Facing a growing number of cloud computing initiatives, Department of Defense officials want to ensure future contracts build in improved data protection standards and urge industry partners to bring emerging technologies to make use of improved analytics.

Programs such as the DoD’s upcoming multi-billion dollar Joint Enterprise Defense Infrastructure (JEDI) will require new standards for shared risk and oversight if the Pentagon is to take full advantage of commercial cloud products, according to officials at a Thursday AFCEA conference.

Cyber officials discuss cloud needs at the AFCEA Defensive Cyber Operations Symposium In Baltimore. Photo: Matthew Beinart.
Cyber officials discuss cloud needs at the AFCEA Defensive Cyber Operations Symposium In Baltimore. Photo: Matthew Beinart.

Gregg Kendrick, executive director for Marine Corps Cyberspace Command, believes that DoD may need to rewrite its acquisition process to best process future cloud initiatives.

“[Acqusition 5000] is too old. It’s too latent. It doesn’t work,” Kendrick said, referring to DoD’s current acquisition process guidebook.” “I don’t think we’ll get pushback from the acquisition community, because I think they’re struggling as well. This is where we need to private sector to help us.”

Kendrick joined several cyber officials on a panel at the AFCEA Defensive Cyber Operations Symposium in Baltimore who called for a revisioning of data oversight requirements as DoD continues to embrace placing more of its data on commercial cloud servers.

“I like the idea of having personnel onsite in regards to the different commercial cloud providers. We have to share those capabilities, as well. We have those physical and technical capabilities that we should merge into the cloud, but actually being there onsite and invested is critical,” Kendrick said, who believes the department should better define shared risk in future contracts.

Rick Howard, chief security office for Palo Alto Networks, urged DoD leadership to understand that protection of sensitive data remains the department responsibility even if it’s now shared on a commercial cloud platform.

Howard wants to see DoD deploy the same secure solutions it already uses for its data centers, mobile devices and network perimeter to cloud platforms, rather than developing new systems that may introduce vulnerabilities.

“When you go to the cloud, I’m going to clear up a misconception, the cloud vendors don’t own the data. You own your data. The cloud providers are never going to give you access to their environments if there’s a breach. That is on you. If there’s a breach, you have to be able to respond to it,” Howard said. “You don’t want to deploy more security stuff, you don’t have enough people to manage the stuff you already have. You want to deploy the same things that you have in the cloud.”

Brig. Gen. Stephen Hager, deputy commander of operations for Cyber Command’s Cyber Mission Forces, said future contracts must include clearly stated responsibilities for oversight, security and auditing methodologies.

Hager also discussed several emerging technologies DoD should look to pursue to make the most effective use of its data as it looks to move more information to the cloud, including Cyber Moving Target and Computation on Encrypted Data.

Cyber Moving Target would allow cyber forces to dynamically move secure data pieces around in an operating system in the event of attack, or entirely swap out an operating system before a detected adversary is able to plant malware into a portion of a network.

Computation on Encrypted Data capabilities let officials conduct computations on encrypted data within the cloud without having to decrypt the sensitive information.

“It’s a very interesting methodology. It’s very slow right now, but I think there’s some more research that can be done for that,” Hager said.

Hager also cited 3-D Visualization tools as critical area for DoD to explore to better spot anomalies within its big data analytics tools.

“Whenever I see these places with a bunch of screens and two-dimensional things where people are looking at network traffic, flow, bandwidth utilization. When you look at the gaming world and the medical world where they take in lots of data and they’ve put it in a 3-D format and they can look at it with new types of technologies that we have, the human brain can see anomalies much quicker,” Hager said. “As we go to the cloud, to get a dashboard to make these things easier for our commanders to understand intuitively and quickly. Those are the types of tools that we should be looking for.”