The Department of Defense (DoD) has made significant headway in adopting a multi-cloud architecture, and that movement is introducing powerful new capabilities. However, cloud providers and agency IT officials need to work together to prevent cloud complexity from negating cloud security, according to DoD cloud experts.
During MeriTalk’s Cyber Central event on May 17 in Washington, D.C., top DoD officials explained that the department’s move to multi-cloud investment and adoption has brought the growing role being played by zero trust cybersecurity into sharper focus.
Dovarius Peoples, chief information officer for the U.S. Army Corps of Engineers, said the department has begun to adopt the theoretical aspects of zero trust – inherent distrust which requires constant validation of users, devices, and general access. The next step is operationalizing zero trust in a hybrid cloud environment.
“At the Corps of Engineers, we work closely with state, local as well as Federal and department. So, we must understand what access is needed, what data is needed, and then how do we properly secure that data in our hybrid cloud environment,” Peoples said, adding that the Corps is identifying use cases and “building out [processes] to properly implement those type things.”
However, to get there, partnership with cloud providers is critical, according to Peoples.
“That’s where we’re beginning, seeking good input from our cloud partners to identify how to properly secure it and build it out, operationalize it,” he said.
Ryan McArthur, the Joint Warfighting Cloud Capability (JWCC) program manager at the Defense Information Systems Agency (DISA), reiterated Peoples’ comments on partnerships in securing the cloud.
According to McArthur, in ensuring partnerships with cloud providers are efficient – especially cloud providers under the JWCC contract – the first step is “understanding what they all bring to the table then identifying the best practices across the board.”
Recently, DoD also reported it will conduct security capabilities of the four multi-cloud contractors with “red team” attacks. The systems will be put to the test by ethical security professionals who act as adversaries to test and attempt to defeat cybersecurity controls and protection.
“On our side of the house, we are trying to see where those holes are and identify where we are not getting data from those cloud providers or third-party vendors at large for the Department of Defense,” McArthur said.
As agencies continue to accelerate migration to secure cloud services Scott Frohman, the DoD program lead for Google, explained that cloud providers and agency IT officials must work together to prevent cloud complexity from negating cloud security, especially in multi-cloud environments.
Frohman emphasized that “there are steps agencies can take to ensure that strong partnership in implementing multi-cloud environments.”
- Step one: Understand agency objectives.
- Step two: Recognize multi-cloud means different providers with different hardware; look at the software layer to achieve that consistent workload.
- Step three: Decide between open core or open source.
“[Additionally], as you go down the path of choosing a vendor and choosing a strategy, make sure that you go with an organization that is a leading contributor to that open repository,” Frohman said.