Nine Steps Toward Tactical Cloud
The U.S. Department of Defense (DoD) is considering adopting cloud solutions and implementing zero-trust principles for tactical command and control systems. The deployment of tactical cloud solutions will improve flexibility, scalability and interoperability. Additionally, they will enable the development of mission partner environments and help the DoD achieve unified networks with federated data fabrics.
The benefits of cloud environments are well documented. Cloud solutions are scalable and elastic, meaning the DoD can add or remove computing and data storage resources as needed. The DoD can employ cloud solutions to be more agile and deploy new capabilities to respond to changing needs quickly.
Cloud solutions offer push-to-provision, containerized environments where organizations can rapidly deploy and tear down storage, servers and services securely. This makes them ideal for establishing mission partner environments with varying access control and classification needs. Using the cloud, the DoD could manage tailorable, episodic mission partner environments and, with zero-trust principles enabled, provide exquisite device, resource, application and data management.
The DoD could enable faster deployment of applications and services through the tactical cloud. The cloud offers common application protocol interfaces (APIs), enabling easier integration of new applications and automated data threads within software-defined networks. These APIs empower developers to quickly add new features and functionality to their applications. Cloud services often provide comprehensive documentation and support, making it easier for developers to use their services. Unifying networks and data fabrics can occur with greater ease through a common cloud environment.
Cloud solutions can reduce some costs associated with infrastructure and maintenance by eliminating the need for physical infrastructure and staffing costs while facilitating resource sharing across multiple departments and services. Over the long run, shifting these capital investment costs from government-owned to commercial-owned entities can reduce the overhead on DoD budgets and make room for other command, control, computers, communications, cyber, intelligence, surveillance and reconnaissance (C5ISR) investments.
Cloud solutions also improve user experience. Cloud solutions allow users to access their data and applications from any location and device. Developing a DoD tactical cloud environment would enable access to cloud-hosted applications from tactical network assemblages and end-user devices connected through commercial cellular and internet connections. This would increase availability and access while presenting new tactical use cases.
The following steps can aid the DoD in delivering tactical cloud services.
Step 0. Identify stakeholders and approval authorities for the tactical cloud environment, tactical C5ISR mission command systems and data owners. Whoever owns the risk to mission ultimately will determine who gets approval to employ a tactical cloud. Likewise, various stakeholders develop, operate and maintain mission command systems. Finally, data flowing to and from the tactical edge may not reside solely within a tactical cloud environment. Working with these partners through events like the Project Convergence series is a great way to solve collective C5ISR modernization and integration problems.
Step 1. Identify and prioritize the types of tactical data and workloads required by units, and headquarters should be migrated to the cloud. Begin by ensuring they are suitable for a cloud environment. If an application is not cloud native, it must first be containerized and tested within a cloud environment. Some applications and services may not be suitable for the cloud. Similarly, many business process applications do not need to reside in tactical cloud environments. Work profiles can remain consistent for users but vary based on the role they are currently playing (i.e., operating on an objective vice sitting at a desk in a headquarters).
Step 2. When designing a tactical cloud solution, consider the entirety of the unified tactical network and federated data fabric needs between DoD, coalition and mission partners. Involving network and data engineers early in developing tactical cloud solutions can help identify constraints and limitations that affect cloud engineering. Cross-domain solutions, data-sharing restraints and message compatibility needs should be addressed throughout the design process. Furthermore, in tactical environments, where network connectivity may face denied, disconnected, intermittent or limited bandwidth environments, cloud-hosted data and workloads may not be appropriate. The consideration of forward-edge compute for cloud services may be required in this case.
Step 3. Evaluate the security capabilities of different cloud service providers and select one that meets the DoD’s security requirements. The FedRAMP Program Management Office implements the Federal Risk and Authorization Management Program. This program, by Federal Information Security Modernization Act and OMB Circular A-130, provides a standardized approach to security authorizations for cloud service offerings. Based on these requirements, consider what roles and responsibilities corporate partners and DoD organizations must operationalize within their respective risk management frameworks.
Step 4. Develop a comprehensive security plan that defines measures to protect data and workloads in the cloud. This plan should include access controls, data encryption and incident response protocols. Cybersecurity overwatch does not end within the cloud environment. It must extend to the transport, network and end-user devices through which cloud data and workloads ultimately will travel. Tactical cloud solutions will likely be delivered to end-user devices. As such, appropriate security measures must identify these associated risks and develop appropriate controls.
Step 5. Implement zero trust, multifactor authentication and other security controls to ensure that only authorized users can access sensitive data and systems. Comply-to-connect for both a device and its tactical cloud applications can limit risk. Additionally, management of user profiles through zero trust not only buys down risk through controls over what applications, services and data users can see, but it also enables new methods to develop mission partner environments. Finally, within the tactical cloud environment, the use of zero-trust protocols can limit risks of lateral movement within networks and environments, thereby reducing potential cyber risks should other risk management controls fail.
Step 6. Work with cloud service providers to establish clear lines of communication and incident response protocols. The use of tactical cloud solutions during times of military crisis will require cooperation between private and public organizations. If a security breach or other issue occurs, DoD organizations will require close coordination with industry partners. They must establish criteria for determining the severity level of an incident and the appropriate response actions. The DoD should establish a secure and dedicated communication platform for DoD and cloud service provider personnel to discuss incidents, share information and coordinate response activities. Additionally, all parties should develop a pre-established incident response plan that outlines specific roles, responsibilities and processes that must be followed during an incident.
Step 7. Organizational implementation will require updated business processes, C5ISR governance models and training. The use of cloud solutions will enable new use cases across staff functions. As new use cases emerge, disruption will occur and business processes will require revisions. Additionally, just as the administration of varying networks requires common agreements between approval officials, so will the use of cloud solutions, particularly in tactical environments. Finally, DoD users will need training to deliver and administer cloud infrastructure and manage its resident in these solutions.
Step 8. Oversight of cloud environments must address several challenges. If the DoD takes all the necessary precautions to develop secure cloud solutions, some risks will always be involved. This is because it is impossible to eliminate all potential security threats or vulnerabilities. Some of the main risks that may remain even after the DoD has taken steps to secure its cloud environment include the following:
User threats: Users with access to sensitive data or systems may intentionally or unintentionally compromise security. This may be caused by U.S. service personnel or by mission partners. Beyond monitoring users within the cloud environment, endpoint detection and response (EDR) measures should also be considered to mitigate the threats of end-user devices. By containing the danger at the endpoint, EDR helps eliminate it before it can spread. An active monitoring tool integrated into existing DoD cybersecurity overwatch measures can help reduce these risks.
Cyber attacks: Hackers may attempt to gain unauthorized access to the cloud environment, either through technical means or by exploiting vulnerabilities in the system. Cybersecurity overwatch of tactical cloud environments should include a variety of measures, such as implementing strong authentication and access control measures, utilizing encryption to protect data in transit and at rest and implementing a comprehensive incident response plan. Additionally, the DoD should educate users on best practices, use automated tools to detect and respond to malicious activity and deploy a patch management process.
Data breaches: Sensitive data may be inadvertently exposed or accessed by human error or system failures. To mitigate these risks, the DoD should establish a comprehensive data security policy, implement strong access control measures and enable vulnerability scanning and patch management. Additionally, the DoD must monitor systems for suspicious activity and deploy automated logging systems to track user activity, along with establishing a data breach response plan, which outlines the steps to be taken in the event of a breach.
Compliance issues: The DoD may need to comply with relevant laws, regulations or policies governing the use and protection of sensitive and classified data. The DoD must ensure that sensitive data is securely stored and encrypted in an appropriate location. This could include using cloud-based storage solutions or on-premise data centers. Additionally, the DoD must confirm that only authorized personnel can access and share sensitive data. This could consist of implementing access control and data-sharing policies. A core tenet in developing and deploying any tactical cloud solution concerns the proper tagging and classification of data. The more this process can be automated the greater the likelihood that appropriate compliance will occur.
The deployment of tactical cloud solutions has the potential to unify data fabrics and networks within the DoD. They also can enable mission partner environments through rapid deployment, containerized security measures and relatively low cost. To fight and win in future conflicts, where machine speed decisions may matter most, the DoD needs to begin adopting cloud solutions for tactical command and control systems.
The views expressed by the three authors are theirs alone and do not represent the views and opinions of the Defense Department, U.S. Army or other organizations with which they have an affiliation.
Army Lt. Col. Ryan Kenny, Ph.D., commands the 112th Signal Battalion (Special Operations) (Airborne), the world’s only airborne signal battalion. He is an AFCEA member who has contributed articles and columns to SIGNAL Magazine.
Chief Warrant Officer 3 Wavell Williams Jr., USA, serves as a systems integration officer and enjoys collaborating, discussing and executing change utilizing emerging technologies.
Col. Paul Sparks is the U.S. Army Special Operations Command G6 chief information officer. Responsible for providing a modern, secure, agile, trusted and reliable command and control communications enterprise in support of Army Special Operations Forces mission command, conducting worldwide special operations across the range of military operations anytime, anywhere. He holds a master’s in National Security and Strategic Studies from the Naval War College.