One of the major wrinkles to iron out in the Federal government’s move to the cloud has been security. Concerns regarding security have prompted some agencies to move cautiously, and the government to create whole programs dedicated to ensuring it. But cloud also provides some security advantages, which the Department of Defense (DoD) is taking advantage of to provide services to warfighters and small-business contractors.
The Defense Information Systems Agency (DISA), for instance, recently launched milDrive, a cloud-based storage service that gives warfighters in any location a place to securely store and share personal files. Users with Common Access Cards (CAC) or Personal Identity Verification (PIV) credentials can use milDrive on the Non-classified Internet Protocol Router Network (NIPRNet) to share access-controlled, unclassified files and documents from any device, including mobile devices such as smartphones or laptops, DISA said in an announcement.
The service offers 20-gigabyte and 1-terabyte drives that can be used either by individuals or groups. Carissa Landymore, DISA’s cloud storage program manager, said that “milDrive allows users to store all their files in the cloud. It really ensures warfighters have continuous, reliable access to files without regard to device or location.”
Meanwhile, the DoD is taking a similar approach to enable participation of small businesses by creating secure cloud environments for use by companies that aren’t big enough to build their own. Ellen Lord, DoD undersecretary for acquisition and sustainment, told a Defense Innovation Board meeting in March that the Pentagon will offer innovative small companies containers within a government cloud or a cloud hosted specifically for government in which they can work securely with controlled, unclassified information.
Lord noted that large companies don’t need that kind of service, since they have secure cloud environments of their own. “What I’m concerned with is, especially, the small companies who our innovation comes from, where when we sit down and talk to them about cybersecurity, we sometimes hear, no kidding,” that their nephew or some other relative does their cybersecurity, she told the meeting, according to a report.
DISA’s milDrive likewise is hosted in DoD-owned or -managed facilities, in this case one of two belonging to DISA. Data replication happens between the two sites, so that users always have quick access to their files. If they change anything offline, milDrive will synchronize the data when the user regains access, DISA said. The service also lets users share files with other authenticated users, and authorizes them even if they don’t have a milDrive license. “They won’t be able to manipulate the data because they aren’t a licensed user, but they will be able to access it via a shared URL,” Landymore said.
Another advantage of milDrive is that it saves DISA money on IT and administrative costs that would be incurred if it farmed it out to a vendor that would have to host and accredit local solutions. In addition to providing secure storage and sharing of files, the service reduces DISA’s mail server space requirement and optimizes use of network bandwidth.
Security concerns have dogged the Federal government’s shift to the cloud, for a variety of reasons. Some agencies have balked at giving up total control of their own data. Some have found legacy networks to be a significant roadblock, and others have expressed concern over what to do with “dark data,” such as emails and other items that hold no real importance to operations but nevertheless pose a potential security risk.
The government addresses those concerns through the Federal Risk and Authorization Management Program (FedRAMP), which standardizes the approach to cloud security. The General Services Administration also offers agencies tools and a roadmap for using FedRAMP to move to the cloud.
The National Institute of Standards and Technology meanwhile is working with an industry consortium on a trusted cloud model that “will not only provide assurance that cloud workloads are running on trusted hardware and in a trusted geolocation or logical boundary, but also will improve the protections for the data in the workloads and data flows between workloads,” according to NIST. The DoD’s recently released Cloud Strategy was designed with its Security Strategy in mind. And while some concerns over cloud security persist, DoD is finding places where the cloud can provide security.