Relevant links are at the bottom of this post.
The Defense Department’s information technology arm has unveiled a guide for IT shops in the defense and military space planning a move to the cloud.
Released by the Defense Information Systems Agency, the guide is aimed at DOD “mission owners” wanting to migrate an existing information system from a physical environment to a virtualized cloud environment. The framework is based on real-world cloud pilot efforts within DOD.
The contents are not official DOD policies, security requirement guides or security technical implement guides, but rather “a collection of best practices discovered during the DOD [chief information officer] cloud pilots effort for the benefit of the DOD community.”
While somewhat technical, the best practices guide is worth a read. It contains a short intro to the cloud, impact-level requirements, a breakdown of available cloud services and a detailed section dedicated to understanding shared security responsibility within the cloud – vital reading considering the recent data breach headlines.
A portion of the document also details how to achieve high availability (i.e. limited downtime) and the importance of the risk management framework, which recently became DOD’s default model for information security.
Finally, there’s also a “useful tips/lessons learned” section that highlights common problems cloud mission owners will run into, including what instance types to deploy, how to deploy a Web front-end server and how to estimate bandwidth usage.
The latter is important because, as the document points out, estimated bandwidth usage-based billing “can be difficult,” and it’s better to overestimate than underestimate it.