Cloud computing adoption within the Defense Department will require establishment of clear security mandates, says a report from a Defense Science Board task force.
The report (.pdf), dated January 2013, says the mandates that the DoD chief information officer and the Defense Information Systems Agency could establish include aspects of trusted computing such as hypervisor attestation to assure that the hypervisor hasn't been corrupted, cryptographic sealing and "strong virtual machine isolation."
Data at rest should be stored in encrypted form with keys protected using a hardware attestation "such as a trusted platform module" and data in transit should likewise be encrypted with hardware-attested keys, the report says.
The task force also recommends that the DoD CIO and DISA establish standard service level agreements for both private- and public-cloud computing, and that the DoD CIO establish a central repository to document the cloud computing transition. The repository should contain enough data to improve understanding of systems costs before, during and after a switch to cloud computing, as well as best practices and metrics.
The task force also calls on the under secretary of defense for acquisition, technology & logistics and the DoD CIO to establish a lean, rapid acquisition approach for cloud computing hardware and software and other information technology.
The two co-chairs of the task force were Eric Evans, director of the MIT Lincoln Laboratory, and Robert Grossman, a University of Chicago professor and partner of the Open Data Group.
- download the report, "Cyber Security and Reliability in a Digital Cloud" (.pdf)