Department of Defense And Cloud Security Management

Migrating Department of Defense applications to public cloud platforms operated outside of the Department of Defense DMZ typically raises concerns about the efficacy of security protocols. Currently, the DoD data-centers rely on firewalled barriers that are designed to prohibit interactions with those outside of its perimeter. The effectiveness of these safeguards can be argued on a number of levels. The DoD contracts out the management of much of its data, meaning those in charge of its data are neither military nor civilian employees.

Regardless of this outsourcing, the transfer of compute resources to third-party platform providers will be subjected to stringent security guidelines. What may be viewed as a minor security incident could result in a revocation of security certification for the cloud services provider.

High-level DoD executives realize that cloud computing offers a significant opportunity for cost savings, scalability, and fail-safe features that offer advantages when compared to the current DISA data-centers. Decision makers are now asking whether the externalization of the DoD workload to a public cloud will cause a degradation in network security. Will the governmental auditors reject a public cloud because they cannot fully guarantee security? But the fact is that many public cloud offerings offer the same level of data security, obfuscation and redundancy that is offered in the DoD's internal data-centers.

DoD data-centers lock up server farms as well as associated power inside a physical structure in order to gain security. Additional controls installed include:

– Perimeter firewalls
– Demilitarized zones (DMZ) for isolating incoming transactions
– Network segmentation
– Intrusion detection devices and software for monitoring compliance with security protocols

Currently, there is a plethora of companies selling hardware devices and software packages claiming to increase data-center security. But as security threats rise, data-center management teams keep adding disparate security management devices, thus increasing not only operating costs but also the delays that are incurred as transactions make their way through multiple security barriers.

The accumulation of these disparate security features only increases the vulnerability of systems and adds to potential security loopholes. Each data-center will ultimately have security measures that are unique to its individual situation. Therefore they are not amenable to coordinated and standardized oversight.

Cloud platform providers gain from the benefits of virtualization. Virtual machines from multiple providers are co-hosted on physical resources without any cross-access between them that could jeopardize security. This makes virtualization the key technology that enables the migration of applications into a cloud environment where security is provided via the hypervisor that controls each separate virtual machine. A standardized third-party security appliance can be connected to this hypervisor, allowing for consistent security services delivered to every virtual machine even if they run on differing operating systems.

Users must stop viewing protection of applications at the data-center or server level as the basis for achieving security. Instead, we have to view each individual virtual computer, with its own operating system and its own application, as fully equipped to benefit from standardized security services.

A data-center may encompass thousands of virtual machines. Cloud security will be achieved by protecting virtual computers through the hypervisor on which they operate. This way, every virtual machine can be assigned a subset of security protocols that carries its protection safeguards as well as its security criteria. If a virtual machine is moved from a DISA data-center to the cloud, the security of the relocated virtual machine will not be compromised. Multi-tenancy of diverse applications from varied sources is now feasible, since the cloud can run diverse applications in separate security enclosures, each with its own customized security policies.

In a cloud environment the addition of a new application is simplified. Integration with security measures can be instant and seamless because the hypervisor already supports your current security protocols. And if a virtual machine can carry its own security measures with it when migrating from one cloud to another, these integration efforts can be reduced further.
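The hypervisor-enforced, per-virtual-machine policy described above can be illustrated with libvirt's network filter mechanism, shown here as an added example that is not part of the original post. The filter name `dod-web-enclave` and the guest name `payroll-web-01` are assumed for illustration; `clean-traffic` is a filter libvirt ships by default. The policy is attached to the guest's virtual interface by reference, so it is applied by the host regardless of the guest operating system and follows the guest when the same filter definition exists on the destination host.

```xml
<!-- Hypervisor-side policy: defined once, reused by every guest in the enclave.
     Lower priority values are evaluated first. -->
<filter name='dod-web-enclave' chain='root'>
  <!-- Built-in libvirt filter: blocks MAC, IP and ARP spoofing by the guest -->
  <filterref filter='clean-traffic'/>

  <!-- Allow only HTTPS inbound to the application -->
  <rule action='accept' direction='in' priority='500'>
    <tcp dstportstart='443'/>
  </rule>

  <!-- Allow established/related return traffic for outbound connections -->
  <rule action='accept' direction='out' priority='500'>
    <tcp state='NEW,ESTABLISHED'/>
  </rule>

  <!-- Default deny: any inbound traffic not matched above is dropped -->
  <rule action='drop' direction='in' priority='1000'/>
</filter>
```

```xml
<!-- Fragment of the guest (domain) definition for the assumed guest payroll-web-01.
     The guest only references the filter; enforcement happens in the hypervisor. -->
<interface type='bridge'>
  <source bridge='br0'/>
  <model type='virtio'/>
  <filterref filter='dod-web-enclave'/>
</interface>
```

Defining the filter is done with `virsh nwfilter-define`, and the attachment can be confirmed with `virsh dumpxml payroll-web-01`; a guest whose interface lacks the `<filterref>` is the condition an auditor would flag.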

In Summation
Security services for a cloud environment can now be pooled and standardized to support a large number of virtual machines. Such pooled services can be managed to give DoD data-centers vastly improved shared security awareness.

The overall management and monitoring of enterprise-wide security will still remain an intensive task. However, as compared with the current diversity in security methods, the transfer of applications onto a cloud platform will further reduce costs and simplify the administration of security.

Whether the Department of Defense can efficiently implement its own private cloud, or whether it will have to rely on commercial cloud providers, is yet to be known. The DoD could rely on commercial firms for most cloud computing services while retaining direct oversight over security. This could be accomplished by managing all security appliances and policies from DoD Network Control Centers staffed by internal DoD personnel.

For more information regarding security of Cloud platforms and how the government is approaching Cloud Computing and Software-as-a-Service, visit
