Master's thesis research project on DOD domain and Cloud Security issues
DOD and Cloud Security
Can the Cloud be Secure enough for all DOD components?
IST 594: Capstone Thesis Research Project
29 July 2012
By
Isiah Jones
Penn State University Graduate Student
Navy Information Assurance Officer (IAO)
Email: [email protected] (updated contact info February 2014)
Page 2 of 33
Acknowledgements
I would like to acknowledge and thank Dr. Edward Glantz for providing guidance throughout the
capstone and thesis process and requirements. The feedback of Dr. Glantz as well as the
coordinated peer reviews he created for the capstone course served to greatly assist me in
narrowing down and focusing my thesis research question. I would also like to thank my
capstone cohorts for their feedback during the peer reviews. Additionally, I would like to thank
PhD candidate Nicklaus Giacobe for providing insights on other cloud and security awareness
research opportunities underway at Penn State and encouraging me to look at the Internal
Review Board (IRB) process as well as considering future research collaborations to expand
upon the DOD domain. Lastly, I would like to thank all my fellow DOD Information
Technology and Information Assurance colleagues for taking the time to fill out my fourteen
question survey to aid me in my data collection phase of this Master’s thesis capstone project.
Table of Contents
Acknowledgements ....................................................................................................................................... 2
Abstract ......................................................................................................................................................... 4
Introduction and Problem Statement............................................................................................................. 5
Literature Review .......................................................................................................................................... 6
Considerations of Cloud Migration........................................................................................................... 6
Government Examples .............................................................................................................................. 7
Cloud Community and Studies ................................................................................................................. 8
Outstanding Concerns ............................................................................................................................... 9
Research Methods and Plan ........................................................................................................................ 10
Initial Research Question and Actionable Questions .............................................................................. 10
Data Collection Methods ........................................................................................................................ 10
Sampling Requirements and Plan ........................................................................................................... 11
Methods to Analyze Data ........................................................................................................................ 11
Survey Questions .................................................................................................................................... 11
Survey Results and Analysis ....................................................................................................................... 12
Discussions and Conclusion ....................................................................................................................... 12
Works Cited ................................................................................................................................................ 14
Appendices .................................................................................................................................................. 16
Appendix A: Additional References Not Cited ...................................................................................... 16
Appendix B: Survey Intro and Recruitment letter .................................................................................. 17
Appendix C: Survey Questions Design .................................................................................................. 18
Demographic Questions ...................................................................................................................... 18
Cloud and Security Relevant Questions .............................................................................................. 19
Appendix D: Summary Survey Responses ............................................................................................. 21
Appendix E: DOD Cloud exposure by Demographics ........................................................................... 29
Appendix F: Project Gantt Chart ............................................................................................................ 32
Abstract
In determining if all Department of Defense (DOD) components can implement Cloud
solutions securely, one must conduct an investigation on Cloud technology and DOD component
security requirements. It is also necessary to conduct data analysis that focuses on an
understanding of the Cloud and security within the various department components at all levels
of the organizations. This thesis project attempted to conduct peer reviewed research on the
capabilities and understandings of the cloud within the information technology field as well as
understandings and findings on implementing secure cloud solutions within organizations.
Furthermore, research focused on implementing secure cloud solutions within all DOD
components. Moreover, data collection in the form of a survey sent out to DOD component
personnel was conducted in addition to other cloud and security studies discovered and reviewed
within the larger information technology community.
Studies and data collection results show that it is possible to implement secure cloud
solutions, even within DOD. However, there are many considerations that must be understood
and taken into account if organizations, especially DOD components, intend to leverage cloud
computing capabilities. Some considerations include purpose and needs of the cloud and an
understanding of cloud technology and security requirements by decision makers as well as
information assurance, information security and cyber security personnel. Lastly, this thesis
report serves as a preliminary investigation for those interested in conducting more extensive
research on implementing cloud technology, securely and within the DOD domain. The report
specifically serves to answer the question "Can the Cloud be Secure enough for all DOD
components?"
Introduction and Problem Statement
Within the US Federal government, particularly in the Department of Defense (DOD),
the need and mandate to reduce the IT carbon footprint and costs has become a growing trend
(Foley, 2009). Based on the nature of the mission and business of the DOD and its components
the issue of security arises. In order to accomplish the goal of security, reduced footprint and
cost, the DOD and all its components have begun to look at cloud technology as a possible
solution. According to the National Institute of Standards and Technology (NIST), the “Cloud”
is defined as a computing model that offers scalable, on demand services in a shared pool
environment to include network, software, services, data storage and applications that can all be
“provisioned” and released with minimal interaction from a service provider (Badger, Grance,
Patt-Corner, & Voas, 2012).
NIST lists several essential characteristics that a technology must have in order to be considered a
legitimate cloud. Those characteristics consist of on-demand self service, broad network access,
resource pooling, rapid elasticity and measured services. NIST also defines three major service
models: software as a service (SaaS), platform as a service (PaaS) and infrastructure as a
service (IaaS). Furthermore, it defines four major delivery models consisting of private cloud,
community cloud, hybrid cloud and public cloud (Badger, Grance, Patt-Corner, & Voas, 2012).
As one breaks down the cloud, concerns of confidentiality, availability, integrity, non-
repudiation, authentication and authorization arise.
As a US Navy Civil Service Information Assurance Officer (IAO) and CompTIA
Security+ certified IT Security professional, I have observed that my fellow DOD Information
Assurance (IA), Information and Cyber Security (INFOSEC/CYBERSEC) professionals are
concerned that by nature it is impossible to completely secure the cloud at the same level as
traditionally physically managed technology. I became interested in cyber or information
security and assurance back in 2009 after hearing about the creation of USCYBERCOM and
wanted to expand my IT career experiences. Upon discovering the DOD Information Assurance
Scholar Program and finding that my Alma Mater was on the list I applied for the Master of
Professional Studies (MPS) in Information Science: Information Assurance and Decision
Support option through the Penn State University world campus program. After the first two
semesters I realized I wanted more focus on security issues specifically so I switched to the MPS
in Homeland Security: Information Security and Forensics option to give me more of the non-technical
technical security aspects in addition to the IT security experiences. I also worked with my
command’s management to get out of my Navy Enterprise Resource Planning (ERP/SAP)
support duties and into a development opportunity with our information assurance (IA) branch.
By April 2011, I was moving over to the IA branch to learn about DOD IA issues and processes
while simultaneously continuing my MPS degree. I became an IAO and Host Based Security
System (HBSS) security analyst back up over the course of the year as I continued to grow more
into the IA field.
Based on my experiences and observations of my DOD IA colleagues I believe there are
many concerns with DOD components migrating to the cloud. Many of their major issues with
the cloud revolve around who creates, owns and hosts the cloud as well as its data and assets. I
believe these issues or questions, among others, cause some of my more seasoned colleagues
throughout DOD and its components to be more skeptical of the push to move towards the cloud.
Literature Review
Considerations of Cloud Migration
As the Federal Government, especially all DOD components, moves further into the
cloud many decisions have to be made based on the characteristics, service models and delivery
methods possible within cloud computing. As mentioned before, within cloud computing there
are three primary service models of Software as a Service (SaaS), Platform as a Service (PaaS)
and Infrastructure as a Service (IaaS), each with several delivery methods and cloud service
providers. SaaS allows a consumer or customer to use software from a provider via the internet
where the software resides on a cloud infrastructure. This is a thin client, web based approach
where the customer or consumer does not control any of the underlying infrastructure, hardware
or software. PaaS allows the consumer to have control over applications and software but not the
underlying infrastructure of servers and networks. IaaS gives the consumer control over operating
systems and limited network control, including firewall configuration, upon
which the consumer can deploy applications and run necessary software (Badger, Grance, Patt-
Corner, & Voas, 2012).
Each service model can be deployed four major ways. First, the private cloud deployment
allows the consumer to be the sole owner and operator of the particular cloud service model in
use. This limits the sharing of cloud resources within various components of the consumer’s
internal organization instead of sharing with a community of external organizations. It also gives
the consumer more control over the physical location of assets and information within the cloud.
A community cloud consists of the sharing of cloud service models between organizations with
similar missions and or within the same industries or domains. An example would be if the
Defense Information Systems Agency (DISA) worked with a vendor such as Amazon to create a
DOD community cloud for any or all of the three primary service models. In a community cloud
the physical location of assets and data could reside with any of the community members. In a
public cloud the assets and data reside solely with a cloud service provider or vendor such as
Amazon, IBM, Microsoft, Google, Apple, VMware, and EMC. The public cloud is open to the
public via the internet and all data resides on publicly shared resources. Lastly, we have the
hybrid cloud which is an integration of two or more cloud deployment methods that allows for
segregation of data between each method while maintaining portability of the data between
clouds (Badger, Grance, Patt-Corner, & Voas, 2012).
Within the DOD, and with my experiences as a Navy IAO, it would be a safe assumption
that a private Cloud or hybrid solution would be of greatest interest to many DOD components.
As an IAO responsible for the integrity, availability and confidentiality of assigned systems I
would expect all DOD components to leverage all three major service options, considering
the way our Non-classified IP Router Network (NIPRNET) and Secret Internet Protocol Router
Network (SIPRNet) operate today. In parallel with deciding on cloud solutions, DOD leaders
must be concerned about compliance laws and regulations imposed by several government
regulatory authorities. Ensuring that the most cost effective, secure and reliable solutions are also
in compliance with laws such as the Federal Information Security Management Act of 2002
(FISMA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as
examples, is definitely of serious concern in any federal agency or department (Safari, 2012).
Government Examples
Over the past several years there has been a growing trend of government cloud
migrations, to include DOD components (Hoover, Cloud Security, Costs Concern Federal IT
Pros, 2012). These migrations have been accompanied by studies that treat cloud security as an
area of concern, but not an insurmountable one. The National Institute of Standards and Technology (NIST), Defense
Information Systems Agency (DISA) and National Security Agency (NSA) have all been leaders
among government organizations at implementing and or studying cloud issues especially
security issues and operations within DOD. The NIST in particular has been a national leader at
pushing both federal and private sector cloud best practices to include security issues (Hoover,
Feds Issue Comprehensive Cloud Security Guidance, 2012).
One example of such efforts is the May 2012 NIST publication “Cloud Computing
Synopsis and Recommendations” SP 800-146. This publication consists of a thorough analysis,
to include recommendations and risks of cloud implementation within the federal government.
SP 800-146 describes the various cloud service types such as SaaS, PaaS and IaaS as well as
security risks and open issues (Badger, Grance, Patt-Corner, & Voas, 2012). The NIST provides
a baseline for all federal agencies to build from.
Another example consists of an online cloud based collaborative development
environment called “Forge.mil” that DISA has developed as a cost effective, collaborative and
secure way for DOD and its contractors to share and re-use code for systems development within
DOD (Marsan, 2011). This effort is actively proving many possibilities for leveraging cloud
solutions within DOD and government as well as the capability to offer it securely within our
existing network infrastructure. It serves as one example for IA professionals, such as me, that
leveraging the cloud effectively, yet securely can be possible within the DOD network
infrastructure. This example of cloud usage is also an innovative way to use cloud technology to
enhance existing IT operations.
DISA has also been working on other cloud initiatives since 2008 when they created a
secured private cloud called “Rapid Access Computing Environment (RACE)” (Seffers, 2012).
DISA, in partnership with the NSA, has been working on various cloud centric and mobile solutions
for DOD components, specifically forward deployed military forces. Secure technology is the
bread and butter of the NSA and DISA is the DOD’s lead technical service provider, so their
collaborative leadership on cloud efforts is paramount. They both also serve as major technical
and security service providers to the new United States Cyber Command (USCYBERCOM). The
Forge.mil and RACE efforts alone have begun to prove that a secure cloud infrastructure is
possible and alive within DOD. These efforts have even begun to open up new ideas on access
control, hosting and collaboration across DOD components to name a few.
DISA and the NSA have not been the only DOD players in on the cloud action the past
few years. In 2010, the Air Force took an approach of creating a military grade cloud in direct
collaboration with one of the big private sector technology companies, IBM. Air Force decided
to leverage a secure cloud solution offered by IBM called “stream computing” as a way to
leverage cloud technology in their Information Assurance (IA), Cyber Network Defense (CND)
and vulnerability analysis operations (Brodkin, 2010). In this case a DOD
component decided to hire private consultants to help them build a cloud solution for cyber
security operation needs. This is yet another innovative way to use the cloud for more than just
reducing the network carbon footprint and asset costs. This example also shows that some
DOD components are willing to take risks bringing in outside assistance and tools into a military
secured network environment to create innovative cloud solutions.
Cloud Community and Studies
In parallel to government agencies such as NIST, DISA and the NSA, several community
and private organizations have been created to study the cloud to include security issues. One
organization is the Cloud Security Alliance (CSA), a community of IT security professionals
interested in cloud and virtualization security. CSA is specifically concerned with the lack of
answers and advanced compliance laws and standards that specifically fit the new foot print of
issues the cloud has created. CSA is a useful community to subscribe to for cloud security news,
whitepapers, events and even an active blog (Cloud Security Alliance, 2012).
Another organization focused on cloud and virtualization issues is the Virtualization
Practice. They are a community of IT professionals and Engineers specifically interested in
Virtual and Cloud solutions. They are not specifically focused on security as is the CSA but still
a helpful source of information and contacts for Virtual and Cloud news, training, whitepapers
and an active blog as well (The Virtualization Practice, 2011). Both CSA and Virtualization
Practice bring together experts from around the world and across the spectrum to provide
research studies, dialogue and the creation as well as the promotion of standards specific to the
issues that cloud and virtual technology have created.
There have also been contributions to cloud security research by independent research
institutions such as the Ponemon Institute. Ponemon conducts research specifically on “privacy,
data protection and information security policy,” (Ponemon Institute, LLC, 2012). Back in 2009,
Dr. Larry Ponemon conducted a research survey and study on emerging cyber security trends. In
this study cloud and virtual technology security concerns were prevalent, especially within the
public sector. The purpose of the study was “to better understand if certain publicized IT security
risks are, or should be, more or less of a concern for organizations in the federal sector,”
(Ponemon, 2009). It served as a comprehensive study that would help federal IT execs in their
decisions on how to manage resources in a way that would continue to ensure the security of
their systems and data. In the mega trends study 39% of respondents felt increased migration to
the cloud “exacerbated” existing and new security risks they faced in their organizations
(Ponemon, 2009). It is interesting to note, as seen in figure 1 below, that in comparison with
other security threats, cloud computing fell to almost the bottom of the list at 14% concerning
the biggest contributing factors to the inability to protect sensitive information.
Figure 1: Bar Chart of most significant security threat to sensitive information (Ponemon, 2009).
Figure 1’s display of the low ranking of cloud computing concerns implies an
understanding across the Federal Government, to include DOD, that cloud computing itself does
not inherently make systems and data less secure. It implies an understanding that there are
various cloud solutions, to include privately built, owned and operated DOD component clouds.
The report goes on with many more study results but it’s interesting to note that about 29% of
respondents were DOD personnel.
Outstanding Concerns
Despite examples of secure cloud solutions within DOD and government there are many
outstanding concerns and considerations for increased cloud usage. One issue of great concern
to DOD IA professionals specifically is that organizations would retain legal, regulatory and
compliance responsibility while losing control of the security and risk management of their
infrastructure to private cloud service providers (CSPs). Much of the technical, policy and
management control over IT infrastructure security that DOD IA professionals influence and are
responsible for today would be greatly impacted, as some cloud solutions would leave DOD IA
professionals, such as me, at the mercy of the CSP's security and risk management practices
(Wild, 2012). This would require very detailed and accountable service level agreements and
understanding of ramifications if agreements are not met by the CSP. As an IAO, I know many
of my fellow DOD IA professionals would want some type of remote and physical visibility into
the security and risk management practices of the CSP. In a CSA blog, Andrew Wild offers up
some ideas I believe my DOD IA colleagues should consider as our respective agencies, services
and commands move to the cloud. That idea is transparency, meaning that communication between
the user and the CSP will be of utmost importance (Wild, 2012).
Another area of concern for DOD IA professionals is the fact that despite DISA and NSA
involvement in existing DOD cloud solutions, there is still major concern with the cloud. The
NSA in particular remains a strong skeptic of cloud within DOD. However, the NSA has
left publishing on cloud issues to NIST while providing technical security
inputs (Smith, 2012). NIST publications and statements have also repeatedly urged Government,
particularly organizations responsible for defense and security, not to relinquish cloud security to
CSPs and service level agreements (Hoover, Feds Issue Comprehensive Cloud Security
Guidance, 2012). As a Navy IAO, I am sure my colleagues would appreciate the NIST SP 800-
146 report recommendations and the NSA's input to help maintain our influence over the security
of our respective components’ IT operations. NIST and NSA efforts and publications will greatly
aid IA professionals with influencing executive decisions in regards to securely migrating to
cloud solutions.
Research Methods and Plan
During the course of research it is useful and credible to collect research data from IT
professionals in the field. To accomplish this task, a data collection plan and a guiding research
question were needed to outline the types of data needed, how to collect the data and from whom
data would be collected. It was also necessary to describe how the data would be used.
Initial Research Question and Actionable Questions
Can the Cloud be secure enough for all DOD components?
In order to answer the thesis research question one must consider the more detailed questions
that would support such answers. Some actionable questions that would have to be addressed are
as follows:
1. Do DOD components have a need or requirement for the Cloud?
2. Do DOD components have sensitive or classified data, information and systems that will
be impacted by migration to the Cloud?
3. Do DOD components understand Cloud technology and the various options or solutions
for implementing the Cloud?
4. Do DOD components have the in-house skills or funding for contract support to develop
private Cloud solutions?
5. Do DOD component IA professionals have the resources, training and tools to maintain
confidentiality, integrity, availability and non-repudiation within the Cloud?
Data Collection Methods
In order to collect data to support the thesis project an online survey was conducted using
SurveyMonkey.com. SurveyMonkey's advanced plans allowed the creation of an unlimited
number of different question types to include multiple choice, rating scale, matrix selection,
open-ended and demographic questions. No personally identifiable information was to be
collected or distributed for this thesis project. However, some background information was
collected in relation to title, position, and DOD component organization. Additionally, no
classified information was collected or requested for this class thesis project. To protect
participants’ anonymity the IP collection features were turned off to avoid identifying a
respondent’s location and or computer used to complete the survey. The survey was also
configured to only allow one response per computer so that participants could not answer the
survey several times from the same computer. Also, the SSL features were enabled for added
security. Furthermore, the survey could be completed from any location to accommodate those
participants that were not authorized to complete the survey on government furnished equipment.
Sampling Requirements and Plan
The survey attempted to target at least one IA/INFOSEC/CYBERSEC professional from
each of the four DOD services as well as DOD agencies and combatant commands such as
USCYBERCOM, NSA, DISA, DLA and DFAS. Therefore, the desired sample size was required
to be at least 9 respondents. If it was possible to successfully achieve more than the minimum 9
required respondents, the responses of additional respondents were to be included in data
collection and analysis.
The survey started within my Navy command, NAVSUP BSC, to leverage the contacts of
my fellow IA professionals within my command as well as my personal contacts both of whom
reside throughout various DOD components. Furthermore, the survey was also expected to sample
feedback from other IT professionals such as IT leadership and management decision makers,
system administrators, enterprise architects, network administrators and database administrators.
The intent of the survey for data collection was to use the results collected from the various DOD
components and characterized demographics to aid in answering or refuting the research thesis
question.
Methods to Analyze Data
To analyze the survey data collected, the tools provided by SurveyMonkey such as charts,
graphs and other analytical tools were leveraged. The responses and open ended information
provided by all the services, various agencies as well as the IA vs. non IA responses were
compared leveraging cross tab and summary reporting features.
Survey Questions
Appendix B contains a copy of a survey introduction and recruitment letter created to
spark interest in and understanding of what the survey was about, as well as why and when
it needed to be completed. There were 14 survey questions starting with some demographic
questions, some questions on cloud and some questions to gather basic understanding of DOD
security processes. A detailed list of the survey question design can be found in appendix C.
Survey Results and Analysis
Appendix D contains a complete summary of survey question results. The minimum of 9
responses was surpassed. However, as seen in appendix D, figures D-1 to D-4, the majority of
responses were from Navy civil service IA personnel within the GS-11 and 12 pay grade ranges.
Nevertheless, viewing the complete summary results displays that there were some responses
that tapped into the other desired demographics. There were a total of 13 responses with a 100%
response rate on all 14 survey questions.
As seen in appendix D, figure D-5, 76.9% had an understanding of or involvement in
DIACAP and 92.3% had an understanding of cloud technology. This implies some level of
DOD security process awareness in regards to security requirements checks that each DOD
network and system must undergo in order to be authorized to operate within the DOD
information grid. The data also shows that awareness and or basic understanding of cloud
technology or cloud computing has begun to make its way around DOD across several
demographics. With more responses it would be interesting to note the breakdown between DOD
components and personnel positions cross referenced with understanding of the cloud and DOD
security requirements. Some examples can be seen in appendix E, using Survey Monkey’s cross
tab analysis functions. An interesting positive to note in appendix E, figure E-3, is that 41.7% of IA
responses have an understanding of the cloud. This is a positive sign for DOD cloud
implementations as IA personnel lead the way for all DOD cyber security operations and
policies. With greater response rates across more demographics one could conclude that secure
cloud solutions can exist within all DOD components that have an active and informed IA
personnel group. Such information is important in studying whether or not the capability and
understanding to implement cloud solutions currently exists within all DOD components.
Discussions and Conclusion
During the course of researching DOD and cloud security issues, it is apparent there are
differing views. It is also evident that there is a growing understanding of cloud technology and
implementation options. Furthermore, the need for understanding of security issues is expressed
from the highest levels of DOD. So much so that the DOD CIO has recently published a new
DOD Cloud Strategy that is intended to outline the cross component needs and requirements of
implementing cloud solutions within the DOD global information grid (GIG). The strategy
outlines the creation of a “Joint Information Environment” that all DOD cloud solutions must
originate from. This strategy implies a joint understanding and commitment at the highest levels
of DOD to implement in-house DOD cloud solutions (Department of Defense Chief Information
Officer, 2012). The DOD CIO has specifically designated DISA as the sole DOD cloud “broker”
responsible for coordinating, managing and leading all DOD cloud solution efforts (Defense
Information Systems Agency (DISA), 2012). The publication of the DOD Cloud Computing
Strategy and the designation of DISA as the DOD cloud broker by the DOD CIO illustrate that
the DOD is committed to pushing the cloud onto all DOD components going forward.
In parallel to the DOD CIO’s actions, the USCYBERCOM commander and NSA
Director, General Keith Alexander, has decided that DOD cloud solutions should also be the
perfect place to migrate and build more secure, cheaper and efficient cyber intelligence
capabilities (Sternstein, 2012). General Alexander feels secure cloud computing within DOD
would enhance secure intelligence information sharing and collaboration within DOD as well as
between DOD and the rest of the intelligence community.
Despite the differences in opinion between various DOD components, as well as between
various levels of each DOD component, one can conclude that cloud computing within DOD is
coming and will be used to increase network consolidation and reduce costs. Both the DOD CIO
and General Alexander seem to drive the points of collaboration and reduced cost. It is useful to
note that the DOD now has a clear understanding and plan, from the highest DOD IT, intelligence
and IA leadership levels, of cloud security issues as well as cloud capabilities and the initial cost
to migrate to the cloud.
However, it remains to be seen how this will trickle down to each of the various DOD
services, combatant commands and agencies. Nevertheless, as a Navy IAO, it is my
recommendation that all DOD IT professionals, specifically the demographics targeted for the
data collection survey, bring themselves up to speed on the Federal and DOD cloud computing
plans and initiatives. The DOD would be better served by having IT professionals in key
specialties more involved in DOD cloud efforts to maintain efficiency, cross-component
collaboration and, most importantly, security.
Works Cited
Badger, L., Grance, T., Patt-Corner, R., & Voas, J. (2012). Cloud Computing Synopsis and Recommendations: NIST Special Publication 800-146. National Institute of Standards and Technology.
Brodkin, J. (2010, February 4). Air Force building military-grade cloud network, with IBM's help. Retrieved from Network World: http://www.networkworld.com/news/2010/020410-air-force-cloud.html
Cloud Security Alliance. (2012). Retrieved from CSA: Cloud Security Alliance: https://cloudsecurityalliance.org/
Defense Information Systems Agency (DISA). (2012, July). DoD Releases Cloud Computing Strategy; Designates DISA as the Enterprise Cloud Service Broker. Retrieved from http://www.disa.mil/News/PressResources/2012/DISA-DOD-Enterprise-Cloud-Service-Broker
Department of Defense Chief Information Officer. (2012, July). DOD Cloud Computing Strategy. Retrieved from http://www.defense.gov/news/DoDCloudComputingStrategy.pdf
Foley, J. (2009, July 6). How Government's Grabbing THE CLOUD. InformationWeek, 33-36.
Hoover, J. N. (2012, January 23). Cloud Security, Costs Concern Federal IT Pros. Retrieved from InformationWeek: http://www.informationweek.com/news/government/cloud-saas/232500801
Hoover, J. N. (2012, January 25). Feds Issue Comprehensive Cloud Security Guidance. Retrieved from InformationWeek: http://www.informationweek.com/news/government/security/232500472
Marsan, C. D. (2011). Collaborating in the Cloud. Government Executive, 33-35.
Ponemon Institute, LLC. (2012). Ponemon Institute. Retrieved from http://www.ponemon.org/index.php
Ponemon, D. L. (2009). Cyber Security Mega Trends: Study of IT leaders in the U.S. federal government. Ponemon Institute LLC. Retrieved from http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/CA%20Security%20Mega%20Trends%20White%20Paper%20FINAL%202%20%282%29.pdf
Safari, K. (2012). I.T. Service Management, SaaS, and the Public Cloud: Secure Enough for the Government? BMC Software, Inc.
Seffers, G. I. (2012, May). Fostering Technology Transformation. Retrieved from SIGNAL Online: http://www.afcea.org/signal/articles/templates/SIGNAL_Article_Template.asp?articleid=2946&zoneid=13
Smith, D. A. (2012, May 29). NSA security expert worries about mobility, cloud. Retrieved from Network World: http://www.networkworld.com/news/2012/052812-nsa-cloud-mobility-259601.html
Sternstein, A. (2012, June 13). NSA Chief Endorses Cloud for Classified Military Cyber Program. Retrieved from NextGov: http://www.nextgov.com/cybersecurity/2012/06/nsa-chief-endorses-cloud-classified-military-cyber-program/56257/?oref=ng-HPtopstory
The Virtualization Practice. (2011). The Virtualization Practice: Virtualization & Cloud Computing News, Resources, and Analysis. Retrieved September 27, 2011, from http://www.virtualizationpractice.com/blog/
Wild, A. (2012, April 12). Cloud Security Requires All Hands on Deck. Retrieved from CSA: Cloud Security Alliance Industry Blog: https://blog.cloudsecurityalliance.org/2012/04/12/cloud-security-requires-all-hands-on-deck/
Appendices
Appendix A: Additional References Not Cited
Amir Ali Semnanian, J. P. (2011). Virtualization Technology and its Impact on Computer Hardware Architecture. 2011 Eighth International Conference on Information Technology: New Generations.
DON CIO. (n.d.). DON Policy and Guidance. Retrieved from Dept of Navy: Chief Information Officer: The DON IT Resource: http://www.doncio.navy.mil/Policy.aspx
Hinkley, C. (2012, March 19). Cloud Security - Myth or Reality? Retrieved from CSA: Cloud Security Alliance Industry Blog: https://blog.cloudsecurityalliance.org/2012/03/19/secure-cloud-myth-or-reality/
IDG Enterprise. (2012, April 2). Press Release: Research Indicates that Cloud Increases Short Term Costs for Long Term Gains. Retrieved from IDG Enterprise.com: http://www.idgenterprise.com/press/research-indicates-that-cloud-increases-short-term-costs-for-long-term-gains
P. Hoffman, K. S. (n.d.). Guide to Security for Full Virtualization Technologies. National Institute of Standards and Technology, U.S. Department of Commerce.
Appendix B: Survey Intro and Recruitment letter
9 July 2012
Dear Colleagues,
My name is Isiah Jones, a current Penn State University-World Campus Graduate
Student and Navy Civil Service Information Assurance Officer (IAO). I am conducting a survey
via Survey Monkey to support my Master of Professional Studies in Homeland Security-
Information Security and Forensics thesis project on “Can the Cloud be secure enough for all
DoD components?” This survey intends to target DOD IT/IM and IA/INFOSEC/CYBERSEC
personnel. The survey is specifically seeking responses from Military (Active, Reserve and
Guard), Civil Servants, Contractors and Foreign Nationals, and from Army, Navy, Marine
Corps, Air Force, NSA, DISA, DLA, DFAS, NGA, DIA, USCYBERCOM and other DOD
components. The survey and its target demographic are being used to gather Cloud and Security
awareness and understanding information throughout various DOD components. It may also
provide some awareness to our fellow colleagues that Cloud research and secure solutions in fact
are possible within the GIG per some of the UNCLASS information I have found for my project.
Survey participants are asked to complete and then forward the survey to colleagues with
relevant positions. Relevant positions would consist of but are not limited to IAO/ISSO;
IAM/ISSM; ISSE; CND; System Administrators; Network Administrators;
Developers/Engineers/Programmers; Database Administrators; Project/Program Managers;
System/Business Analyst; Enterprise Architects and management such as CIO, CISO, CSO,
IAPM, Supervisors, Commanders and IT Directors.
No personally identifiable information or classified information will be collected,
distributed or accepted for this thesis project. However, the aforementioned demographic
information will be collected in relation to title, position, rank and DOD component organization
affiliation. Additionally, to protect participants’ anonymity the IP collection features in Survey
Monkey have been disabled to avoid identifying a respondent’s location and/or computer used to
complete the survey. The survey is also configured to only allow one response per computer so
that participants cannot answer the survey several times from the same computer. Also, the SSL
features have been enabled for added security. Furthermore, the survey can be completed from
any location with internet access to accommodate those participants who will not be authorized to
complete the survey on government furnished equipment.
Lastly, the survey is strictly voluntary and consists of 14 questions that should take no
more than 5 to 20 minutes to answer. However, participants are asked to respond to all 14
questions. Nevertheless, if a question does not apply there are options to select or enter “N/A”
or “I do not know” where appropriate. Moreover, please note this survey is intended to initially
support my thesis class project. Nonetheless, this thesis research could be incorporated into
larger and publishable research studies in the future. If you have any questions or interest in the
thesis project, a copy of my final report or future research collaboration, please contact me at
[email protected], [email protected] and/or find me on LinkedIn. Thank you again for your
participation and for forwarding this on to our fellow DoD IT and IA colleagues.
If interested in participating please click on the provided link below. Please complete the
survey by close of business 16 July 2012.
https://www.surveymonkey.com/s/Isiah_Jones_Navy_IAO_Penn_State_gradStudent
Appendix C: Survey Questions Design
Demographic Questions
1. Please describe your primary association with the Department of Defense.
a. Military (Active, Reserve, Guard)
b. Civil Service
c. Contractor
d. Foreign National
2. If you selected Military or Civil Service, please select your Rank/Grade Range. If this
does not apply, please select N/A.
a. E-1 to E-3
b. E-4 to E-6
c. E-7 to E-9
d. W-1 to W-5
e. O-1 to O-3
f. O-4 to O-6
g. O-7 to O-10
h. GS-1 to GS-4
i. GS-5 to GS-10
j. GS-11 to GS-12
k. GS-13 to GS-14
l. GS-15 to SES
m. N/A
3. Please select your major DOD component. Please note: If you are Military please select
your service not the agency or command you are currently assigned to. If you are a
contractor or foreign national please select the primary component you are currently
assigned to.
a. Army
b. Navy
c. Marine Corps
d. Air Force
e. NSA
f. DISA
g. DLA
h. DFAS
i. USCYBERCOM
j. Other (Please enter the name of a DOD agency not already listed above or part of
the above listed components.)
4. Please select your primary role, duty, title or position.
a. IA/INFOSEC/CYBERSEC/CND etc. (including management/leadership, i.e.
IAM/ISSM, CISO, etc.)
b. IT program/project management
c. Non-IA Management/leadership (CIO, CFO, Commander, Director, Supervisor,
etc.)
d. System Administrator
e. Network Administrator
f. Enterprise Architect
g. Database Administrator
h. Developer/Engineer/Programmer
i. System/Business Analyst
j. Other (Please enter other IT/IA related position or title not already listed above)
Cloud and Security Relevant Questions
5. Do you have responsibility, experience and involvement with DIACAP and/or FISMA
requirements?
a. Yes
b. No
6. Do you understand the concept and technological components of the Cloud?
a. Yes
b. No
7. Does your DOD component have a need or requirement to leverage the Cloud?
a. Yes
b. No
c. I do not know
8. Does your DOD component handle sensitive and/or classified information, data, systems
and/or technology?
a. Yes
b. No
c. I do not know
9. Does your DOD component have the resources to develop private Cloud solutions?
a. Yes
b. No
c. I do not know
10. As an IA/INFOSEC/CYBERSEC/CND professional do you have the training, tools and
resources you need to maintain confidentiality, integrity, availability and non-repudiation
of data, information, systems and technology within the Cloud?
a. Yes
b. No
c. I do not know
d. N/A (not an IA professional)
11. Do you have an understanding of Cloud technology to include implementation options?
a. Yes
b. No
12. Are you aware of existing DOD components with secure Cloud solutions? (e.g., Forge.mil)
a. Yes
b. No
13. Could you list some of your DOD component's unclassified requirements for a secure
Cloud solution? (open-ended comment box)
14. Could you list any unclassified Cloud solutions underway and what DOD components are
involved? (open-ended comment box)
Appendix D: Summary Survey Responses
Figure D-1: Question 1 summary results
Figure D-2: Question 2 summary results
Figure D-3: Question 3 DOD component summary results
Figure D-4: Question 4 primary role summary results
Figure D-5: Questions 5 and 6 DIACAP and Cloud understanding summary results
Figure D-6: Questions 7 and 8 DOD Cloud and INFOSEC needs summary results
Figure D-7: Questions 9 and 10 resources summary results
Figure D-8: Questions 11 and 12 Cloud awareness summary results
Figure D-9: Question 13 UNCLASS cloud requirements feedback
Figure D-10: Question 14 UNCLASS existing cloud solution awareness feedback
Appendix E: DOD Cloud exposure by Demographics
Figure E-1: Cross tab analysis of Cloud understanding and DOD primary association
Figure E-2: Cross tab analysis of cloud understanding and DOD components
Figure E-3: Cross tab analysis of primary duty and cloud understanding
Appendix F: Project Gantt Chart