Isiah Jones Dod Cloud N Security Thesis July 2012

Jan 21, 2015


DOD and Cloud Security

Can the Cloud be Secure enough for all DOD components?

IST 594: Capstone Thesis Research Project

29 July 2012

By

Isiah Jones

Penn State University Graduate Student

Navy Information Assurance Officer (IAO)

Email: [email protected] (updated contact info February 2014)

Acknowledgements

I would like to acknowledge and thank Dr. Edward Glantz for providing guidance throughout the capstone and thesis process and requirements. The feedback of Dr. Glantz, as well as the coordinated peer reviews he created for the capstone course, served to greatly assist me in narrowing down and focusing my thesis research question. I would also like to thank my capstone cohorts for their feedback during the peer reviews. Additionally, I would like to thank PhD candidate Nicklaus Giacobe for providing insights on other cloud and security awareness research opportunities underway at Penn State and for encouraging me to look at the Internal Review Board (IRB) process as well as to consider future research collaborations to expand upon the DOD domain. Lastly, I would like to thank all my fellow DOD Information Technology and Information Assurance colleagues for taking the time to fill out my fourteen-question survey to aid me in the data collection phase of this Master’s thesis capstone project.

Table of Contents

Acknowledgements
Abstract
Introduction and Problem Statement
Literature Review
    Considerations of Cloud Migration
    Government Examples
    Cloud Community and Studies
    Outstanding Concerns
Research Methods and Plan
    Initial Research Question and Actionable Questions
    Data Collection Methods
    Sampling Requirements and Plan
    Methods to Analyze Data
    Survey Questions
Survey Results and Analysis
Discussions and Conclusion
Works Cited
Appendices
    Appendix A: Additional References Not Cited
    Appendix B: Survey Intro and Recruitment Letter
    Appendix C: Survey Questions Design
        Demographic Questions
        Cloud and Security Relevant Questions
    Appendix D: Summary Survey Responses
    Appendix E: DOD Cloud Exposure by Demographics
    Appendix F: Project Gantt Chart

Abstract

In determining if all Department of Defense (DOD) components can implement cloud solutions securely, one must conduct an investigation of cloud technology and DOD component security requirements. It is also necessary to conduct data analysis that focuses on an understanding of the cloud and security within the various department components at all levels of the organizations. This thesis project attempted to conduct peer reviewed research on the capabilities and understandings of the cloud within the information technology field as well as understandings and findings on implementing secure cloud solutions within organizations. Furthermore, research focused on implementing secure cloud solutions within all DOD components. Moreover, data collection in the form of a survey sent out to DOD component personnel was conducted, in addition to reviewing other cloud and security studies discovered within the larger information technology community.

Studies and data collection results show that it is possible to implement secure cloud solutions, even within DOD. However, there are many considerations that must be understood and taken into account if organizations, especially DOD components, intend to leverage cloud computing capabilities. Some considerations include the purpose and needs of the cloud and an understanding of cloud technology and security requirements by decision makers as well as information assurance, information security and cyber security personnel. Lastly, this thesis report serves as a preliminary investigation for those interested in conducting more extensive research on implementing cloud technology securely within the DOD domain. The report specifically serves to answer the question “Can the Cloud be Secure enough for all DOD components?”

Introduction and Problem Statement

Within the US Federal government, particularly in the Department of Defense (DOD), the need and mandate to reduce the IT carbon footprint and costs has become a growing trend (Foley, 2009). Given the nature of the mission and business of the DOD and its components, the issue of security arises. In order to accomplish the goals of security, reduced footprint and reduced cost, the DOD and all its components have begun to look at cloud technology as a possible solution. According to the National Institute of Standards and Technology (NIST), the “Cloud” is defined as a computing model that offers scalable, on-demand services in a shared pool environment, including network, software, services, data storage and applications, that can all be “provisioned” and released with minimal interaction from a service provider (Badger, Grance, Patt-Corner, & Voas, 2012).

NIST lists five essential characteristics that technology must have in order to be considered a legitimate cloud: on-demand self-service, broad network access, resource pooling, rapid elasticity and measured service. NIST also defines three major service models, software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS), and four major delivery models, consisting of private cloud, community cloud, hybrid cloud and public cloud (Badger, Grance, Patt-Corner, & Voas, 2012). As one breaks down the cloud, concerns of confidentiality, availability, integrity, non-repudiation, authentication and authorization arise.

As a US Navy Civil Service Information Assurance Officer (IAO) and CompTIA Security+ certified IT security professional, I have observed that my fellow DOD Information Assurance (IA), Information and Cyber Security (INFOSEC/CYBERSEC) professionals are concerned that, by its nature, it is impossible to secure the cloud completely at the same level as traditionally, physically managed technology. I became interested in cyber or information security and assurance back in 2009 after hearing about the creation of USCYBERCOM and wanted to expand my IT career experiences. Upon discovering the DOD Information Assurance Scholar Program and finding that my alma mater was on the list, I applied for the Master of Professional Studies (MPS) in Information Science: Information Assurance and Decision Support option through the Penn State University World Campus program. After the first two semesters I realized I wanted more focus on security issues specifically, so I switched to the MPS in Homeland Security: Information Security and Forensics option to give me more of the non-technical security aspects in addition to the IT security experiences. I also worked with my command’s management to get out of my Navy Enterprise Resource Planning (ERP/SAP) support duties and into a development opportunity with our information assurance (IA) branch. By April 2011, I was moving over to the IA branch to learn about DOD IA issues and processes while simultaneously continuing my MPS degree. Over the course of the year I became an IAO and a backup Host Based Security System (HBSS) security analyst as I continued to grow into the IA field.

Based on my experiences and observations of my DOD IA colleagues, I believe there are many concerns with DOD components migrating to the cloud. Many of their major issues with the cloud revolve around who creates, owns and hosts the cloud as well as its data and assets. I believe these issues or questions, among others, cause some of my more seasoned colleagues throughout DOD and its components to be more skeptical of the push to move towards the cloud.

Literature Review

Considerations of Cloud Migration

As the Federal Government, especially all DOD components, moves further into the cloud, many decisions have to be made based on the characteristics, service models and delivery methods possible within cloud computing. As mentioned before, within cloud computing there are three primary service models, Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS), each with several delivery methods and cloud service providers. SaaS allows a consumer or customer to use software from a provider via the internet, where the software resides on a cloud infrastructure. This is a thin-client, web-based approach where the customer or consumer does not control any of the underlying infrastructure, hardware or software. PaaS allows the consumer to have control over applications and software but not the underlying infrastructure of servers and networks. IaaS gives the consumer some control over operating systems and limited network control, including firewall configuration, on top of which the consumer can deploy applications and run necessary software (Badger, Grance, Patt-Corner, & Voas, 2012).

Each service model can be deployed in four major ways. First, the private cloud deployment allows the consumer to be the sole owner and operator of the particular cloud service model in use. This limits the sharing of cloud resources to the various components of the consumer’s internal organization instead of sharing with a community of external organizations. It also gives the consumer more control over the physical location of assets and information within the cloud. A community cloud consists of the sharing of cloud service models between organizations with similar missions and/or within the same industries or domains. An example would be if the Defense Information Systems Agency (DISA) worked with a vendor such as Amazon to create a DOD community cloud for any or all of the three primary service models. In a community cloud the physical location of assets and data could reside with any of the community members. In a public cloud the assets and data reside solely with a cloud service provider or vendor such as Amazon, IBM, Microsoft, Google, Apple, VMware or EMC. The public cloud is open to the public via the internet and all data resides on publicly shared resources. Lastly, there is the hybrid cloud, which is an integration of two or more cloud deployment methods that allows for segregation of data between each method while maintaining portability of the data between clouds (Badger, Grance, Patt-Corner, & Voas, 2012).

Within the DOD, and from my experience as a Navy IAO, it would be a safe assumption that a private cloud or hybrid solution would be of greatest interest to many DOD components. As an IAO responsible for the integrity, availability and confidentiality of assigned systems, I would expect all DOD components to leverage all three major service options, considering the way our Non-classified IP Router Network (NIPRNET) and Secret Internet Protocol Router Network (SIPRNet) operate today. In conjunction with deciding on cloud solutions, DOD leaders must be concerned about compliance laws and regulations imposed by several government regulatory authorities. Ensuring that the most cost effective, secure and reliable solutions are also in compliance with laws such as the Federal Information Security Management Act of 2002 (FISMA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as examples, is definitely of serious concern in any federal agency or department (Safari, 2012).

Government Examples

Over the past several years there has been a growing trend of government cloud migrations, including DOD components (Hoover, Cloud Security, Costs Concern Federal IT Pros, 2012). These trends have included studies that treat security issues within the cloud as areas of concern, yet as achievable. The National Institute of Standards and Technology (NIST), Defense Information Systems Agency (DISA) and National Security Agency (NSA) have all been leaders among government organizations in implementing and/or studying cloud issues, especially security issues and operations within DOD. NIST in particular has been a national leader in pushing both federal and private sector cloud best practices, including security issues (Hoover, Feds Issue Comprehensive Cloud Security Guidance, 2012).

One example of such efforts is the May 2012 NIST publication “Cloud Computing Synopsis and Recommendations,” SP 800-146. This publication consists of a thorough analysis, including recommendations and risks, of cloud implementation within the federal government. SP 800-146 describes the various cloud service types such as SaaS, PaaS and IaaS as well as security risks and open issues (Badger, Grance, Patt-Corner, & Voas, 2012). NIST provides a baseline for all federal agencies to build from.

Another example is an online, cloud-based collaborative development environment called “Forge.mil” that DISA has developed as a cost effective, collaborative and secure way for DOD and its contractors to share and re-use code for systems development within DOD (Marsan, 2011). This effort is actively proving many possibilities for leveraging cloud solutions within DOD and government, as well as the capability to offer them securely within our existing network infrastructure. It serves as one example for IA professionals, such as me, that leveraging the cloud effectively, yet securely, can be possible within the DOD network infrastructure. This example of cloud usage is also an innovative way to use cloud technology to enhance existing IT operations.

DISA has also been working on other cloud initiatives since 2008, when it created a secured private cloud called the “Rapid Access Computing Environment (RACE)” (Seffers, 2012). DISA, in partnership with the NSA, has been working on various cloud-centric and mobile solutions for DOD components, specifically forward deployed military forces. Secure technology is the bread and butter of the NSA, and DISA is the DOD’s lead technical service provider, so their collaborative leadership on cloud efforts is paramount. They both also serve as major technical and security service providers to the new United States Cyber Command (USCYBERCOM). The Forge.mil and RACE efforts alone have begun to prove that a secure cloud infrastructure is possible and already operating within DOD. These efforts have even begun to open up new ideas on access control, hosting and collaboration across DOD components, to name a few.

DISA and the NSA have not been the only DOD players in on the cloud action over the past few years. In 2010, the Air Force took the approach of creating a military grade cloud in direct collaboration with one of the big private sector technology companies, IBM. The Air Force decided to leverage a secure cloud solution offered by IBM called “stream computing” as a way to apply cloud technology to its Information Assurance (IA), Cyber Network Defense (CND) and vulnerability analysis operations (Brodkin, 2010). In this case, a DOD component decided to hire private consultants to help it build a cloud solution for cyber security operation needs. This is yet another innovative way to use the cloud for more than just reducing the network carbon footprint and asset costs. This example also shows that some DOD components are willing to take risks by bringing outside assistance and tools into a military secured network environment to create innovative cloud solutions.

Cloud Community and Studies

In parallel to government agencies such as NIST, DISA and the NSA, several community and private organizations have been created to study the cloud, including its security issues. One organization is the Cloud Security Alliance (CSA), a community of IT security professionals interested in cloud and virtualization security. CSA is specifically concerned with the lack of answers, and of mature compliance laws and standards, that specifically fit the new footprint of issues the cloud has created. CSA is a useful community to subscribe to for cloud security news, whitepapers, events and even an active blog (Cloud Security Alliance, 2012).

Another organization focused on cloud and virtualization issues is the Virtualization Practice. They are a community of IT professionals and engineers specifically interested in virtual and cloud solutions. They are not specifically focused on security, as the CSA is, but are still a helpful source of information and contacts for virtual and cloud news, training, whitepapers and an active blog as well (The Virtualization Practice, 2011). Both CSA and the Virtualization Practice bring together experts from around the world and across the spectrum to provide research studies, dialogue and the creation as well as the promotion of standards specific to the issues that cloud and virtual technology have created.

There have also been contributions to cloud security research by independent research institutions such as the Ponemon Institute. Ponemon conducts research specifically on “privacy, data protection and information security policy” (Ponemon Institute, LLC, 2012). Back in 2009, Dr. Larry Ponemon conducted a research survey and study on emerging cyber security trends. In this study, cloud and virtual technology security concerns were prevalent, especially within the public sector. The purpose of the study was “to better understand if certain publicized IT security risks are, or should be, more or less of a concern for organizations in the federal sector” (Ponemon, 2009). It served as a comprehensive study that would help federal IT executives in their decisions on how to manage resources in a way that would continue to ensure the security of their systems and data. In the mega trends study, 39% of respondents felt increased migration to the cloud “exacerbated” existing and new security risks they faced in their organizations (Ponemon, 2009). It is interesting to note, as seen in figure 1 below, that in comparison with other security threats, cloud computing fell to almost the bottom of the list, at 14%, among the biggest contributing factors to the inability to protect sensitive information.

Figure 1: Bar Chart of most significant security threat to sensitive information (Ponemon, 2009).

Figure 1’s display of the low ranking of cloud computing concerns implies an understanding across the Federal Government, including DOD, that cloud computing itself does not inherently make systems and data less secure. It implies an understanding that there are various cloud solutions, including privately built, owned and operated DOD component clouds. The report goes on with many more study results, but it is interesting to note that about 29% of respondents were DOD personnel.

Outstanding Concerns

Despite examples of secure cloud solutions within DOD and government, there are many outstanding concerns and considerations for increased cloud usage. One issue of great concern to DOD IA professionals specifically is organizations maintaining legal, regulatory and compliance responsibility while losing control of the security and risk management of their infrastructure to private cloud service providers (CSPs). Much of the technical, policy and management control over the security of the IT infrastructure that DOD IA professionals influence and are responsible for today would be greatly impacted, as some cloud solutions would force DOD IA professionals, such as me, to be at the mercy of the CSP’s security and risk management practices (Wild, 2012). This would require very detailed and accountable service level agreements and an understanding of the ramifications if agreements are not met by the CSP. As an IAO, I know many of my fellow DOD IA professionals would want some type of remote and physical visibility into the security and risk management practices of the CSP. In a CSA blog, Andrew Wild offers up some ideas I believe my DOD IA colleagues should consider as our respective agencies, services and commands move to the cloud. Chief among them is transparency, meaning that user and CSP communication will be of utmost importance (Wild, 2012).

Another area of concern for DOD IA professionals is the fact that, despite DISA and NSA involvement in existing DOD cloud solutions, there is still major concern with the cloud. The NSA in particular remains a very concerned skeptic of cloud within DOD. However, the NSA has left the publications on cloud issues up to NIST, while providing technical security inputs (Smith, 2012). NIST publications and statements have also repeatedly urged Government, particularly organizations responsible for defense and security, not to relinquish cloud security to CSPs and service level agreements (Hoover, Feds Issue Comprehensive Cloud Security Guidance, 2012). As a Navy IAO, I am sure my colleagues would appreciate the NIST SP 800-146 report recommendations and the NSA’s input to help maintain our influence over the security of our respective components’ IT operations. NIST and NSA efforts and publications will greatly aid IA professionals in influencing executive decisions in regards to securely migrating to cloud solutions.

Research Methods and Plan

During the course of research it is useful and credible to collect research data from IT professionals in the field. To accomplish this task, a data collection plan and a guiding research question were needed to outline the types of data needed, how to collect the data and from whom data would be collected. It was also necessary to describe how the data would be used.

Initial Research Question and Actionable Questions

Can the Cloud be secure enough for all DOD components?

In order to answer the thesis research question one must consider the more detailed questions that would support such answers. Some actionable questions that would have to be addressed are as follows:

1. Do DOD components have a need or requirement for the Cloud?

2. Do DOD components have sensitive or classified data, information and systems that will be impacted by migration to the Cloud?

3. Do DOD components understand Cloud technology and the various options or solutions for implementing the Cloud?

4. Do DOD components have the in-house skills or funding for contract support to develop private Cloud solutions?

5. Do DOD component IA professionals have the resources, training and tools to maintain confidentiality, integrity, availability and non-repudiation within the Cloud?

Data Collection Methods

In order to collect data to support the thesis project, an online survey was conducted using SurveyMonkey.com. SurveyMonkey’s advanced versions allowed the creation of an unlimited number of different question types, including multiple choice, rating scale, matrix selection, open-ended and demographic questions. No personally identifiable information was to be collected or distributed for this thesis project. However, some background information was collected in relation to title, position, and DOD component organization. Additionally, no classified information was collected or requested for this class thesis project. To protect participants’ anonymity, the IP collection features were turned off to avoid identifying a respondent’s location and/or the computer used to complete the survey. The survey was also configured to only allow one response per computer so that participants could not answer the survey several times from the same computer. Also, the SSL features were enabled for added security. Furthermore, the survey could be completed from any location to accommodate those participants who were not authorized to complete the survey on government furnished equipment.

Sampling Requirements and Plan

The survey attempted to target at least one IA/INFOSEC/CYBERSEC professional from each of the four DOD services as well as DOD agencies and combatant commands such as USCYBERCOM, NSA, DISA, DLA and DFAS. Therefore, the desired sample size was required to be at least 9 respondents. If it was possible to successfully achieve more than the minimum 9 required respondents, the responses of additional respondents were to be included in data collection and analysis.

The survey started within my Navy command, NAVSUP BSC, to leverage the contacts of my fellow IA professionals within my command as well as my personal contacts, both of which reside throughout various DOD components. Furthermore, it was expected to also sample feedback from other IT professionals such as IT leadership and management decision makers, system administrators, enterprise architects, network administrators and database administrators. The intent of the survey for data collection was to use the results collected from the various DOD components and characterized demographics to aid in answering or refuting the research thesis question.

Methods to Analyze Data

To analyze the survey data collected, the tools provided by SurveyMonkey such as charts, graphs and other analytical tools were leveraged. The responses and open-ended information provided by all the services and various agencies, as well as the IA vs. non-IA responses, were compared leveraging cross-tab and summary reporting features.

Survey Questions

Appendix B contains a copy of a survey introduction and recruitment letter created to spark interest and to explain what the survey was about as well as why and when it needed to be completed. There were 14 survey questions, starting with some demographic questions, followed by some questions on cloud and some questions to gather basic understanding of DOD security processes. A detailed list of the survey question design can be found in appendix C.

Survey Results and Analysis

Appendix D contains a complete summary of survey question results. The minimum of 9 responses was surpassed. However, as seen in appendix D, figures D-1 to D-4, the majority of responses were from Navy civil service IA personnel within the GS-11 and GS-12 pay grade ranges. Nevertheless, viewing the complete summary results shows that there were some responses that tapped into the other desired demographics. There were a total of 13 responses with a 100% response rate on all 14 survey questions.

As seen in appendix D, figure D-5, 76.9% had an understanding of or involvement in DIACAP and 92.3% had an understanding of cloud technology. This implies some level of DOD security process awareness in regards to the security requirements checks that each DOD network and system must undergo in order to be authorized to operate within the DOD information grid. The data also shows that awareness and/or basic understanding of cloud technology or cloud computing has begun to make its way around DOD across several demographics. With more responses it would be interesting to note the breakdown between DOD components and personnel positions cross referenced with understanding of the cloud and DOD security requirements. Some examples can be seen in appendix E, using SurveyMonkey’s cross-tab analysis functions. An interesting positive to note in appendix E, figure E-3, is that 41.7% of IA responses have an understanding of the cloud. This is a positive sign for DOD cloud implementations, as IA personnel lead the way for all DOD cyber security operations and policies. With greater response rates across more demographics one could conclude that secure cloud solutions can exist within all DOD components that have an active and informed IA personnel group. Such information is important in studying whether or not the capability and understanding to implement cloud solutions currently exists within all DOD components.

Discussions and Conclusion

During the course of researching DOD and cloud security issues, it became apparent that there are differing views. It is also evident that there is a growing understanding of cloud technology and implementation options. Furthermore, the need for understanding of security issues is expressed from the highest levels of DOD, so much so that the DOD CIO has recently published a DOD Cloud Computing Strategy intended to outline the cross-component needs and requirements for implementing cloud solutions within the DOD global information grid (GIG). The strategy calls for the creation of a "Joint Information Environment" from which all DOD cloud solutions must originate. This implies a joint understanding and commitment at the highest levels of DOD to implement in-house DOD cloud solutions (Department of Defense Chief Information Officer, 2012). The DOD CIO has also specifically designated DISA as the sole DOD cloud "broker", responsible for coordinating, managing and leading all DOD cloud solution efforts (Defense Information Systems Agency (DISA), 2012). The publication of the DOD Cloud Computing Strategy and the designation of DISA as the DOD enterprise cloud service broker by the DOD CIO illustrate that the DOD is committed to pushing the cloud onto all DOD components going forward.

In parallel with the DOD CIO's actions, the USCYBERCOM commander and NSA Director, General Keith Alexander, has endorsed DOD cloud solutions as the ideal place to migrate to and build more secure, cheaper and more efficient cyber intelligence capabilities (Sternstein, 2012). General Alexander holds that secure cloud computing within DOD would enhance secure intelligence information sharing and collaboration within DOD, as well as between DOD and the rest of the intelligence community.

Despite the differences in opinion between the various DOD components, and between the various levels within each component, one can conclude that cloud within DOD is coming and will be used to drive network consolidation and cost reduction. Both the DOD CIO and General Alexander emphasize collaboration and reduced cost. It is also useful to note that the DOD now has a clear understanding and plan, from the highest DOD IT, intelligence and IA leadership levels, of cloud security issues, cloud capabilities and the initial cost of migrating to the cloud.

However, it remains to be seen how this will trickle down to each of the various DOD services, combatant commands and agencies. Nevertheless, as a Navy IAO, it is my recommendation that all DOD IT professionals, specifically the demographics targeted by the data collection survey, bring themselves up to speed on the Federal and DOD cloud computing plans and initiatives. The DOD would be better served by having IT professionals in key specialties more involved in DOD cloud efforts, to maintain efficiency, cross-component collaboration and, most importantly, security.

Works Cited

Badger, L., Grance, T., Patt-Corner, R., & Voas, J. (2012). Cloud Computing Synopsis and Recommendations: NIST Special Publication 800-146. National Institute of Standards and Technology.

Brodkin, J. (2010, February 4). Air Force building military-grade cloud network, with IBM's help. Retrieved from Network World: http://www.networkworld.com/news/2010/020410-air-force-cloud.html

Cloud Security Alliance. (2012). CSA: Cloud Security Alliance. Retrieved from https://cloudsecurityalliance.org/

Defense Information Systems Agency (DISA). (2012, July). DoD Releases Cloud Computing Strategy; Designates DISA as the Enterprise Cloud Service Broker. Retrieved from http://www.disa.mil/News/PressResources/2012/DISA-DOD-Enterprise-Cloud-Service-Broker

Department of Defense Chief Information Officer. (2012, July). DOD Cloud Computing Strategy. Retrieved from http://www.defense.gov/news/DoDCloudComputingStrategy.pdf

Foley, J. (2009, July 6). How Government's Grabbing the Cloud. InformationWeek, 33-36.

Hoover, J. N. (2012, January 23). Cloud Security, Costs Concern Federal IT Pros. Retrieved from InformationWeek: http://www.informationweek.com/news/government/cloud-saas/232500801

Hoover, J. N. (2012, January 25). Feds Issue Comprehensive Cloud Security Guidance. Retrieved from InformationWeek: http://www.informationweek.com/news/government/security/232500472

Marsan, C. D. (2011). Collaborating in the Cloud. Government Executive, 33-35.

Ponemon Institute, LLC. (2012). Ponemon Institute. Retrieved from http://www.ponemon.org/index.php

Ponemon, L. (2009). Cyber Security Mega Trends: Study of IT leaders in the U.S. federal government. Ponemon Institute LLC. Retrieved from http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/CA%20Security%20Mega%20Trends%20White%20Paper%20FINAL%202%20%282%29.pdf

Safari, K. (2012). I.T. Service Management, SaaS, and the Public Cloud: Secure Enough for the Government? BMC Software, Inc.

Seffers, G. I. (2012, May). Fostering Technology Transformation. Retrieved from SIGNAL Online (AFCEA): http://www.afcea.org/signal/articles/templates/SIGNAL_Article_Template.asp?articleid=2946&zoneid=13

Smith, D. A. (2012, May 29). NSA security expert worries about mobility, cloud. Retrieved from Network World: http://www.networkworld.com/news/2012/052812-nsa-cloud-mobility-259601.html

Sternstein, A. (2012, June 13). NSA Chief Endorses Cloud for Classified Military Cyber Program. Retrieved from NextGov: http://www.nextgov.com/cybersecurity/2012/06/nsa-chief-endorses-cloud-classified-military-cyber-program/56257/?oref=ng-HPtopstory

The Virtualization Practice. (2011). The Virtualization Practice: Virtualization & Cloud Computing News, Resources, and Analysis. Retrieved September 27, 2011, from http://www.virtualizationpractice.com/blog/

Wild, A. (2012, April 12). Cloud Security Requires All Hands on Deck. Retrieved from CSA: Cloud Security Alliance Industry Blog: https://blog.cloudsecurityalliance.org/2012/04/12/cloud-security-requires-all-hands-on-deck/

Appendices

Appendix A: Additional References Not Cited

Semnanian, A. A., Pham, J., Englert, B., & Wu, X. (2011). Virtualization Technology and its Impact on Computer Hardware Architecture. 2011 Eighth International Conference on Information Technology: New Generations.

DON CIO. (n.d.). DON Policy and Guidance. Retrieved from Dept of Navy: Chief Information Officer: The DON IT Resource: http://www.doncio.navy.mil/Policy.aspx

Hinkley, C. (2012, March 19). Cloud Security - Myth or Reality? Retrieved from CSA: Cloud Security Alliance Industry Blog: https://blog.cloudsecurityalliance.org/2012/03/19/secure-cloud-myth-or-reality/

IDG Enterprise. (2012, April 2). Press Release: Research Indicates that Cloud Increases Short Term Costs for Long Term Gains. Retrieved from IDG Enterprise.com: http://www.idgenterprise.com/press/research-indicates-that-cloud-increases-short-term-costs-for-long-term-gains

Scarfone, K., Souppaya, M., & Hoffman, P. (2011). Guide to Security for Full Virtualization Technologies: NIST Special Publication 800-125. National Institute of Standards and Technology, U.S. Department of Commerce.

Appendix B: Survey Intro and Recruitment letter

Dear Colleagues, 9 July 2012

My name is Isiah Jones, a current Penn State University-World Campus Graduate Student and Navy Civil Service Information Assurance Officer (IAO). I am conducting a survey via Survey Monkey to support my Master of Professional Studies in Homeland Security-Information Security and Forensics thesis project on "Can the Cloud be secure enough for all DoD components?" This survey targets DOD IT/IM and IA/INFOSEC/CYBERSEC personnel. The survey is specifically seeking responses from Military (Active, Reserve and Guard), Civil Servants, Contractors and Foreign Nationals, and from Army, Navy, Marine Corps, Air Force, NSA, DISA, DLA, DFAS, NGA, DIA, USCYBERCOM and other DOD components. The survey and its target demographic are being used to gather Cloud and Security awareness and understanding information throughout various DOD components. It may also provide some awareness to our fellow colleagues that Cloud research and secure solutions are in fact possible within the GIG, per some of the UNCLASS information I have found for my project.

Survey participants are asked to complete and then forward the survey to colleagues in relevant positions. Relevant positions consist of, but are not limited to, IAO/ISSO; IAM/ISSM; ISSE; CND; System Administrators; Network Administrators; Developers/Engineers/Programmers; Database Administrators; Project/Program Managers; System/Business Analysts; Enterprise Architects; and management such as CIO, CISO, CSO, IAPM, Supervisors, Commanders and IT Directors.

No personally identifiable information or classified information will be collected, distributed or accepted for this thesis project. However, the aforementioned demographic information will be collected in relation to title, position, rank and DOD component organization affiliation. Additionally, to protect participants' anonymity, the IP collection features in Survey Monkey have been disabled to avoid identifying a respondent's location and/or the computer used to complete the survey. The survey is also configured to allow only one response per computer so that participants cannot answer the survey several times from the same computer. Also, the SSL features have been enabled for added security. Furthermore, the survey can be completed from any location with internet access to accommodate those participants who will not be authorized to complete the survey on government furnished equipment.

Lastly, the survey is strictly voluntary and consists of 14 questions that should take no more than 5 to 20 minutes to answer. However, participants are asked to respond to all 14 questions. Nevertheless, if a question does not apply there are options to select or enter N/A or "I do not know" where appropriate. Moreover, please note this survey is initially intended to support my thesis class project. Nonetheless, this thesis research could be incorporated into larger and publishable research studies in the future. If you have any questions or interest in the thesis project, a copy of my final report or future research collaboration, please contact me at [email protected], [email protected] and/or find me on LinkedIn. Thank you again for your participation and for forwarding this on to our fellow DoD IT and IA colleagues.

If interested in participating please click on the provided link below. Please complete the survey by close of business 16 July 2012.

https://www.surveymonkey.com/s/Isiah_Jones_Navy_IAO_Penn_State_gradStudent

Appendix C: Survey Questions Design

Demographic Questions

1. Please describe your primary association with the Department of Defense.
a. Military (Active, Reserve, Guard)
b. Civil Service
c. Contractor
d. Foreign National

2. If you selected Military or Civil Service, please select your Rank/Grade Range. If this does not apply please select N/A.
a. E-1 to E-3
b. E-4 to E-6
c. E-7 to E-9
d. W-1 to W-5
e. O-1 to O-3
f. O-4 to O-6
g. O-7 to O-10
h. GS-1 to GS-4
i. GS-5 to GS-10
j. GS-11 to GS-12
k. GS-13 to GS-14
l. GS-15 to SES
m. N/A

3. Please select your major DOD component. Please note: If you are Military please select your service, not the agency or command you are currently assigned to. If you are a contractor or foreign national please select the primary component you are currently assigned to.
a. Army
b. Navy
c. Marine Corps
d. Air Force
e. NSA
f. DISA
g. DLA
h. DFAS
i. USCYBERCOM
j. Other (Please enter the name of a DOD agency not already listed above or part of the above listed components.)

4. Please select your primary role, duty, title or position.
a. IA/INFOSEC/CYBERSEC/CND etc. (including management/leadership, e.g. IAM/ISSM, CISO etc.)
b. IT program/project management
c. Non-IA Management/leadership (CIO, CFO, Commander, Director, Supervisor etc.)
d. System Administrator
e. Network Administrator
f. Enterprise Architect
g. Database Administrator
h. Developer/Engineer/Programmer
i. System/Business Analyst
j. Other (Please enter other IT/IA related position or title not already listed above)

Cloud and Security Relevant Questions

5. Do you have responsibility, experience and involvement with DIACAP and/or FISMA requirements?
a. Yes
b. No

6. Do you understand the concept and technological components of the Cloud?
a. Yes
b. No

7. Does your DOD component have a need or requirement to leverage the Cloud?
a. Yes
b. No
c. I do not know

8. Does your DOD component handle sensitive and/or classified information, data, systems and/or technology?
a. Yes
b. No
c. I do not know

9. Does your DOD component have the resources to develop private Cloud solutions?
a. Yes
b. No
c. I do not know

10. As an IA/INFOSEC/CYBERSEC/CND professional, do you have the training, tools and resources you need to maintain confidentiality, integrity, availability and non-repudiation of data, information, systems and technology within the Cloud?
a. Yes
b. No
c. I do not know
d. N/A (not an IA professional)

11. Do you have an understanding of Cloud technology, including implementation options?
a. Yes
b. No

12. Are you aware of existing DOD components with secure Cloud solutions? (e.g. Forge.mil, etc.)
a. Yes
b. No

13. Could you list some of your DOD component's unclassified requirements for a secure Cloud solution? (open-ended comment box)

14. Could you list any unclassified Cloud solutions underway and what DOD components are involved? (open-ended comment box)

Appendix D: Summary Survey Responses

Figure D-1: Question 1 summary results

Figure D-2: Question 2 summary results

Figure D-3: Question 3 DOD component summary results

Figure D-4: Question 4 primary role summary results

Figure D-5: Questions 5 and 6 DIACAP and Cloud understanding summary results

Figure D-6: Questions 7 and 8 DOD Cloud and INFOSEC needs summary results

Figure D-7: Questions 9 and 10 resources summary results

Figure D-8: Questions 11 and 12 Cloud awareness summary results

Figure D-9: Question 13 UNCLASS cloud requirements feedback

Figure D-10: Question 14 UNCLASS existing cloud solution awareness feedback

Appendix E: DOD Cloud exposure by Demographics

Figure E-1: Cross tab analysis of Cloud understanding and DOD primary association

Figure E-2: Cross tab analysis of cloud understanding and DOD components

Figure E-3: Cross tab analysis of primary duty and cloud understanding

Appendix F: Project Gantt Chart
