U.S. Special Operations Command (SOCOM) and the Defense Information Systems Agency (DISA) expect to roll out groundbreaking cloud capabilities next year, such as a SOCOM version of WhatsApp and a highly customizable DevSecOps platform to help the Fourth Estate shift to hybrid cloud solutions more quickly and securely.
The impetus for these cloud initiatives includes improved user experience, plus the network visibility and control needed to meet mission demands, according to DOD cloud leaders.
“We need hybrid cloud because we need to be able to move workloads anywhere and everywhere at any point in time,” Army Enterprise Cloud Management Agency's Former Director Paul Puckett told GovCIO Media & Research in an interview.
The idea of hybrid cloud being more secure than legacy or on-premise IT infrastructure is a popular narrative in the IT community, but DOD cloud modernization leaders believe this is a myth.
For the defense community, hybrid-cloud migration is about improving efficiency and user experience. Hybrid cloud comes with a new set of cybersecurity risks, but also offers opportunities to strengthen cybersecurity posture in the long run and to capitalize on new capabilities and methods such as DevSecOps and zero trust.
Improving User Experience Without Compromising Security
SOCOM Network Modernization Chief Operating Officer (COO) Col. Joe Pishock said commercial cloud is “giving us options that we haven't had resident to SOCOM the last 15 years” with secure, cloud-connected communications in theater.
“The ability to extend, to go mobile, is greater because of cloud but then it presents challenges because I'm not really extending government services, I'm trying to extend collaboration tools or connect people with partners (not via SIPR or NIPRnet),” Pishock said in an interview with GovCIO Media & Research.
SOCOM’s cloud-enabled communications app — similar to Facebook Messenger, Signal or WhatsApp in the commercial market — intends to solve communication challenges between SOCOM and allied partners in theater. The app is currently in beta testing with U.S. Army Special Operations Command (USASOC) in the Indo-Pacific region after a successful deployment in Europe.
Pishock describes it as “a suite of collaboration tools coming out of a tactical mission network.”
“SOCOM exists for human-to-human interaction, and that is enabled by IT,” he said.
If SOCOM doesn’t create its own secure, collaborative communication tool, service members and allied partners will resort to those commercial apps, which come with a wealth of cyber and information security risks that the service can't fully control.
“All of that is basically prohibited by regulations, but people are still going to do it,” Pishock said. “If we can do better than a third-party app, then we're trending in the right direction — something that at least goes into an environment where we have the potential to control it or influence the data. No policy in the world seems to prevent third-party apps from emerging and that's where (we need to) do better.”
Creating its own app allows SOCOM greater visibility and control while providing the user experience requested by service members and allied partners.
The app is successful because a limited number of people can access it and SOCOM can iterate the app across service components “with a lower level of risk … not at the level of NIPRNet (DOD’s unclassified network),” Pishock added.
One persistent challenge involves determining the best way to secure the app. Because the app doesn’t live on the Department of Defense Information Networks (DODIN), it’s not subject to the same security regulations, despite security being a crucial component of communications with allied partners in a mission environment.
Typical cybersecurity measures such as scanning and patching don’t really apply, Pishock said, so SOCOM must innovate to meet mission demands.
“How it's secured is what we're trying to figure out,” he said. “How do we meet the intention of the information security and cybersecurity and do so in such a way that we can't follow the letter of the law because we don't have any law for these spaces yet? How do we do that, small scale?”
SOCOM CTO Mark Taylor believes a zero trust approach to cybersecurity will be the answer to some of these questions.
“Zero trust is the baseline principle of how we need to treat all networks, whether they be cloud-based or something internal moving forward,” he said in an interview with GovCIO Media & Research. “DOD is still trying to figure out what it looks like. It's not a widget you buy, it's several tools you buy working in concert. Zero trust is the method. Having a strict identity management or ICAM strategy in place is the foundation for that. Zero trust is the Y2K of 2022 for the government.”
How DevSecOps Can Optimize Hybrid Cloud Security
At DISA, the upcoming DevSecOps platform — called “Vulcan” — aims to maintain cybersecurity while enabling swift hybrid cloud migration and improved collaboration for the Fourth Estate.
Alex McFarland, DISA’s technical lead for the Vulcan program, said Vulcan “gives people what they need to level themselves up.”
“We're trying to provide tools that make the work they're doing visible to ease collaboration across silos,” he told GovCIO Media & Research in an interview. “The goal is to make change safe through automation … and by improving safety, improve velocity.”
Dave Lago, a product manager at DISA’s Hosting and Compute Center (HACC), described Vulcan as a set of “self-service tools” for DevSecOps to ensure DOD components integrate security policies into the beginning stages of software development, especially regarding configuration management.
“It's an economic play, all these teams need software development, DevSecOps tools, and it's cost-prohibitive to do it yourself,” he told GovCIO Media & Research in an interview.
“This will be consistent and is consistent with what the Thunderdome team is doing,” he added, referencing DISA’s Thunderdome zero trust prototype.
One of the major goals of Vulcan is to increase visibility of network assets and applications and allow teams to respond quickly to known vulnerabilities and tweak lines of code within an infrastructure-as-code (IaC) environment to improve efficacy, efficiency and security.
“IaC allows for representation of the environment that's codified in text files, which can be checked for vulnerabilities before you deploy,” McFarland said. “Surfacing all that knowledge and that collaboration, I think, is what really kind of addresses our largest issue. It will increase, it will improve visibility in terms of like an audit trail (of code changes) and what we're doing and how we deliver and improve sharing and all the rest.”
Hybrid Cloud Security Challenges Come Down to Configuration
Improved user experience, network visibility and control are frequently cited as top cloud modernization goals for armed services and DOD components as they explore hybrid-cloud solutions, including the U.S. Army, which will continue its aggressive cloud push in fiscal year 2023.
For Puckett, hybrid cloud isn’t more secure than legacy or on-premise IT infrastructure, nor is the reverse true. The Army isn’t interested in hybrid cloud for enhanced cybersecurity, but rather for improved mobility, visibility and control over assets and users, which will allow the Army to develop more agile cybersecurity strategies and responses.
“Now we've got our cyber with visibility into the entire cloud ecosystem simply at the account level and now they can see and be able to manage risk in real time and how they defend the network,” Puckett said. “But then part of that is us working with them, it's getting visibility turned into understanding, it's building those skill sets.”
Like DISA’s Vulcan leads, Puckett considers IaC and configuration-as-code (CaC) as “100% an imperative” for developing a sound hybrid cloud security strategy.
“For instance, the way that we deploy from a secure cloud computing architecture (SCCA) component in cArmy (the Army’s global cloud environment managed by ECMA) is we are leveraging IaC and CaC to the greatest extent possible in order to have repeatability and high confidence in the configurations that we're putting out in the environment,” Puckett said.
Puckett believes operational imperatives will drive risk in hybrid-cloud environments, which means authorizing officials and commanders need to evaluate cloud versus legacy IT tradeoffs and manage expectations about what a secure hybrid-cloud environment should look like.
Cloud security breaches often come down to poor configuration management, he added. In Puckett’s view, breaches tend to happen at the same rate in the cloud as they do in on-premise infrastructure.
“If you look at the Capital One breach, people would blame the cloud service provider for the issue,” he said. “It's like, well, the issue was a misconfiguration on the user side of the house, not the provider side of the house. Oftentimes you get these labels of things being insecure or even go take it further and say this data is really sensitive, so I'm not going to put it in the cloud, I'm going to put it on premise. And that would imply that simply being physically located on premise makes it more secure. And I'd ask the question, have we ever had data breaches for services and data running on-premise? And the answer is yes, right? So is it inherently more secure? No. I'm able to physically touch the server, but when it comes to access to the data, the system as it's designed, if you're not patching or updating those capabilities and you're connected to any type of network, you are vulnerable. And so there's training that has to happen for people to understand.”
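The two threads above, McFarland’s point that an IaC definition “can be checked for vulnerabilities before you deploy” and Puckett’s point that cloud breaches usually come down to user-side misconfiguration, describe the same control: a policy check that runs over the codified environment in the pipeline and blocks the deployment when it finds a risky setting. The script below is an added example and is not Vulcan, cArmy or any DISA or Army code. It assumes a simplified, Terraform-plan-like JSON structure (resource type, name, attributes) that is constructed here for illustration; the resource type names follow common provider conventions, but the sample plan, the rule names and the thresholds are all the example’s own assumptions.

```python
"""Pre-deployment misconfiguration checks over an infrastructure-as-code plan.

Added example, not project code. The plan format is a constructed,
simplified stand-in for a real provider plan; the rules are illustrative.
"""
import ipaddress
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    resource: str   # resource name from the plan
    rule: str       # which check fired
    detail: str     # human-readable explanation for the audit trail


# Ports that should never be reachable from the whole internet (assumed list).
SENSITIVE_PORTS = {22, 3389, 3306, 5432, 1433}


def _is_world(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. an ingress rule open to everyone."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def check_security_group(name: str, attrs: dict) -> list:
    findings = []
    for rule in attrs.get("ingress", []):
        lo, hi = rule.get("from_port", 0), rule.get("to_port", 65535)
        for cidr in rule.get("cidr_blocks", []):
            if not _is_world(cidr):
                continue
            exposed = sorted(p for p in SENSITIVE_PORTS if lo <= p <= hi)
            if exposed or (lo == 0 and hi == 65535):
                findings.append(Finding(name, "open-ingress",
                                        f"{cidr} reaches ports {lo}-{hi} ({exposed or 'all'})"))
    return findings


def check_bucket(name: str, attrs: dict) -> list:
    findings = []
    if attrs.get("acl") in ("public-read", "public-read-write"):
        findings.append(Finding(name, "public-bucket", f"acl={attrs['acl']}"))
    if not attrs.get("server_side_encryption", False):
        findings.append(Finding(name, "unencrypted-bucket", "no server-side encryption set"))
    return findings


def check_iam_policy(name: str, attrs: dict) -> list:
    """Flag an Allow statement granting every action on every resource."""
    findings = []
    doc = attrs["policy"]
    if isinstance(doc, str):          # policies are often embedded as JSON strings
        doc = json.loads(doc)
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if "*" in actions and "*" in resources:
            findings.append(Finding(name, "wildcard-iam", "Allow Action '*' on Resource '*'"))
    return findings


# Dispatch table: resource type in the plan -> check function.
CHECKS = {
    "aws_security_group": check_security_group,
    "aws_s3_bucket": check_bucket,
    "aws_iam_policy": check_iam_policy,
}


def scan_plan(plan: dict) -> list:
    """Run every applicable check over the plan and collect findings."""
    findings = []
    for res in plan["resources"]:
        check = CHECKS.get(res["type"])
        if check is not None:
            findings.extend(check(res["name"], res["attributes"]))
    return findings


def deployment_gate(plan: dict) -> bool:
    """Pipeline gate: True means the plan is clean and may proceed."""
    return not scan_plan(plan)


# Constructed sample plan: two security groups, two buckets, one IAM policy.
SAMPLE_PLAN = {
    "resources": [
        {"type": "aws_security_group", "name": "web", "attributes": {
            "ingress": [{"from_port": 443, "to_port": 443, "cidr_blocks": ["0.0.0.0/0"]}]}},
        {"type": "aws_security_group", "name": "db", "attributes": {
            "ingress": [{"from_port": 5432, "to_port": 5432, "cidr_blocks": ["0.0.0.0/0"]}]}},
        {"type": "aws_s3_bucket", "name": "logs", "attributes": {
            "acl": "private", "server_side_encryption": True}},
        {"type": "aws_s3_bucket", "name": "assets", "attributes": {
            "acl": "public-read", "server_side_encryption": True}},
        {"type": "aws_iam_policy", "name": "admin", "attributes": {
            "policy": json.dumps({"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Action": "*", "Resource": "*"}]})}},
    ]
}

if __name__ == "__main__":
    for f in scan_plan(SAMPLE_PLAN):
        print(f"{f.rule:<18} {f.resource:<8} {f.detail}")
    print("gate:", "PASS" if deployment_gate(SAMPLE_PLAN) else "BLOCK")
```

On the constructed plan the gate blocks: the `db` group exposes PostgreSQL to the internet, the `assets` bucket is world-readable, and the `admin` policy is an unrestricted wildcard, while the HTTPS-only `web` group and the private, encrypted `logs` bucket pass. Each finding carries the resource name and rule, which is the kind of audit trail McFarland describes; in a real pipeline the same checks would run against the provider’s actual plan output rather than this simplified structure.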
Although cloud migration doesn’t by itself bring better cybersecurity, the key to holistic cybersecurity improvement is increased visibility and translating cybersecurity data into actionable knowledge.
“Part of our challenge even today, there's so many logs and alerts and all these different things,” Puckett said. “How do you know what matters or what doesn't matter? I think that's a challenge that's always really existed, which is why you see so many companies that have tools or like we can help you make sense of all this information, we can help you make sense of it. It's not just visibility, it's understanding.”
Puckett also believes zero trust can help translate knowledge of a hybrid cloud’s security state into action.
“Hybrid cloud, if we’re going to be thoughtful about it, requires we move on the zero trust journey,” he said. “It’s a journey of removing implicit trust over time. Moving to a hybrid-cloud environment is just another opportunity to get after that hard work.”