In the era of digital transformation, national security faces complex and multifaceted challenges. To address these challenges, the Department of Defense (DOD) is taking a vigilant approach to fortify the security of cloud infrastructure.
This approach seamlessly aligns with overarching national cybersecurity initiatives, which are focused on countering a multitude of emerging threats in the age of automation. Collaboratively, the DOD and other government agencies are dedicated to strengthening the ever-evolving cloud ecosystem, while navigating an increasingly intricate threat landscape.
To streamline and bolster these efforts, the DOD and other agencies should consider adopting these four established best practices in cloud security. These foundational principles will be key in advancing the DOD’s proactive “defend forward” strategy, which places great importance on gaining a strategic information advantage and ensuring swift responses within the dynamic realm of a cloud-centric environment.
Resilience As a Strategic Imperative — Zero Trust:
Collaborating with commercial cloud providers is crucial to advance zero trust (ZT) within the DOD. ZT serves as the bedrock for achieving our nation’s cyber goals. The DOD aims to align with ZT principles by 2027, which will require a significant shift in agency mindset. To meet this goal, the DOD can use multi-year roadmaps to assess its current ZT posture, identify risks, uncover duplication, and seize opportunities for improvement. Additionally, advanced analytics can provide predictive insights and measure outcomes throughout the ZT journey.
Continuous Authority to Operate (cATO):
The DOD is shifting towards Continuous Authority to Operate (cATO) to replace the traditional Authority to Operate process. This move aims to reduce bureaucracy, enhance security for systems and data, and improve efficiency. The cATO approach is more dynamic and continuous, and it aligns with executive orders, policies and guidance. In addition, the DOD promotes a DevSecOps approach that integrates security practices into the development and operations lifecycle. By leveraging automation in collaboration with industry, the DOD can expedite the adoption and authentication of new applications and cloud services, enhance threat identification and mitigation, and reduce manpower requirements.
Put simply, the DOD has a tremendous opportunity to embrace automation across security artifacts to rapidly understand the state of compliance, achieve security objectives, and measure effectiveness. This includes actively and rapidly assessing security controls identified in ATO packages, automating time-consuming tasks, and assessing analytical errors to enhance overall executive decision-making.
A Skilled Cyber Workforce:
To execute its cyber strategy effectively, the DOD requires an agile and educated cyber workforce capable of navigating the complex threat landscape. However, the current shortage of skilled cyber expertise presents a significant challenge. To address this challenge, the DOD has implemented a cyber workforce strategy that creates a comprehensive framework for human capital initiatives. Collaborating with industry, allied nations and academia is crucial for recruiting and retaining skilled cyber professionals. AI, cloud computing, data management and secure software development are all priority areas for expanded education. Additionally, recent legislation allows the DOD to recruit qualified civilian cybersecurity personnel, augmenting staff and providing upskilling opportunities in a reserve capacity.
DevSecOps is a method that aims to prevent vulnerabilities from entering production in the most effective and cost-efficient way possible. It involves establishing cybersecurity standards, guidelines and best practices during the requirements phase of the software development lifecycle to enable the swift detection of vulnerabilities. By adopting a structured yet adaptable approach, the DOD can improve its awareness, observability and capabilities to secure cloud-based applications effectively.
Although a majority of security risks come from user mistakes, many are preventable. Often, these errors stem from a misinterpretation of the shared responsibility model, which outlines the boundaries between cloud providers’ responsibilities for security of the cloud and consumers’ responsibilities for security in the cloud.
Transitioning to a secure cloud computing architecture promotes shared responsibility among all stakeholders and enhances the Department of Defense’s modernization efforts. This shift will not only strengthen national defense but will also establish a robust cyber foundation. Seizing these opportunities promptly will enable the DOD to outpace adversaries, fortify its cyber resilience, maintain a strategic advantage, and ultimately contribute to a safer and more secure country.
Shawn Kingsberry is VP of Cybersecurity at SAIC.