Terremark Cloud Services Pass DOD Security Test

The Department of Defense has given its stringent DOD Information Assurance Certification and Accreditation Process (DIACAP) security rating to a cloud service provider, Terremark, for two infrastructure-as-a-service locations. The rating hasn't been given so far to Amazon Web Services or other IaaS providers.

Terremark, prior to its acquisition by Verizon earlier this year, was an independent IaaS provider with data centers built to meet federal agency requirements. DIACAP imposes a tough review on the physical and digital security measures in place in a facility seeking to run DOD systems.

The Terremark sites receiving the designation were its Culpepper, Va., data center 60 miles outside Washington, D.C., and its 750,000 square foot Miami data center known as its Network Access Point of the Americas. Both sites are locations where Terremark built data centers with the intent of offering extra secure services oriented toward federal agencies, in the form of its Enterprise Cloud: Federal Edition.

Terremark received the certification along with its partner, URS-Apptis, which has supported the successful migration and deployment of federal agency systems onto Terremark infrastructure in the past, said Terremark spokesmen in an email interview.

[Want to see advanced security measures at a non-Terremark site? See Harris Adds Security To Multi-Tenant Clouds.]

The only other supplier of outsourced services with the DIACAP designation is colocation service supplier Equinix, with partner Carpathia Hosting. Unlike IaaS, where the service supplier owns the facility and equipment, the system owner installs its own equipment at a colocation supplier. Until now, infrastructure as a service--with the IaaS supplier owning the equipment--has been viewed as too much of a security risk to be given the DIACAP rating.

One reason the rating has been previously withheld is because the Department of Defense, Department of Energy, U.S. National Labs, and other federal agencies come under frequent probing and attack by unknown parties seeking an opening into their systems. Despite multiple defenses, the Pacific Northwest National Laboratories was breached in early July and shut down over the July 4 weekend after its staff discovered that an intruder's agent already inside was receiving directions from the outside.

The DIACAP standard amounts to a stringent set of requirements that the security level of running systems is well known, well monitored, and well maintained. It sets standards for physical protection of running systems as well. At the NAP of the Americas in Miami, a trained and armed security staff is available in a command center 24-hours a day, according to the Terremark website.

The DIACAP rating applies to a "federal-only cloud platform" in the Miami and Culpepper centers, said Jamie Dos Santos, president and CEO of the Terremark Federal Group, in a Sept. 29 announcement.

"This certification helps to assure our current and prospective government customers that the cloud infrastructure ... meets the high standard for security set by the DOD," he added.

Amazon and Verizon have both had their IaaS audited and certified as being able to support Payment Card Industry compliance if used for executing credit card transactions. PCI auditors were able to ratify environments making use of virtualized hosts after the rules and guidance set by the PCI Council were changed at the start of 2011. Before then, it couldn't be certified as compliant, even though it may have met PCI standards in operation.

Harris Corp. earlier this year opened a highly secure Cyber Integration Center, a 140,000-square-foot facility in Harrisonburg, Va. It meets FISMA, HIPAA, and PCI standards as well as NIST 800-53 high impact, SAS70 Type 2, and ISO 27001 standards.

In other words, when it's designed to do so, IaaS can perform at a comparable security and compliance level as many enterprise data centers. With IaaS operation, however, the software and network connection provided by the customer remain a second area subject to review and compliance before the whole operation can be deemed secure.