove clutter (decommission, don’t move unnecessary applications and missions), don’t move things that are broken or damaged (don’t move applications that have known security problems, for example) and change your locks once you move in (change all default passwords and admin passwords provided in the cloud).

Thomas emphasized that specific to the military, cloud environments should improve overall security levels and establish an enhanced security posture. However, certain factors must be considered: detection capabilities must be cloud-specific and provide near real-time data to consumers, authentication/authorization must be robust and be integrated with Department of Defense (DoD) identity management models, security sensors need to monitor both the interior and exterior of the cloud and send alerts to both the CSP and mission system owners, and operational capabilities must be constantly maintained and allow for agile rapid deployments. All organizations operating within a cloud need to leverage DoD and FedRAMP processes and approved security authorization requirements as a baseline when initiating, reviewing, granting and revoking security authorizations for cloud services. CSPs also need to meet DoD and FedRAMP requirements for contractual provisions, along with other important considerations.
