Software Engineering Institute

Cloud computing is the delivery of capabilities, such as applications for analytics and decision support, and infrastructure—such as servers, storage, or networking—over the Internet by cloud service providers (CSPs) who manage those capabilities and infrastructure for the users who access them.

As organizations seek more business or mission agility, moving to the cloud is an IT strategy that provides higher flexibility, and, possibly, lower operating costs. The transition to the cloud, however, is not always easy.

To achieve the benefits of cloud computing, organizations must make careful architecture tradeoffs to decide which CSP-provided services to use based on quality attributes such as portability, cost considerations, and time to field. Systems using cloud computing also need high automation of deployment, testing, and operational monitoring, which drives the architecture approach. CSPs deliver services in a pay-per-use cost model, so application architecture approaches that work well in a data center environment might not result in the lower operating costs that organizations seek when moving to the cloud.

Security and resilience are significant concerns in cloud computing because organizations deploying software to the cloud share responsibility for cloud operating and system management with the CSP. Organizations with special security needs, such as those connected to the Department of Defense (DoD), must work closely with their CSP to make sure their requirements are met. Doing so requires a good understanding of cloud technology, analysis of potential threats for the systems that will use the cloud capabilities to establish sufficient requirements, vetting a CSP's policies, and negotiating an agreement that will ensure your organization's security policies and planned system usage requirements are met.

Cloud computing technologies intersect with several other research areas at the SEI. For example, cloud technology can help first responders, disaster-relief workers, and soldiers run the resource-intensive computing they need to ensure mission success at the network edge. And it provides computational, networking, and storage capacity to enable the advancement of big data technologies. The SEI also researches cybersecurity integration in early lifecycle activities such as requirements development and mitigations to the cybersecurity risks of cloud computing's third-party tools and storage.

Secure and Reliable Cloud Computing

The SEI is working to help the DoD, as well as other organizations and government agencies, modernize their systems with cloud technology. To do so, we identify the threats and vulnerabilities involved in migrating to the cloud, and we develop practices to help organizations make the transition to the cloud as secure as possible.

Ensuring your organization's security in the cloud involves managing a wide range of issues, from technical details to commercial, financial, legal, and compliance risks. Organizations must establish meaningful service level agreements (SLAs) with their CSP, and they must monitor the CSP's security performance. Doing so is often difficult because CSPs are sometimes not completely transparent. Our work with cloud computing has resulted in process- and data-driven approaches that help organizations work through these significant challenges through attention to both architecture and processes and establish more transparency between themselves and their CSPs.

Cloud computing is evolving quickly in both technology and governance. The DoD's mission of active cyber defense is driving an emphasis on continuous monitoring to allow for continuous authorization. Third-party tools complicate these activities. The DoD has issued new guidance that provides direction to those supporting cloud-based systems. This guidance reflects the increased concern for cybersecurity risk in cloud computing, including guidance on how computing systems should be acquired, tested, and supported. The SEI has studied the challenges that cloud computing brings to the DoD along with the capabilities that it enables. To meet these challenges, the SEI developed a roadmap for operational test and evaluation to support DoD adoption of cloud-based systems.