DoD eyes trust-but-verify approach to commercial cloud security

April 12, 2016 By David

Grazed from FederalNewsRadio. Author: Jared Serbu.

The Defense Department is taking a serious look at overhauling its process for accrediting commercial cloud computing products as secure enough for military use. Among the ideas DoD is considering: changing its security approach so that much more weight is given to the security techniques a company uses, rather than to whether one of its particular cloud offerings checks all of the security boxes in a fairly static government document.

Within the next several weeks, the Pentagon will announce a working group of DoD and industry security experts charged with improving the existing security and accreditation process for commercial cloud, the latest version of which was published in an updated security requirements guide (SRG) last month. “I think we have reached the point where we can no longer accredit specific hardware or software, we’ve got to accredit the process,” said DoD Chief Information Officer Terry Halvorsen…

“Today, if you’re fielding a cloud environment, companies like Microsoft and Amazon and Google make changes to their clouds and improve their security almost nightly. Our current process can’t sustain that. We’ve got to look at security and accreditation on a process basis, and at a certain point, maybe even vendor-by-vendor, where we would say, ‘Hey, your security process for these specific areas is good, we like it, we’re going to keep evaluating you on a yearly basis, but otherwise we’re going to accept your tools as you develop them.’ If we don’t do something like that, we can’t keep pace, and we can’t be agile.”…

Read more from the source @ http://federalnewsradio.com/dod-reporters-notebook-jared-serbu/2016/04/dod-eyes-trust-verify-approach-commercial-cloud-security/