The Defense Information Systems Agency is pushing hard to automate its data center operations to free up staff to work on more difficult challenges, according to Jack Wilmer, infrastructure development executive at DISA.
Speaking last week at MeriTalk’s Data Center Brainstorm at the Newseum in Washington, D.C., Wilmer said the agency is leaning on technologies such as network functions virtualization and software-defined networks that can automate a number of tasks currently done manually.
“What we want to do is drive down costs and get more agile but also reapply the people currently doing that work and turn them toward harder problems,” Wilmer explained. “Our goal is to flatten that expense and avoid the ups and downs that come with demand.”
Automation is just part of DISA’s overall strategy for optimizing the Defense Department’s data center operations. Wilmer said the agency continues to explore the best ways to work with commercial providers that offer a break on price, but those providers must fit within the department’s security parameters.
He described a guide that DISA has developed to categorize data. The Cloud Security Reference Guide (CSRG) allows data to be put into different tiers. For example, data labeled as a “2” is unclassified, such as public affairs information or publicly available data from department websites.
Level 4 data includes personally identifiable information that is more sensitive. Wilmer said that type of information might be handled with an increased level of security, at a facility with some risk (such as a commercial facility), but with rules on how to handle it.
Level 5 data is mission-critical to the department’s efforts. Lastly, information under level 6 is classified and is not to be handled by anyone without the proper security clearances. These categories, Wilmer said, are intended to help different sections of the Defense Department determine what is best for their needs and the costs associated with them.
“As we get out of the scope of military command and control, we have to look at the security risks associated with each,” he explained. “We know that some of our data can be put in commercial facilities without much worry. But the question is, how do we gauge the importance of other data and provide it with the necessary security at the right cost for its overall importance?”
A major part of DISA’s data center strategy, Wilmer said, is to create a cloud access point with commercial providers. To that end, the department plans to extend its networks to the commercial clouds that give it an added layer of security.
The cloud access point will act as a gatekeeper to the Defense Department’s networks. Wilmer said that without the proper security measures, other applications hosted within the same commercial cloud could provide cybercriminals a gateway into the department’s networks. The cloud access point will provide an external barrier to the Pentagon’s networks, protecting them in case of such an attack.
“We see tremendous potential in the commercial cloud,” Wilmer said. “Our networks feature a lot of moving parts, and there are a number of necessary steps for us to take to be able to provide services through them in a secure manner.”