Jul 21 2023

Why Securing the Cloud Will Take Time for the Pentagon

Vetting cyber solutions is labor-intensive, and the National Security Agency currently is searching for weaknesses in zero-trust overlays in the cloud.

Before the Department of Defense can shift from perimeter network defenses to cloud security, it must first verify that its zero-trust security systems work in the cloud.

National Security Agency red teamers began attacking the systems within the clouds of the Joint Warfighting Cloud Capability contract winners — Amazon Web Services, Google, Microsoft and Oracle — in search of weaknesses starting in the spring.

The DOD’s Zero Trust Strategy, released in November, made clear the department’s five-year plan to employ a layered approach to securing critical assets known as defense in depth, which continuously monitors networks for intruders, limits their movement and improves cybersecurity incident response. Red team testing will verify that the defense-in-depth method aligns with the pillars of zero-trust security before the Pentagon continues adding zero-trust capabilities and solutions in the cloud.

Click the banner below to learn about the benefits of hybrid cloud environments.

Military Branches Get Creative with Cloud Security

Like the rest of government, the DOD increased remote work during the pandemic and finds itself needing to ensure that personnel and warfighters can securely access the cloud wherever they are in the world. Defense in depth will enable the Pentagon to improve mobility, tactical communications and ease of use while enabling BYOD among the workforce.

Military branches are getting creative in adapting to this new environment by leveraging Commercial Solutions for Classified, an NSA program allowing agencies to quickly procure the trusted, layered commercial cyber solutions they need to protect classified data however it’s being accessed. Meanwhile, the Army is allowing BYOD on the Non-classified Internet Protocol Router Network (NIPRNet) for exchanging unclassified information among the private network’s users, and the use of mobile devices across branches is being enabled with their public key infrastructure for managing encryption. The branches also have added data protection in the cloud or at the edge.

For a major cloud provider to add a cyber solution at one of the DOD’s four impact levels (ILs), which indicate the severity of a potential compromise of the associated information systems and data, takes time. While branches can modify their security policies to shorten the time this process takes, it’s unlikely they’ll do so simply to ensure that CSfC offers all of the same commercial, off-the-shelf solutions already available.

That said, the number of approved products on IL listings continues to increase monthly.

MORE FROM FEDTECH: CSfC solutions deliver intel DOD can trust.

Cloud Security Starts with the Education of DOD Personnel

Managing zero-trust security systems in the cloud is significantly different than doing so on-premises and will require the education of users, managers and administrators.

Personnel also will need cyber hygiene training, especially due the DOD’s ongoing issue of technical debt. Space Force chief technology and innovation officer Lisa Costa said her branch plans to “leap over” that technical debt by moving to software-defined networking and modern, constantly evolving systems, but the workforce must be schooled in how to operate and maintain them.

Complicating training matters further is that different branches use different technologies and methodologies. While the Army instituted BYOD for NIPRNet, the Air Force implemented Desktop Anywhere through VMware’s Horizon commercial desktop and app virtualization product.

The DOD needs to increase its partnerships with industry — much like the National Institute of Standards and Technology has to rapidly deploy new frameworks — if it wants to hit its milestones for implementing zero-trust security in the cloud sooner and be confident its workforce has adjusted to the shift.

This article is part of FedTech’s CapITal blog series.

CapITal blog logo

Joseph Gruber/Getty Images

Learn from Your Peers

What can you glean about security from other IT pros? Check out new CDW research and insight from our experts.