The U.S. Department of Defense (DoD) has continued to move services into the Cloud, “driven by cost reductions, technical efficiencies and security considerations.” That’s right. One of the most secretive organisations on the planet, in this current political climate, on a significant war footing, thinks Cloud is more secure than on-premises.
Better yet, the DoD is talking about it, offering a unique insight into the ability to leverage Cloud while protecting your state secrets.
Halvorsen’s office hosted the first of what it characterized as a series of DoD CIO Cloud Industry Days – meetings intended to promote a continuous, open dialogue with industry that will shape DoD’s approach to the business of information technology, or IT, and cyber. – Source
The latest stoppage on Cloud adoption has been security, notionally blamed on Snowden for blowing the lid on the Five Eyes global surveillance that involves malware, back-doors into IT giants, corrupting encryption, and a host of other dirty tricks. This fear factor has provided countless old-school IT shops a shrieky excuse not to go into Cloud and an army of old-school security personnel a job for a few more months.
Two important programs involved in DoD’s transition to the cloud are FedRAMP and the Federal Data Center Consolidation Initiative, or FDCCI.
FedRAMP is a government-wide program that offers a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services.
FDCCI aims to reduce the number of federal data centers by optimizing them, consolidating them or closing them.
It’s all about data categorisation, of course: less sensitive data requires less security and, conversely, more sensitive data requires more layers of security, some of which may require providers to meet new proposals around protections.
The CIO says he’s wrestling with how much of DoD’s data is truly sensitive, using the example of budget data from 1949, which was sensitive at the time but is not sensitive now. Yet it is still stored with data that has relatively high security protection.
“I think [relatively sensitive data] is a much smaller portion of our data than we think it is,” he added.
Often the discussion about Cloud security is had in the wrong place: the security team. Now, I’m not trying to beat these guys and girls up; the issue is that the business doesn’t categorise data, so the security team ends up in a default position of treating all of it as sensitive. Until business hands over the responsibility of categorising data to the appropriate team, they’ll just be confused all the time.
It’s also about government standards. Too many countries have confusing and contradictory advice from multiple central-government agencies when they need a U.S. approach like FedRAMP or the U.K. version, G-Cloud. DoD is also using a Cloud Broker model, which far too many agencies still aren’t doing.
The Department of Defense (DoD) Chief Information Officer (CIO) is committed to accelerating the adoption of cloud computing within the Department and to providing a secure, resilient Enterprise Cloud Environment through an alignment with Department-wide Information Technology (IT) efficiency initiatives, federal data center consolidation and cloud computing efforts. – DoD Cloud Broker
The fact remains, if the U.S. DoD can safely move to the Cloud, and see it as a more secure option, then there is no excuse for the rest of us.