How Secure is the DoD JEDI Cloud?
The JEDI (Joint Enterprise Defense Infrastructure) is an enterprise level, commercial Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) solution to support Department of Defense (DoD) business and mission operations. The Pentagon’s JEDI cloud will be designed to store the government’s most sensitive classified information, including nuclear secrets. The JEDI Cloud groundwork is a zero trust security framework, and with good reason.
WHY ZERO TRUST?
Data breaches still remain the greatest threat to cloud security, costing the average enterprise $1.41mn per breach, a recent report by cybersecurity firm Kaspersky found. That figure rose by almost $200,000 between 2018 and 2019, IT security budgets now average $18.9mn (compared to $8.9mn the previous year) and Kaspersky predicts that global IT spending in 2019 will reach $3.74trn by the end of the year.
When a company’s cloud servers are breached, millions of people can lose their data, companies can lose billions of dollars - some never recover. The consequences of a data breach somewhere like the Pentagon, however, could be even more devastating.
Zero trust refers to the narrowing of cyber-defenses from wide network perimeters to micro-perimeters around individual or small groups of resources. In moving to the cloud, DoD is assuming it’s a hostile environment.
WHAT DOES JEDI CLOUD ENTAIL?
As a result, JEDI is a project that will see the DoD move around 80% of its data off-premises and, while it claims that the $10bn figure only represents about one fifth of its cloud investment, critics of the contract have written that keeping so much sensitive government information in a single cloud could create further security risks.
Although separate branches of the military and intelligence communities had been cutting their own cloud deals for years, the new contract outlines a unified IT approach for the entire Department of Defense, including classified and unclassified operations. The Defense Department’s JEDI cloud will be designed to host the government’s most sensitive classified data, including critical nuclear weapon design information and other nuclear secrets.
JEDI represents a massive jump in size and scale with Defense officials describing it as a “global fabric” available to warfighters in almost any environment, from F-35s to war zones. The JEDI Cloud contract is a critical first step toward an enterprise cloud solution that enables data-driven decision making and allows DoD to take full advantage of applications and data resources.
JEDI CLOUD CLASSIFICATION AND SECURITY LEVELS
The DoD cloud initiative will address critical and urgent unmet war-fighter requirements for modern cloud infrastructure at all three classification levels delivered out to the tactical edge. JEDI cloud services will be offered at all classification levels with military and defense determining which applications and data will be migrated to the cloud.
Contractors must be able to obtain the full range of top secret government security clearances, including Department of Energy “Q” and “L” clearances necessary to view restricted nuclear data.
Both full-time and part-time active duty military members and defense contractors with privileged access to a DoD information system are required by DoD Directive 8570 certification requirements to carry an approved certification for their particular job classification. The certifications involved in this directive focus on digital security, but no necessarily cloud-based security.
CLOUD CERTIFICATIONS FOR WORKING ON JEDI CLOUD
While there are no specific directives indicating required certifications for working on or with the defense department's JEDI Cloud program, the DoD Directive 8570 certification requirements are a good baseline to start.
With Microsoft winning the JEDI Cloud contract, the future may hold a move towards understanding Microsoft Cloud based security based on job roles. Microsoft currently has Role Based Certifications that show mastery of Microsoft cloud products such as Azure, Dynamics 365, Modern Desktop, and Microsoft 365. The Azure roles with certifications are Administrator, AI Engineer, Data Scientist, Developer, Data Engineer, Security Engineer, Solutions Architect, and DevOps Engineer.
It is safe to say that Microsoft cloud certifications will be a smart move for anyone planning to engage with the new DoD cloud. NHDoD offers Azure training and bootcamp training for individual or group certification. If acquiring training using the GSA government procurement process, subsidy is available.