DISA to Spend Summer Exploring Security in the Cloud

The Defense Department is teaming up with a well-known cloud computing giant to resolve security concerns.

Over the next several months, the Defense Information Systems Agency (DISA) will partner with Google to learn how to implement critical security capabilities in a cloud computing environment. The pilot program, involving selected members of DISA’s staff, will explore how the U.S. Defense Department will implement security when it begins to offer cloud computing services to the military in the future.

The pilot program is the result of a Cooperative Research and Development Agreement (CRADA) signed between DISA and Google last February, David Mihelcic, chief technology officer, DISA, says. “The goal of the CRADA is to discover ways we could take our DOD authentication services and be able to gateway those to other cloud services,” explains Mihelcic. He adds that the CRADA is a contractual agreement that allows both entities to do what he describes as, “exploratory work in this area.” Even though the scope of the pilot is specified in a contract, there is no money exchanging hands as part of the CRADA, he says.

According to Mihelcic, the pilot will involve taking DISA’s existing authentication services—public key authentication—and building a gateway service so a Defense Department user can authenticate to that gateway service. “At that point, the authentication can be passed to another service provider by using a standards-based protocol known as Security Assertion Markup Language (SAML).”

Mihelcic adds that the pilot also will explore automating the creation of computer user accounts along with accessing the Defense Manpower Data Center’s database of information on Defense Department active duty service members, reservists, civilian employees and agency contractors. “We can replicate that information out of the database and automatically provision computing accounts for people,” he adds, which should speed the process of bringing new personnel on board, saving time and money.

When asked why Google was chosen for the CRADA and the cloud security pilot program, Mihelcic explains that it’s a function of how Google does its own authentication. “They can take a standards-based protocol to allow you to pass authentication from one domain into another. We believe it’s not unreasonable to leverage that standards-based protocol, so that in the future, we can use it to pass off that authentication information between DOD authentication systems and other external providers.”

As a side benefit, Mihelcic adds that the partnership with Google also allows DISA to explore how the agency might use cloud computing to support other services, for example email and collaboration tools such as Defense Connect Online. To that end, the CRADA also includes authentication-enabled uses of the Google Apps for Government (GAfG ) office productivity suite as part of the pilot.

The 50 DISA staffers who are participating in the pilot are from the agency’s Joint Interoperability Task Command. Mihelcic says some members of the pilot group also will prepare the written evaluation and analysis once the pilot program is completed. “In the first phase of the process, they’re only going to process unclassified data. And they’re going to replicate doing their day-to-day business in the Google environment, as opposed to how they do it today, which is a combination of certain enterprise services, like Defense Enterprise Email and other applications. At the same time. DISA’s security office is working with Google to evaluate the company’s security architecture to determine whether Sensitive but Unclassified information can be processed within Google’s cloud. He says that if the risk is acceptable for such uses, an expanded group of as many as 200 DISA staffers will participate in a yet-to-be approved second phase in which they will perform day-to-day tasks involved Sensitive but Unclassified data within the GAfG.

The first phase of the pilot project began May , and is expected to run until June 30. Phase two, which includes an authentication gateway service, begins July 1 and is scheduled to run until September 30. “We hope to determine that the authentication gateway service is a solid architecture; that it is secure, and performs well, and that we can, in fact, pass authentication information between the DOD authentication service and the external service provider,” he says. The pilot also will determine the efficacy of using commercial cloud services and will provide input toward DISA’s plans to be the cloud computing broker for the Defense Department.

Mihelcic concludes that the Google CRADA is also part of a bigger push by DISA for a multiaward contract for cloud computing services. “We will be putting in place a solicitation for commercial cloud services that meet our security requirements that DOD users can access by way of the cloud broker process,” he says. “This pilot is helping to inform many parts of the overall process, especially the security requirements.” Mihelcic concluded that meeting those security requirements is one of the biggest unresolved hurdles to taking the Defense Department into the cloud.