What is the Secure Cloud Computing Architecture?

The Defense Information Systems Agency’s (DISA) Secure Cloud Computing Architecture (SCCA) is a set of services that provides the same level of security the agency’s mission partners typically receive when hosted in one of the DISA’s physical data centers.

All Impact Level 4 and 5 data, as defined in the Department of Defense’s Cloud Computing Security Requirements Guide, hosted in commercial cloud environments must use the Cloud Access Point component of the SCCA to connect to the Defense Information Systems Network (DISN).

Impact Level 4 and 5 data and must also be secured according to criteria defined in the SRG. A suite of services that meet the defined security requirements are provided as part of the SCCA, but may also be acquired from other service providers.

“DISA recognized early on the absence of shared security services would be an inhibitor to cloud adoption, so we built the Secure Cloud Computing Architecture with a focus on providing those key security services so you could meet your authority to operate requirements when moving into the cloud,” said John Hale, DISA’s cloud portfolio manager.

SCCA has four components: Cloud Access Points (CAP), a Virtual Data Center Security Stack (VDSS), Virtual Data Center Managed Services (VDMS), and a Trusted Cloud Credential Manager (TCCM).

The CAP is included in the DISN rate, which means there is no direct charge to end users.

“VDSS and VDMS are optional services, meaning you can come to DISA and you can use our services or you can bring your own,” said Susan Casson, the SCCA program manager, during the DISA Customer Engagement Forum last month.

TCCM is currently being offered as part of VDMS.

Each component plays a unique role in securing the network, applications, and user access in the cloud environment.

Cloud Access Points (CAP)

“The CAP is what connects the DISN or the Non-Secure Internet Protocol Router Network (NIPRNet) to the cloud environment,” said Casson.

The CAP has two major functions: to provide mission partners with dedicated connectivity to approved Level 4 and 5 commercial cloud providers, and to protect the DISN from any attack that originates from the cloud environment.

“It is not to protect the cloud service provider itself – their infrastructure or applications,” she said. “It also does not protect mission partner applications that sit in the cloud environment. That’s what the Virtual Data Center Security Stack is for.”

Virtual Data Center Security Stack (VDSS)

VDSS serves as the virtual security enclave protecting applications and data hosted in commercial environments. It includes two core services: Web Application Firewall (WAF) and Next Generation Firewall.

Together, VDSS’s WAF and Next Generation Firewall detect and prevent threats facing web applications and workloads.

“If you imagine a traditional data center security stack, VDSS was created to mimic those same capabilities, just in a virtual fashion,” said Casson.

Virtual Data Center Managed Services (VDMS)

Management, security, and privileged user access are all handled within VDMS.

Five services fall within VDMS, including the Host-Based Security System and Assured Compliance Assessment Solution. They enable mission partners to configure and deliver security policies, push upgrades, and manage roles and security policies.

“VDMS is where your management workflow path is hosted, and one feature our mission partners have requested is operating system patching. We included cloud-based instances of DOD patch repositories, which is a key value proposition for our mission partners,” said Casson.

Trusted Cloud Credential Manager (TCCM)

TCCM can be likened to a virtual system administrator, Casson said. It is not a separate hardware or software, and is currently being offered as part of VDMS.

“TCCM includes the processes and procedures to control and monitor privileged user access for cloud environments. We provide the checks and balances for mission partners to grant access only to appropriate groups or individuals,” said Casson.

Learn More

Learn more about SCCA and all of DISA’s cloud offerings at the 2018 DISA Cloud Symposium, which will be held May 15-16 at the Baltimore Convention Center in Baltimore, Maryland.

DISA subject matter experts will join early cloud adopters from across the Defense Department in information sessions that address public and private cloud capabilities and reveal best-practice adoption approaches.

There is no cost to participate. All attendees must pre-register.

Visit DISA.mil for additional information.