Terremark Cloud Services Pass DOD Security Test - InformationWeek
Cloud // Infrastructure as a Service
06:37 PM
Connect Directly
[Dark Reading Crash Course] Finding & Fixing Application Security Vulnerabilitie
Sep 14, 2017
Hear from a top applications security expert as he discusses key practices for scanning and securi ...Read More>>

Terremark Cloud Services Pass DOD Security Test

After a stringent review, two Terremark infrastructure-as-a-service data centers deemed secure enough for Defense Department operations.

The Department of Defense has given its stringent DOD Information Assurance Certification and Accreditation Process (DIACAP) security rating to a cloud service provider, Terremark, for two infrastructure-as-a-service locations. The rating hasn't been given so far to Amazon Web Services or other IaaS providers.

Terremark, prior to its acquisition by Verizon earlier this year, was an independent IaaS provider with data centers built to meet federal agency requirements. DIACAP imposes a tough review on the physical and digital security measures in place in a facility seeking to run DOD systems.

The Terremark sites receiving the designation were its Culpepper, Va., data center 60 miles outside Washington, D.C., and its 750,000 square foot Miami data center known as its Network Access Point of the Americas. Both sites are locations where Terremark built data centers with the intent of offering extra secure services oriented toward federal agencies, in the form of its Enterprise Cloud: Federal Edition.

Terremark received the certification along with its partner, URS-Apptis, which has supported the successful migration and deployment of federal agency systems onto Terremark infrastructure in the past, said Terremark spokesmen in an email interview.

[Want to see advanced security measures at a non-Terremark site? See Harris Adds Security To Multi-Tenant Clouds.]

The only other supplier of outsourced services with the DIACAP designation is colocation service supplier Equinix, with partner Carpathia Hosting. Unlike IaaS, where the service supplier owns the facility and equipment, the system owner installs its own equipment at a colocation supplier. Until now, infrastructure as a service--with the IaaS supplier owning the equipment--has been viewed as too much of a security risk to be given the DIACAP rating.

One reason the rating has been previously withheld is because the Department of Defense, Department of Energy, U.S. National Labs, and other federal agencies come under frequent probing and attack by unknown parties seeking an opening into their systems. Despite multiple defenses, the Pacific Northwest National Laboratories was breached in early July and shut down over the July 4 weekend after its staff discovered that an intruder's agent already inside was receiving directions from the outside.

The DIACAP standard amounts to a stringent set of requirements that the security level of running systems is well known, well monitored, and well maintained. It sets standards for physical protection of running systems as well. At the NAP of the Americas in Miami, a trained and armed security staff is available in a command center 24-hours a day, according to the Terremark website.

The DIACAP rating applies to a "federal-only cloud platform" in the Miami and Culpepper centers, said Jamie Dos Santos, president and CEO of the Terremark Federal Group, in a Sept. 29 announcement.

"This certification helps to assure our current and prospective government customers that the cloud infrastructure ... meets the high standard for security set by the DOD," he added.

Amazon and Verizon have both had their IaaS audited and certified as being able to support Payment Card Industry compliance if used for executing credit card transactions. PCI auditors were able to ratify environments making use of virtualized hosts after the rules and guidance set by the PCI Council were changed at the start of 2011. Before then, it couldn't be certified as compliant, even though it may have met PCI standards in operation.

Harris Corp. earlier this year opened a highly secure Cyber Integration Center, a 140,000-square-foot facility in Harrisonburg, Va. It meets FISMA, HIPAA, and PCI standards as well as NIST 800-53 high impact, SAS70 Type 2, and ISO 27001 standards.

In other words, when it's designed to do so, IaaS can perform at a comparable security and compliance level as many enterprise data centers. With IaaS operation, however, the software and network connection provided by the customer remain a second area subject to review and compliance before the whole operation can be deemed secure.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
2017 State of IT Report
In today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll