Cybersecurity in the Cloud
By RDML Danelle Barrett, USN, Navy Cyber Security Division Director, Office of the Deputy Chief of Naval Operations for Information Warfare (N2N6G) - Published October 17, 2018
The Navy is committed to being “all in” on transforming operations and business processes to leverage cloud technologies across the information warfighting platform through to the tactical edge. The operational advantages to warfighting with cloud technologies vice legacy client/server models are far reaching and include the ability to use micro-web services across the enterprise, as articulated in the Compile to Combat in 24 Hours (C2C24) architecture, and to store authoritative data once and have them reused by many different systems in the context needed for speed and accuracy of decision making.
This approach aligns with objectives in the National Defense Strategy and with the Chief of Naval Operations’ desire to leverage commercial industry technology and best practices to improve the speed of capability delivery and achieve operational advantages. Navy can leverage the services offered by commercial cloud vendors for big data analytics, artificial intelligence, and machine learning, which they are providing at a pace and scale that cannot be matched on Department of Defense networks. These services can also reduce our attack surface and improve cybersecurity and protection of our data in that cloud operating environment.
The Navy “Cloud First” memorandum, signed out in February 2017, established the policy for the Navy to “design, transfer, host, operate and sustain Information Technology capabilities with Commercial Cloud Service Provider hosting environments to the maximum extent possible for classified and unclassified systems up to Secret.” Additionally, that document outlined the basic tenets of the security requirements for hosting data in the cloud, to include compliance with the US Government and Department of Defense’s Risk Management Framework and ensuring the cloud hosting environment has a Defense Information Systems Agency Provisional Authorization.
Use of the cloud presents both risk and opportunity on the cybersecurity front. It requires a new understanding of risk and a construct of the shared cybersecurity model between the cloud vendors and the Navy to ensure protection of our pieces of the Department of Defense Information Network (DODIN) in the commercial cloud. A full, mutual understanding with our industry partners of this shared responsibility model and its risks removes ambiguity and clearly defines roles and responsibilities, providing the highest level of protection for our information. This includes work the Navy is doing with our Defense Industrial Base partners to ensure that the Navy information they use and host in the commercial cloud is appropriately protected.
In the C2C24 architecture, where applications are decomposed into microservices and follow stricter development guidelines, the processes for meeting cybersecurity testing and accreditation are carried out in the cloud. This not only allows us to field capability more quickly, it improves protection of information because the cybersecurity piece is built into the development and fielding processes in the cloud from the onset.
With these considerations, and acknowledging the need for a new shared cybersecurity responsibility construct, the area where the Navy is breaking ground is how we execute Command and Control (C2) of our information in the cloud. Working with the commercial partners with whom we have cloud contracts, we are clearly defining the swim lanes of this shared cybersecurity responsibility model to remove uncertainty over courses of action, expectations or accountability that could become a problem when there is a cybersecurity incident. This requires a very close day-to-day working relationship with the cloud service provider and clarity in contracts, as well as close coordination with the application owners who host their Navy information in the commercial cloud. Navy has established an internal governance structure to ensure that the operational side is properly managed and that cloud contracts contain the correct cybersecurity provisions. The Navy’s Program Executive Office for Enterprise Information Services (PEO EIS) was designated as the Executive Agent for the Navy Enterprise Cloud Brokerage and assists the seven authorized Navy Cloud Brokers with the contracting functions.
The Navy will continue to refine these C2 processes with commercial providers in a “one-team” approach to mission assurance, and will share our lessons learned with the rest of the Department of Defense.