The Department of Defense released three new documents on cloud security guidelines via its Defense Information Security Agency. Are there any lessons enterprises can take from these new cloud security guidelines?
The Department of Defense's cloud security guidelines include the "Draft Cloud Computing Security Requirements Guide," "Draft Cloud Access Point Functional Requirements Document," and "Draft Concept of Operations for Cloud Computer Network Defense." If the DoD were a business, it would have over 2 million employees and an annual budget that exceeds $500 billion. Because the DoD is highly vulnerable to potential information leaks, it is safe to say other organizations can learn much from it and its guidance.
The "Draft Cloud Computing Security Requirements Guide" discusses common vulnerabilities and mitigation methods. It focuses on impact levels and security objectives, risk assessment of cloud services, security requirements, network defenses and incident response. The guide itself outlines only high-level requirements; a set of associated documents -- the "Security Technical Implementation Guides" (STIGs) -- provides the more detailed, product-specific requirements.
The "Draft Cloud Access Point Functional Requirements Document" will be especially useful to enterprises deploying hybrid clouds. The DoD has hardened the DoD Information Network against external threats, but it still wants to take advantage of cloud computing services. This document addresses the security risks to the DoD Information Network that are linked to cloud services, and describes cloud access points -- controls designed to monitor, detect and block malicious activity before it reaches the military's primary information network.
The "Draft Concept of Operations for Cloud Computer Network Defense" focuses on reporting and incident response when cloud services are involved. The document covers issues around defending the DoD Information Network from attacks originating in the cloud, as well as protecting the DoD's resources in the cloud.
The DoD has a unique set of requirements, and the details presented in these cloud security guidelines should be understood as guidance for its internal use and as guidance to military contractors. Other organizations should view them as starting points that can be adapted to their specific needs and resource constraints.