In the past year or so, the U.S. Department of Defense (DoD) has made a number of changes to make it easier for DoD agencies to buy cloud services, including accepting some additional risk for less mission-critical data.

The Defense Information Systems Agency (DISA) and the DoD Chief Information Officer have also published a cloud security requirements guide (SRG) to provide more standardized definitions across the Department and facilitate cloud adoption.

A recent news release stated, “As DISA advances cloud capabilities for the Department of Defense (DOD), it embraces the opportunities to use commercial cloud solutions to reduce operational costs, release available resources, enhance standardization, and increase agility and responsiveness to the changing needs of mission partners.” While there is a sense of momentum and excitement across the DoD about moving to the cloud, the emerging model of doing so faces numerous challenges, such as:

  • Lack of a unified model for deploying continuous monitoring across hybrid cloud environments
  • Authorization processes that are not easily replicated across commercial cloud services providers (CSPs)
  • Fragmented and non-standard security reporting processes between organizations and CSPs
  • Lack of risk awareness and single-pane-of-glass visibility for stakeholders
  • Barriers for mission owners to adopt innovative services and technologies from CSPs
  • Cybersecurity approached as an “add on” and not embedded into cloud solutions
  • Inefficient compliance reporting model that results in “sprawl” across CSPs and agencies

Based on our experience as a CSP with provisional authority to operate from both the Federal Risk Management Authorization Program (FedRAMP) and DISA, CGI has developed a framework for enabling secure cloud solutions for DoD mission owners. This framework is based on continuous, repeatable, agnostic, transparent, evolving and secure attributes:

Continuous

A standard model is needed for continuous monitoring in cloud environments. Current continuous monitoring services also need to be integrated to support new hybrid environments.

Repeatable

Repeatable models for implementing commercial cloud solutions are needed and should include cloud-ready continuous monitoring solutions that are rapidly and consistently delivered.

Agnostic

An agnostic cloud provider approach is needed to enable business, technical and security requirements to drive decisions, avoid vendor lock-in, and use advanced decision support models and consultative services to identify optimal solutions.

Transparent

A continuous monitoring model is required for real-time, situational understanding across hybrid cloud provider networks, security postures, performance and spending.

Evolving

The cloud provides unprecedented capabilities to adapt to rapid change in mission and technology, so agencies need to adopt and integrate new services available from CSPs quickly and easily.

Secure

A cybersecurity layer must be embedded to ensure control in a “borderless” enterprise.

Through such a security framework, DoD agencies and other government organizations can build a comprehensive layer of defense designed to secure their cloud-based IT portfolios.

CGI offers a unique combination of cloud and cybersecurity expertise, along with our CGI Unify360 hybrid IT management suite and CGI AssureIQ risk-based approach to continuous monitoring, to support our federal government clients’ move to the cloud.  

This graphic depicts CGI’s optimal hybrid IT security compliance reporting model.

About this author

John Nemoto

Vice-President, CGI Federal Emerging Technologies Practice

As the Cloud Practice Lead within CGI Federal’s Emerging Technologies Practice, John supports client relationship development for the federal market, as well as opportunities around the globe. He oversees technical delivery and consulting services and the CGI Unify360 hybrid IT management suite. His CGI career ...

Comments

Securing cloud-based IT portfolios is a critical point for furthering the amount of small businesses that will move to the cloud. Access to the right data and security of the business data are fundamental requirements for any business using cloud services.

Submitted by careerevolve on December 5, 2016
