Smartly migrating data to the cloud is an imperative for all of government, but shifting sensitive, mission-critical data into the cloud can be a security concern for federal agencies such as the Department of Defense (DoD).
Many federal agencies, including DoD, are transitioning to hybrid cloud environments using on-premises infrastructure in addition to cloud infrastructure, which raises questions about how to balance operational performance and cloud security. When working with different cloud service providers (CSPs) and systems integrators, agencies often have questions like, who is responsible for securing data, and when? How are security controls put in place? How should stakeholders balance mission access and cybersecurity?
If downrange access to data is difficult, users might struggle to access the critical information they need at the speed of mission relevancy. On the other hand, freely accessible data has its risks, especially for sensitive missions.
Managing sensitive data in the cloud to meet security and mission objectives requires a balance between cloud policies where users can access the data they need to accomplish their mission, and robust security policies ensuring mission-critical data is protected.
The Role of Cloud Security Policy
Most cloud security breaches come from misconfigurations being discovered and exploited, which end users are typically unaware of. Federal agencies need top-down policies and education to ensure configuration management and compliance to guard against developmental errors.
A zero trust approach will improve cybersecurity by setting rules and conditions for how data is accessed. For example, if a system administrator needs keys to access data, policies need to be in place to ensure they can demonstrate a legitimate need for the keys, a defined period for access, and a specific use for the data.
Effective cloud security comes down to building good security habits within an organization, such as designing cybersecurity at the front end of the development process (i.e., DevSecOps) and adopting zero trust principles. Automation and artificial intelligence (AI) can improve security processes while accelerating responses to intrusions and bad cyber actors.
74% of data breaches are due to human error regardless of whether that data resides in the cloud or in on-premises data centers, according to Verizon’s 2023 Data Breach Investigations Report. To address this, we emphasize the need for thoughtful cybersecurity policies, cyber awareness training, and a holistic approach to cloud security.
Tailoring Cloud Security with Industry Partners
As DoD standardizes cloud adoption through the Joint Warfighting Cloud Capability (JWCC) contract vehicle, balancing security responsibilities with different CSPs within a shared security model will be critical for mission success.
Depending on the cloud operating model being implemented (SaaS, PaaS, or IaaS), the shared security responsibility will vary for agencies and offices within DoD. For example, the DoD may find efficiencies in inheriting CSP security controls, having CSPs maintain responsibility for control operating system upgrades, and assume responsibility for routine scanning and patching.
Allowing CSPs to be responsible for the lower-level cloud security risks and address vulnerabilities as they appear, which helps organizations to minimize their IT tasks and improve remediation.
This approach then allows the DoD to focus on highly specific security needs, such as threat-hunting capabilities, controlling how new workloads are stood up, and tailoring identity, credential, and access management (ICAM) policies to protect sensitive data as it moves through the tech stack.
DoD in the Cloud
Implementing one consistent ICAM policy across the board can help defense agencies meet 2027 zero trust goals. This includes controlling who can stand up new workloads and implementing appropriate security measures around those workloads.
Key Takeaways for DoD
- Refine configuration management. Know the policies you want to have and enforce them holistically throughout your organization.
- Build natural cloud security habits. Start with actionable cybersecurity policies, then get the people in your organization comfortable with working in the cloud and using cloud security features.
- Leverage the full capabilities of the native cloud tools to successfully build out a secure cloud.
DoD can accelerate their journey in cloud security by partnering with a systems integrator who can align technology, processes, and policies for secure, modern cloud solutions that maximize mission impact and operational excellence. Defense networks will continue to be top targets for bad cyber actors. Thoughtful systems integration across the board helps ensure robust cloud security.