Cloud migration and cybersecurity are interconnected issues and currently front of mind for the U.S. Department of Defense. In November 2022, the Pentagon released its Zero Trust Strategy, an implementation plan that lays out the methodologies and approaches the department will mount to reach a full-scale version of the cybersecurity mandate President Biden issued in May 2021.
Just weeks after the ZT Strategy, in early December, the DOD debuted the Joint Warfighting Cloud Capability contract, which enlists the services of four technology giants — Microsoft, Amazon Web Services, Oracle and Google — under a $9 billion effort. JWCC gives DOD components access to a wide range of cloud storage and programs from the aforementioned companies.
According to David McKeown, acting principal deputy chief information officer at the DOD and a 2023 Wash100 Award winner, the department’s dual missions to migrate applications to the cloud and ramp up cutting edge cybersecurity practices are extremely crucial in today’s geopolitical climate. Due to threats from near-peer adversaries like China and Russia, the U.S. must constantly pursue a more agile and more resilient cyber infrastructure, McKeown told a virtual audience at ExecutiveBiz’s Cloud Security Forum on March 22.
McKeown, who additionally serves in the two-hatted role role of DOD deputy chief information officer for cybersecurity and senior information security officer, said that he hopes that the JWCC will centralize cloud offerings for department. He explained that IL2 — or the non-controlled unclassified information plane — is the only clearance level at which agencies are permitted to conduct cloud activities by themselves.
“There are a lot of benefits behind this multi-cloud thing, including the resiliency and each of the cloud service providers have different offerings that they bring to the fight, and we can leverage all of those as we go forward,” McKeown stated.
He continued, saying that after cloud accreditation is complete, workload security can be ensured if a user follows the three principles laid out in a cloud security guide based on the DOD’s cybersecurity reference architecture.
The first principle is to “reduce risk from the inside out. Implement least privilege, eliminate unnecessary security controls, and then isolate workloads and data both logically and physically, inside.”
Secondly, the DOD recommends increasing mission assurance through resilience. In doing so, McKeown says, the strengthened systems will aid in measuring the architecture’s ability to perform and recover, particularly in the case of a cyber incursion. The third principle is to enable modernization. This means integrating, establishing and enforcing data tagging and accelerating the movement to secure cloud services.
The third principle especially bears a good deal of overlap with the tenets of zero trust, McKeown noted, which, through efforts such as the aforementioned ZT Strategy, the Pentagon has “[taken] great steps to define what we mean by zero trust.”
McKeown outlined a trio of pathways the DOD has put forward to achieve full zero trust. ‘Code one,’ as the inciting step is referred, involves uplifting one’s current environment: “Add in all of those capabilities and integrate them to achieve the zero trust effect in your current environment,” per McKeown.
Code two is the adoption of commercial cloud solutions — the key intersection point between cybersecurity and cloud — which is made much more achievable through the JWCC initiative. Finally, code three for the enacting of effective zero trust is constructing a custom cloud on premises, which mainly targets the highest levels of classification, because the department can’t jeopardize top-secret data in an ephemeral cloud set-up.
Department-wide utilization of zero trust is intended to be in effect by 2027 at the Pentagon. McKeown, however, offered a tantalizing prediction during his remarks.
“We think our partnership with these cloud providers may in fact accelerate our goal to get the zero trust earlier than 2027,” he previewed, adding, “We’re very optimistic about that and very happy that all of these cloud service providers are willing to partner with us.”