Towards the middle of January, the Defense Information Systems Agency - a subdivision of the United States Department of Defense - released a new cloud computing security requirements guide, which we first heard talk of back in November. The primary purpose of this SRG is to make the process of acquiring commercial cloud services more efficient for DoD agencies (without undermining security, of course). Not surprisingly, this means that the SRG effectively renders obsolete the DoD’s original Cloud Security Model, under which only a few select vendors received authorization.
“In plain language, the new guide explains that components “remain responsible for determining what data and missions are hosted” by cloud service providers,” writes Frank Konkel of Nextgov. “Each use of cloud services will also require an enterprise IT business case analysis, with each analysis required to consider DISA-provided cloud services such as DISA’s milCloud offering.”
It’s a significant step forward for the organization, and one that cloud providers should pay close attention to. If you’ve the time, I’d recommend reading over the document (you can find it here). In the meantime, I’m going to offer up a few of the key takeaways hosts should draw from all of this.
You Are Responsible For Keeping Client Data Safe
At the end of the day, it’s your responsibility as a host to keep whatever information your clients store and manage in your cloud secure. That’s one of the first things laid out in the SRG - and it’s a principle that every host should understand. While you cannot control whether or not your clients bring in unsafe vendors or engage in unsafe security practices (you don’t have the same level of power as the DISA), your core platform nevertheless needs to be properly hardened.
Requirements Should Always Be Discussed – Security And Otherwise
As anyone who follows the organization well knows, the Department of Defense has something of a rocky relationship with the cloud. Back in 2013, the DISA axed a $450 million cloud computing contract due to a lack of follow-through and demand from the DoD. The deal would originally have required ten cloud providers to develop database hosting, web hosting, storage, and virtual servers.
It would have been a great deal for the chosen providers – but unfortunately, it never came to be.
“Initial indications are the demand will not require a contract with the ceiling estimated in this draft solicitation,” explained contracting officer Scott M. Stewart. “We are currently revising our acquisition strategy for satisfying requirements for hosting public non-sensitive data in commercial cloud environments. This strategy may result in a solicitation for a new contract at a significantly lowered ceiling or the leveraging of contracts previously awarded which contain the appropriate scope for meeting this demand.”
It goes without saying that someone should have seen this coming - government spending on IaaS offerings has, historically, been quite low. Somewhere along the line, communication must have broken down - someone didn’t accurately convey the DoD’s requirements (or the organization simply misunderstood them). As a hosting provider, this isn’t a mistake you can afford to make - resource and security requirements need to be hashed out with the client beforehand.
There Are Different “Levels” Of Security
One of the most noteworthy features of the draft document is that it takes care to distinguish between several different security levels where the cloud is concerned, based both on the scale of a particular system and the sensitivity of the data it manages. It’s worth mentioning that the DoD did already have a categorization system in place – the primary changes in the new SRG are differentiation in terms of scale. The new classification system will, for example, distinguish between national security systems and non-national ones.
So...what does all this mean for you as a host?
Easy – you need to understand what sort of clients your cloud serves. Chances are pretty good you’ve a fairly diverse client base; it also follows that each of your clients has their own unique set of security requirements. Be certain that you account for those requirements.
Security Is Nothing Without The Capacity To Follow Through
A bevy of cloud security measures looks great on paper - but as we touched on above, they’re more or less useless if one’s organization doesn’t have the capacity to enforce them. As a cloud provider, you cannot afford to be “all talk.” Security measures need to be strictly enforced to ensure that client data is kept safe and secure.
Historically, government organizations such as the Department of Defense haven’t had the best relationship with cloud security. An examination of their struggles – and the methods by which they overcome them – is a valuable case study for any cloud provider. Learn from their mistakes, and take stock of their successes, and your business will be better for it.
About Graeme Caldwell -- Graeme works as an inbound marketer for InterWorx, a web hosting control panel for hosts who need scalability and reliability. Follow InterWorx on Twitter at @interworx, Like them on Facebook and check out their blog, http://www.interworx.com/community.
Photo courtesy of Shutterstock.