James Thew - Fotolia

DoD cloud security guidelines: What can enterprises learn?

Expert Dan Sullivan explains key takeaways from the Department of Defense's cloud security guidelines that enterprises can put into practice.

The Department of Defense released three new documents on cloud security guidelines via its Defense Information Security Agency. Are there any lessons enterprises can take from these new cloud security guidelines?

The Department of Defense's cloud security guidelines include the "Draft Cloud Computing Security Requirements Guide," "Draft Cloud Access Point Functional Requirements Document," and "Draft Concept of Operations for Cloud Computer Network Defense." If the DoD were a business, it would have over 2 million employees and an annual budget that exceeds $500 billion. Because the DoD is highly vulnerable to potential information leaks, it is safe to say other organizations can learn much from it and its guidance.

The "Draft Cloud Computing Security Requirements Guide" discusses common vulnerabilities and mitigation methods. It focuses on impact levels and security objectives, risk assessment of cloud services, security requirements, network defenses and incident response. The guide also outlines high-level requirements, however, a set of associated documents -- the "Security Technical Implementation Guides" -- are more detailed and product specific.

The "Draft Cloud Access Point Functional Requirements Document" will be especially useful to enterprises deploying hybrid clouds. The DoD has hardened the DoD Information Network to external threats, but it still wants to take advantage of cloud computing services. This document addresses the security risks to the DoD Information Network that are linked to cloud services, and describes cloud access points -- which are controls designed to monitor, detect and block malicious activity before it reaches the military's primary information network.

The "Draft Concept of Operations for Cloud Computer Network Defense" focuses on reporting and incident response when cloud services are involved. The document covers issues around defending the DoD Information Network from attacks originating in the cloud, as well as protecting the DoD's resources in the cloud.

The DoD has a unique set of requirements, and the details presented in these cloud security guidelines should be understood as guidance for its internal use and as guidance to military contractors. Other organizations should view them as starting points that can be adapted to their specific needs and resource constraints.

Ask the Expert:
Have a question about cloud security? Send it via email today. (All questions are anonymous.)

Next Steps

Check out SearchCloudComputing's security best practices for cloud lockdown

Learn more about the needs for cloud computing security standards and guidelines

Dig Deeper on Cloud Computing Frameworks and Standards