Secure Cloud Computing Architecture (SCCA)
Susan Casson, PM, SCCA
December 12, 2017
UNITED IN SERVICE TO OUR NATION
Unclassified DoD Commercial Cloud Deployment Approach

[Architecture diagram; labels recovered from the slide:]
- On Premise (Level 1-5 Cloud Providers): Cyber Command C2 Operations, OMS, IBM, CMSG, Big Data Analytics
- Internet-based User -> Internet Access Points (Boundary Protection for Internet Traffic) -> Internet
- Off Premise, Level 2 Approved Vendors: AWS East/West, Salesforce
- NIPR-based User -> Internal Cloud Access Points -> Joint Regional Security Stacks -> Secure Cloud Computing Architecture (SCCA)
- DISN with Global Content Delivery System (Commercial Caching)
- Cloud Access Points: Boundary Protection for Impact Level 4 & 5
- Meet-Me Point: Central Location for DoD and Cloud Connections
- Off Premise, Level 4/5 Approved Vendors: Azure, Salesforce GovCloud, O365, AWS, Oracle
- Legend: DoD Controlled Environment; Commercial Controlled Environment with DoD Oversight
Secure Cloud Computing Architecture (SCCA): Session Objectives

- Define the SCCA portfolio and the requirements to obtain services
- Outline how SCCA can enable cloud migration
- Connect attendees with technical and functional DISA experts
- Collect attendee feedback to influence future roadmap priorities

Connect: Access DoD approved Level 4/5 cloud services
Secure: Extend application- and data-level security services to cloud environments
Manage: Consume custom analytics and intelligence data along with host-based security and access control capabilities
Capability Overview

- Cloud Access Points: Provide connectivity to approved cloud providers and protect the DISN from cloud-originating attacks
- Virtual Data Center Security Stack: Virtual network enclave security to protect applications and data
- Virtual Data Center Managed Services: Application host security, including HBSS/ACAS, patching, configuration, and management
- Trusted Cloud Credential Manager: Cloud credential manager for Role Based Access Control (RBAC) and least-privileged access
Cloud Management Roles and Responsibilities

DISA Cloud Connection Approval Onboarding Checklist
- Infrastructure: Approved cloud vendor; System Network Approval Process (SNAP) Registration; Internet Protocol Registration
- Software: Cybersecurity Service Provider; Authority to Operate

[Shared responsibility stack diagram; layers recovered from the slide, top to bottom:]
- DISA or Mission Partner Managed: Applications, Data, Runtime, Middleware
- Shared Management: O/S, Virtualization
- Cloud Service Provider Managed: Servers, Storage, Networking
Cloud Access Points: Accessibility Versus Application Security

SCCA Boundary CAP (BCAP)
- Supports IaaS and SaaS clouds
- Protects DoD networks from cloud-originated attacks
- Scales up to 10G capacity per site
- Strategically located
- Included in the DISN subscription rate

BCAPs do not:
- Break and inspect
- Provide application-level security
Cloud Security and Managed Services

VDSS
- Traditional network security features for public-facing web applications
- Next Generation Firewall for protecting cloud-hosted workloads
- Components: Web Application Firewall; Next Generation Firewall

VDMS
- Cloud-connected management and security tools
- Cloud privileged user access and account management
- Central search and display of CAP and cloud logs via Splunk
- Components: HBSS; ACAS; Operating System Patching; Recursive DNS Caching; Cloud Visibility
Boundary CAP (BCAP) 1.0 Overview

[Architecture diagram; label recovered from the slide: Level 4/5 Approved Vendors]
VDSS and VDMS

[Architecture diagram; labels recovered from the slide: CSP; VDSS; VDMS Core; VDMS Extension (shown for each CSP)]
Our Evolution of Cloud Security Does Not End With SCCA

- Leaner and faster
- Templates, tools, and integration points
- Hybrid security solutions

Focus areas: Optimization; Migration; Security Automation