“DISA developed the Secure Cloud Computing Architecture (SCCA) with a focus on providing required security and management services - alleviating mission partners of the burden - and enabling mission partners to progress through the authority to operate process,” said Bernard del Rosario, chief of the Defense Information Systems Agency’s (DISA) Emergent Services Division during the AFCEA TechNet Cyber Symposium in Baltimore May 14.
What is the Secure Cloud Computing Architecture?
DISA’s Secure Cloud Computing Architecture (SCCA) is a set of services that provides the same level of security the agency’s mission partners typically receive when hosted inside one of DISA’s physical data centers.
All Impact Level 4 and 5 data, as defined in the Department of Defense’s Cloud Computing Security Requirements Guide (SRG), hosted in commercial cloud environments must use the Cloud Access Point component of the SCCA to connect to the Defense Information Systems Network (DISN). Impact Level 4 and 5 data must also be secured according to criteria defined in the SRG.
“Security in the cloud is sometimes an afterthought during the assessment and selection phases of a cloud migration,” said John Hale, DISA’s cloud services chief. “We encourage mission partners to consider who will secure and manage their workloads hosted in the cloud early on in the assessment phase. This way, security does not become a roadblock toward the end of an otherwise successful migration.”
SCCA has three components: Cloud Access Points (CAP), a Virtual Data Center Security Stack (VDSS), and the Virtual Data Center Managed Services (VDMS).
The CAP is included in the DISN rate, which means there is no direct charge to end users. VDSS and VDMS are charged in a traditional rate-based model.
“VDSS and VDMS are capabilities outlined within the SRG, however DISA does not require mission partners to utilize the agency’s enterprise offerings. Mission partners may develop or acquire their own, and simply provide DISA with documentation to gain access through the CAPs,” said del Rosario.
Each component plays a unique role in securing the network, applications, and user access in the cloud environment.
Cloud Access Points (CAP)
“The CAP is what connects the DISN or the Non-Secure Internet Protocol Router Network (NIPRNet) to the cloud environment,” said del Rosario.
The CAP has two major functions: It provides mission partners with dedicated connectivity to approved Level 4 and 5 commercial cloud providers, and it protects the DISN from any attack that originates from the cloud environment.
“The CAP does not protect cloud workloads or data. The remaining capabilities within VDSS and VDMS provide the security and management services required to protect cloud deployments,” said del Rosario.
Virtual Data Center Security Stack (VDSS)
VDSS serves as the virtual security enclave protecting applications and data hosted in commercial environments. It includes two core services: Web Application Firewall (WAF) and Next Generation Firewall.
Together, VDSS’s WAF and Next Generation Firewall detect and prevent threats facing web applications and workloads.
“If you imagine a traditional data center security stack, VDSS was created to mimic those same capabilities, just in a virtual fashion,” said del Rosario.
Virtual Data Center Managed Services (VDMS)
Management, security, and privileged user access are all handled within VDMS.
Five services fall within VDMS, including the Host-Based Security System and Assured Compliance Assessment Solution. They enable mission partners to configure and deliver security policies, push upgrades, and manage roles and security policies.
“VDMS is the hub for all management services like patch repositories and host based security services,” del Rosario said.
A copy of the Secure Cloud Computing Architecture presentation is available on DISA.mil.