DISA to Spend Summer Exploring Security in the Cloud

May 24, 2013
By Max Cacas

The Defense Department is teaming up with a well-known cloud computing giant to resolve security concerns.

Over the next several months, the Defense Information Systems Agency (DISA) will partner with Google to learn how to implement critical security capabilities in a cloud computing environment. The pilot program, involving selected members of DISA’s staff, will explore how the U.S. Defense Department will implement security when it begins to offer cloud computing services to the military in the future.

The pilot program is the result of a Cooperative Research and Development Agreement (CRADA) signed between DISA and Google last February, David Mihelcic, chief technology officer, DISA, says. “The goal of the CRADA is to discover ways we could take our DOD authentication services and be able to gateway those to other cloud services,” explains Mihelcic. He adds that the CRADA is a contractual agreement that allows both entities to do what he describes as, “exploratory work in this area.” Even though the scope of the pilot is specified in a contract, there is no money exchanging hands as part of the CRADA, he says.

According to Mihelcic, the pilot will involve taking DISA’s existing authentication services—public key authentication—and building a gateway service so a Defense Department user can authenticate to that gateway service. “At that point, the authentication can be passed to another service provider by using a standards-based protocol known as Security Assertion Markup Language (SAML).”

Mihelcic adds that the pilot also will explore automating the creation of computer user accounts along with accessing the Defense Manpower Data Center’s database of information on Defense Department active duty service members, reservists, civilian employees and agency contractors. “We can replicate that information out of the database and automatically provision computing accounts for people,” he adds, which should speed the process of bringing new personnel on board, saving time and money.

When asked why Google was chosen for the CRADA and the cloud security pilot program, Mihelcic explains that it’s a function of how Google does its own authentication. “They can take a standards-based protocol to allow you to pass authentication from one domain into another. We believe it’s not unreasonable to leverage that standards-based protocol, so that in the future, we can use it to pass off that authentication information between DOD authentication systems and other external providers.”

As a side benefit, Mihelcic adds, the partnership with Google also allows DISA to explore how the agency might use cloud computing to support other services, such as email and collaboration tools like Defense Connect Online. To that end, the CRADA also includes authentication-enabled uses of the Google Apps for Government (GAfG) office productivity suite as part of the pilot.

The 50 DISA staffers who are participating in the pilot are from the agency’s Joint Interoperability Test Command (JITC). Mihelcic says some members of the pilot group also will prepare the written evaluation and analysis once the pilot program is completed. “In the first phase of the process, they’re only going to process unclassified data. And they’re going to replicate doing their day-to-day business in the Google environment, as opposed to how they do it today, which is a combination of certain enterprise services, like Defense Enterprise Email and other applications.” At the same time, DISA’s security office is working with Google to evaluate the company’s security architecture to determine whether Sensitive but Unclassified information can be processed within Google’s cloud. He says that if the risk is acceptable for such uses, an expanded group of as many as 200 DISA staffers will participate in a yet-to-be-approved second phase in which they will perform day-to-day tasks involving Sensitive but Unclassified data within GAfG.

The first phase of the pilot project began in May and is expected to run until June 30. Phase two, which includes the authentication gateway service, begins July 1 and is scheduled to run until September 30. “We hope to determine that the authentication gateway service is a solid architecture; that it is secure, and performs well, and that we can, in fact, pass authentication information between the DOD authentication service and the external service provider,” he says. The pilot also will test the efficacy of using commercial cloud services and will provide input toward DISA’s plans to be the cloud computing broker for the Defense Department.

Mihelcic concludes that the Google CRADA is also part of a bigger push by DISA toward a multiaward contract for cloud computing services. “We will be putting in place a solicitation for commercial cloud services that meet our security requirements that DOD users can access by way of the cloud broker process,” he says. “This pilot is helping to inform many parts of the overall process, especially the security requirements.” Meeting those security requirements, he adds, is one of the biggest unresolved hurdles to taking the Defense Department into the cloud.



Share Your Thoughts:

Please be made perfectly aware, military and para-military personnel and server facilities, ..... for to fail to realise such information is priceless intelligence for mastery of perception control in the virtual environment, and to ignore it will always be catastrophic in the applied realities which seek to continue to prevail harbouring active dark secrets, which in enemy/competition and opposition hands/hearts and minds would reverse fortunes ......... in Cloud is there no hiding place for anything, and that is inclusive of that which you do not want the opposition and/or competition to know. There be no exceptions to that Universe Ruling Law.

It is because of that simple inescapable fact that the Live Operational Virtual Environment does not suffer the useless fool with useful tools and has its own Global Operating Devices and SMARTR IntelAIgents Systems with CyberIntelAIgent Server Services to share what IT knows and what needs to be known for Seeding and Feeding and Breeding of Novel and Noble Projects in Virtually Controlled Reality.

And methinks that be easily converted/diverted/perverted into a stealthy deadly heavenly weapon if one knows what one is doing and needs to be doing, and therefore should be of great interest to military industrial complex machines, no matter where they be resident and legal alien/resident evil and illegal around the globe, north, south, east or west.

In Madness and Mayhem is CHAOS in Command and Control of Creative CyberSpace, Computers and Communications with Clouds Hosting Advanced Operating Systems in Global Operating Devices ...... and Google doing No Evil is most welcome and hereby welcomed to Work, Rest and Play in ITSpaces with its Myriad Application Places.

Been there. Done that.

AFRL developed, accredited, and deployed a free LiveCD webSSO for small, fast, niche uses that provide CAC-in to Google. AFRL used it for ~6 months to provide CAC-in to its Google pilot. It's also DISA STIG'd, a testbed for advanced authentication technologies, and now a free project at software.forge.mil/sf/projects/secure_end_node_testbed_sent_a_l. Any group can now create their own.

AFRL also created and tested CAC-in using the AF Portal... fast, simple, and free. AFRL is using it now to provide CAC-in for its ~140 person GAfG pilot. The novel process can be adopted by anyone. AKO is conducting a similar test very soon. See https://www.milsuite.mil/book/message/441465. The process can be automated so any group could obtain such a CAC-in service from those enterprise-class Single Sign On (webSSO) services in a few minutes w/out approval. For large GAfG domains, AFRL is also exploring an advanced solution which leverages the webSSO's account & identity management services to ease GAfG admin duties.

All the above solutions are for / were tested on Google Apps for Government domains, but they can be used for any SAML v2.0 compliant cloud for authentication.

The GAfG domains used are accredited / approved for CUI / FOUO / sensitive info.

No CRADA, contract, or such was needed. It was mostly a part-time effort of just one person. AFRL just used Google's published standards, added a few COTS elements, and some ingenuity. Easy.

Other GAfG pilots across the DoD have solved similar, and tougher issues wrt the cloud.

AFRL repeatedly offered its work to DISA.
