Following recent breaches, exposures and losses of data, the Department of Defense is looking to improve the security of its cloud providers as they prepare to deliver the department's first enterprise-wide cloud environment.
Moving to the cloud is a top IT modernization priority for the Pentagon as a global organization. But vulnerabilities exist, and the DOD is trying to mitigate them.
“We have found several instances on the unclass [unclassified networks] where errors in the hypervisor management side of different vendors have led to IP addresses being exposed to the public for a period of time,” Dave McKeown, chief information security officer and deputy chief information officer for cybersecurity at DOD, said at the Billington Cybersecurity Summit on Tuesday. “Of course, the bad guys don’t wait. They are constantly scanning networks, looking for a door that they can go in and rummage around. We lost some data as a result of that.”
The Joint Warfighting Cloud Capability (JWCC) was awarded in December, and is the Pentagon’s highly anticipated $9 billion enterprise cloud effort that replaced the maligned Joint Enterprise Defense Infrastructure (JEDI) program. Google, Oracle, Amazon Web Services and Microsoft were all awarded under the contract and will each compete for task orders.
McKeown didn’t offer specifics regarding security incidents. However, one recent example involved emails containing sensitive personnel data that were exposed publicly.
McKeown noted that the DOD is looking at creative ways to work with these vendors to secure their offerings, which, while purpose-built for the Pentagon and not identical to the vendors' commercial offerings, remain exposed to malicious actors on the internet.
The department had to look at the governance process and work with the providers on improving security, he added.
“How can we help you defend your cloud that you built for us? In all cases, those JWCC clouds are custom-built gov clouds, so they’re not the traditional commercial clouds. But still, they’re visible from the internet, they’re attackable from the internet. So, we partnered with them to understand better how we can help defend,” he said. “One of the things that we looked at initially was maybe we can use our tools to scan that IP space where your management network, your hypervisor resides. We got agreement, we’re starting to do that.”
The Pentagon’s main organization responsible for defending the network, Joint Force Headquarters-DOD Information Network (JFHQ-DODIN), will receive a full report of the vulnerable open ports and protocols and work directly with the providers to remediate them, according to McKeown.
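As an added illustration of the scan-and-report step described above (this is not DOD, JFHQ-DODIN or JWCC tooling, and it is not from the original article), the script below triages nmap grepable (-oG) output for a hypothetical management range. The management CIDR, the list of management-plane ports and the scan lines are all constructed assumptions. Any open port on a management address is reported, since that range should not be internet-reachable at all; known hypervisor and remote-administration ports are marked critical.

```python
"""Triage an external port scan of a cloud management range.

Added illustration, not DOD/JWCC tooling. Input is nmap grepable (-oG)
output; the sample lines and the management CIDR below are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Ports that should never be reachable from the internet on a hypervisor or
# management network. Assumed list for illustration; tune per environment.
MANAGEMENT_PORTS = {
    22: "ssh",
    23: "telnet",
    623: "ipmi",
    902: "vmware-esxi",
    3389: "rdp",
    5900: "vnc",
    5985: "winrm-http",
    5986: "winrm-https",
    8006: "proxmox-web",
}

# Constructed sample in nmap -oG format: two hosts inside an assumed management
# range 203.0.113.0/24 (a documentation range), one host outside it.
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 902/open/tcp//vmware-auth///\tIgnored State: filtered (997)
Host: 203.0.113.11 ()\tPorts: 443/open/tcp//https///, 623/open/udp//ipmi///
Host: 198.51.100.5 ()\tPorts: 80/open/tcp//http///, 3389/open/tcp//ms-wbt-server///
# Nmap done
"""

# Host line with a Ports: field; the ports list ends at a tab or end of line.
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Ports:\s+(.*?)(?:\t|$)")


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    proto: str
    service: str
    severity: str  # "critical" (known management port) or "review"


def parse_grepable(text):
    """Yield (host, port, proto, state, service) from nmap -oG Ports: lines."""
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        host, ports = m.group(1), m.group(2)
        for entry in ports.split(","):
            # -oG entry layout: port/state/proto/owner/service/rpc/version/
            fields = entry.strip().split("/")
            if len(fields) < 5:
                continue
            yield host, int(fields[0]), fields[2], fields[1], fields[4]


def exposed_management_services(text, mgmt_cidr):
    """Return a Finding for every open port on a host inside mgmt_cidr.

    Known management-plane ports are 'critical'; any other open port on a
    management address is 'review', because the whole range is supposed to
    be unreachable from the internet.
    """
    net = ipaddress.ip_network(mgmt_cidr)
    findings = []
    for host, port, proto, state, service in parse_grepable(text):
        if state != "open" or ipaddress.ip_address(host) not in net:
            continue
        severity = "critical" if port in MANAGEMENT_PORTS else "review"
        findings.append(Finding(host, port, proto, service, severity))
    return findings


def report(findings):
    """Render findings as tab-separated lines for the provider to action."""
    rows = []
    for f in findings:
        label = MANAGEMENT_PORTS.get(f.port, "unexpected open port in management range")
        rows.append(f"{f.severity.upper()}\t{f.host}\t{f.port}/{f.proto}\t{f.service}\t{label}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(report(exposed_management_services(SAMPLE_SCAN, "203.0.113.0/24")))
```

In practice the input would be the output of the scanner run against the provider's published management and hypervisor IP space, and the report would be the artifact handed to the provider for remediation; hosts outside the agreed range are deliberately ignored so a mistyped CIDR cannot generate findings against the wrong tenant.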