Applying U.S. Military Cybersecurity Policies to Cloud Architectures
Naval Postgraduate School Monterey United States
Pagination or Media Count:
The Department of Defense DoD has accelerated its adoption of cloud technologies, which come with inherent risks. This thesis investigated four important cybersecurity issues that the DoD must address customer misconfigurations, data leaks, complications in security controls, and necessary changes to digital forensic incident-response tactics. We examined current U.S. policy documents and found a number of issues that need to be clarified for contracting with cloud service providers. Human misunderstandings largely drive cloud misconfigurations, which eventually become cloud data spills that require a digital forensic incident-response. To prevent misconfigurations, it is essential that DoD staff receive continual in-depth cloud training and that the DoD redefines the roles for virtualized cloud architectures. Fortunately, the selection of the cloud service model can highlight which cloud layers the DoD is responsible for, and therefore which security controls to implement. Federal cloud computing policy, DoD FedRAMP, specifies the security controls needed based on the sensitivity of the data. However, once a cyber-incident is declared, digital forensics analysts confront a myriad of cloud-specific technological, legal, and boundary challenges. The security vulnerabilities must be considered during a transformational migration from on-premises architectures to cloud technologies. This thesis offers recommendations to address these vexing cybersecurity issues.
- Computer Systems Management and Standards