IL5 Requirements Secure the DoD’s Move to the Cloud
The Department of Defense (DoD) is moving to the cloud at a pace not seen before for federal agencies. While shifting storage and computing capabilities to the cloud will bring many benefits to the warfighter, it also creates some unique security challenges for the agency. The DoD’s Impact Level 5 (IL5) requirements create a robust, multi-layered security framework that safeguards a wide range of sensitive information. This defense-in-depth approach ensures that if one security measure fails, other controls remain in place to mitigate breaches, maintaining the confidentiality, integrity, and availability of the data and systems that support the DoD’s mission-critical functions. Government Technology Insider sat down with Jerry Dotson, Vice President of US Federal, at Avaya and an expert in navigating the data security challenges with secure cloud solutions. In this conversation, we discussed how the DoD can leverage cloud solutions that meet IL5 requirements to protect its mission-critical unclassified data from cyberattacks and misuse.
Government Technology Insider (GTI): The Department of Defense (DoD) is moving rapidly to the cloud. What is driving this change?
Jerry Dotson (JD): This is an interesting question, because it really gets to the question of why an agency wants to move to the cloud and why the DoD’s investments are such a big deal? While many agencies are moving to cloud in response to the federal mandate, for many agencies like the DoD, the cloud serves as the foundation of their modernization plans.
Defense agencies are responsible for delivering unified communication and collaboration (UCC) across hundreds, or in some cases thousands, of bases of operation around the globe. This includes keeping tabs on hardware, operating systems, software updates, lifecycle management, procurement costs and more.
By moving to a cloud environment, defense agencies can create a centralized base of operations. In many instances, cloud can act as the foundation for other modern technology, such as automation and data sharing. But the cloud environment must be secure, especially for an agency like the DoD, which is charged with keeping the nation and the national interest safe. With a secure cloud environment, defense agencies can use automation to improve workflows, enable secure data sharing, improve efficiency, streamline communications, and prioritize budget management.
GTI: The cloud is often seen as being inherently more secure. Is this a correct assessment and what security challenges does the cloud bring with it for an agency like the DoD?
JD: Moving to the cloud doesn’t necessarily mean that data is secure. Because of the DoD’s mission they have created a security hierarchy to ensure that data in the cloud is protected.
There is a cloud security continuum used by the DoD. At the lowest level, IL2, agencies need to be able to support secure multiprotocol label switching (MPLS) delivery on an independent system. At IL4 and IL5, agencies need an infrastructure that supports the Non-classified Internet Protocol (IP) Router Network (NIPRNet); and IL6 for Secret Internet Protocol Router Network (SIPRNet) enclave.
The framework is there in the cloud to really address many of the security concerns of the various IL security classifications. The real tension comes with the availability of services and capabilities at different levels. It can be challenging to find industry solutions that work for the DoD’s security needs, because they require virtual or physical separation. Many of the platforms are multi-tenant, and the multi-tenancy piece is effectively removed at those levels. IL4 requires virtual separation. IL5 requires physical separation, which is more secure but is also substantially more expensive to deliver. The challenge is the availability of cloud solutions that support IL5 level security capabilities.
In the cloud, there are a variety of service solutions, such as infrastructure as-a-S(IaaS), Platform as-a-Service (PaaS), and Software as-a-Service (SaaS). However, SaaS solutions require vendors to deliver “end to end” security controls for Applications, Databases, Operating Systems, Virtual machines, hardware and physical controls.
GTI: How can the DoD bring more security to the cloud?
JD: The DoD’s IL5 requirements are a rigorous starting point because they require cloud solutions to support continuous patching, scanning processes, and remediating vulnerabilities within 15 days. Security savvy cloud providers, like Avaya, have tightened up a lot processes, all of the way back to the development, to better meet the DoD’s IL security requirements.
While it can take a lot of time and expense to expand SaaS security capabilities and certifications, it is a worthy investment to establish a robust cybersecurity posture. In addition to that, it’s important for the DoD and industry to work together so that we can identify ways to improve the certification processes and continue to evolve cloud security.
Another way that the DoD can bring more security to the cloud comes from IL4 and IL5 transport requirements. Latency, jitter, and packet loss are critical network performance metrics for transporting data using the NIPRNet. Improving these capabilities can also help to improve the speed and security of more demanding applications like voice and video.
GTI: What should the DoD look for in an IL5 solution?
JD: The DoD should always look for SaaS solutions that support the highest level of security. SaaS solutions provide the DoD with the ability to secure their entire platform top to bottom, across all bases of operation. However, as we go up the stack, the number of solutions that meet these requirements become fewer and fewer.
Military infrastructure is slightly different based on its global location, so the DoD needs solutions that can be customized to fit unique needs and circumstances to deliver time-sensitive applications in a secure environment. It’s about balancing the security capabilities of SaaS cloud solutions with their ability to deliver the fundamental needs of the mission.
It’s also important to understand the technical architecture to know how the SaaS solution is going to operate. Like I mentioned in the last question, IL4 and IL5 solutions need SaaS solutions that support the need for transportation while being mindful of latency, jitter, and packet loss.
It’s common to see an organization that begin to migrate to the cloud but overlook what it takes to get to the cloud securely. There’s a misconception that cloud is cheaper, and while there are aspects of it that can provide financial savings, there are a lot of costs to consider as a part of the migration process. Another misconception is that moving to the cloud should be super fast, when in reality the migration process can be very time-consuming and expensive. So, in order to ensure a successful migration, it’s important for defense agencies to take these factors into consideration and plan accordingly.
GTI: Do you have any final thoughts to share with our audience?
JD: On the journey to secure cloud solutions, it’s important that agencies look for solutions that work best for their mission and budgetary needs. Some defense agencies may find that a hybrid architecture works best for them, while others need to migrate everything to the cloud.
Cloud is continually evolving. The standards that are already in place are well established and set a secure foundation for data sharing and innovative technology. At Avaya, we’ve made massive investments to expand our ability to provide secure cloud solutions to meet the DoD’s IL requirements and FedRAMP requirements for other government agencies. I’m looking forward to seeing how cloud solutions will continue to evolve over the next decade.
Originally on Government Technology Insider