Military Branches Get Creative with Cloud Security
Like the rest of government, the DOD increased remote work during the pandemic and finds itself needing to ensure that personnel and warfighters can securely access the cloud wherever they are in the world. Defense in depth will enable the Pentagon to improve mobility, tactical communications and ease of use while enabling BYOD among the workforce.
Military branches are getting creative in adapting to this new environment by leveraging Commercial Solutions for Classified, an NSA program allowing agencies to quickly procure the trusted, layered commercial cyber solutions they need to protect classified data however it’s being accessed. Meanwhile, the Army is allowing BYOD on the Non-classified Internet Protocol Router Network (NIPRNet) for exchanging unclassified information among the private network’s users, and the use of mobile devices across branches is being enabled with their public key infrastructure for managing encryption. The branches also have added data protection in the cloud or at the edge.
For a major cloud provider to add a cyber solution at one of the DOD’s four impact levels (ILs), which indicate the severity of a potential compromise of the associated information systems and data, takes time. While branches can modify their security policies to shorten the time this process takes, it’s unlikely they’ll do so simply to ensure that CSfC offers all of the same commercial, off-the-shelf solutions already available.
That said, the number of approved products on IL listings continues to increase monthly.
Cloud Security Starts with the Education of DOD Personnel
Managing zero-trust security systems in the cloud is significantly different than doing so on-premises and will require the education of users, managers and administrators.
Personnel also will need cyber hygiene training, especially due the DOD’s ongoing issue of technical debt. Space Force chief technology and innovation officer Lisa Costa said her branch plans to “leap over” that technical debt by moving to software-defined networking and modern, constantly evolving systems, but the workforce must be schooled in how to operate and maintain them.
Complicating training matters further is that different branches use different technologies and methodologies. While the Army instituted BYOD for NIPRNet, the Air Force implemented Desktop Anywhere through VMware’s Horizon commercial desktop and app virtualization product.
The DOD needs to increase its partnerships with industry — much like the National Institute of Standards and Technology has to rapidly deploy new frameworks — if it wants to hit its milestones for implementing zero-trust security in the cloud sooner and be confident its workforce has adjusted to the shift.
This article is part of FedTech’s CapITal blog series.