After a stringent review, two Terremark infrastructure-as-a-service data centers deemed secure enough for Defense Department operations.
The Department of Defense has given its stringent DOD Information Assurance Certification and Accreditation Process (DIACAP) security rating to a cloud service provider, Terremark, for two infrastructure-as-a-service locations. The rating hasn't been given so far to Amazon Web Services or other IaaS providers.
Terremark, prior to its acquisition by Verizon earlier this year, was an independent IaaS provider with data centers built to meet federal agency requirements. DIACAP imposes a tough review on the physical and digital security measures in place in a facility seeking to run DOD systems.
The Terremark sites receiving the designation were its Culpepper, Va., data center 60 miles outside Washington, D.C., and its 750,000 square foot Miami data center known as its Network Access Point of the Americas. Both sites are locations where Terremark built data centers with the intent of offering extra secure services oriented toward federal agencies, in the form of its Enterprise Cloud: Federal Edition.
Terremark received the certification along with its partner, URS-Apptis, which has supported the successful migration and deployment of federal agency systems onto Terremark infrastructure in the past, said Terremark spokesmen in an email interview.
The only other supplier of outsourced services with the DIACAP designation is colocation service supplier Equinix, with partner Carpathia Hosting. Unlike IaaS, where the service supplier owns the facility and equipment, the system owner installs its own equipment at a colocation supplier. Until now, infrastructure as a service--with the IaaS supplier owning the equipment--has been viewed as too much of a security risk to be given the DIACAP rating.
One reason the rating has been previously withheld is because the Department of Defense, Department of Energy, U.S. National Labs, and other federal agencies come under frequent probing and attack by unknown parties seeking an opening into their systems. Despite multiple defenses, the Pacific Northwest National Laboratories was breached in early July and shut down over the July 4 weekend after its staff discovered that an intruder's agent already inside was receiving directions from the outside.
The DIACAP standard amounts to a stringent set of requirements that the security level of running systems is well known, well monitored, and well maintained. It sets standards for physical protection of running systems as well. At the NAP of the Americas in Miami, a trained and armed security staff is available in a command center 24-hours a day, according to the Terremark website.
The DIACAP rating applies to a "federal-only cloud platform" in the Miami and Culpepper centers, said Jamie Dos Santos, president and CEO of the Terremark Federal Group, in a Sept. 29 announcement.
"This certification helps to assure our current and prospective government customers that the cloud infrastructure ... meets the high standard for security set by the DOD," he added.
Amazon and Verizon have both had their IaaS audited and certified as being able to support Payment Card Industry compliance if used for executing credit card transactions. PCI auditors were able to ratify environments making use of virtualized hosts after the rules and guidance set by the PCI Council were changed at the start of 2011. Before then, it couldn't be certified as compliant, even though it may have met PCI standards in operation.
Harris Corp. earlier this year opened a highly secure Cyber Integration Center, a 140,000-square-foot facility in Harrisonburg, Va. It meets FISMA, HIPAA, and PCI standards as well as NIST 800-53 high impact, SAS70 Type 2, and ISO 27001 standards.
In other words, when it's designed to do so, IaaS can perform at a comparable security and compliance level as many enterprise data centers. With IaaS operation, however, the software and network connection provided by the customer remain a second area subject to review and compliance before the whole operation can be deemed secure.
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
IT Strategies to Conquer the CloudChances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.