Cloud computing is the delivery of capabilities, such as applications for analytics and decision support, and infrastructure—such as servers, storage, or networking—over the Internet by cloud service providers (CSPs) who manage those capabilities and infrastructure for the users who access them.
As organizations seek more business or mission agility, moving to the cloud is an IT strategy that provides higher flexibility, and, possibly, lower operating costs. The transition to the cloud, however, is not always easy.
To achieve the benefits of cloud computing, organizations must make careful architecture tradeoffs to decide which CSP-provided services to use based on quality attributes such as portability, cost considerations, and time to field. Systems using cloud computing also need high automation of deployment, testing, and operational monitoring, which drives the architecture approach. CSPs deliver services in a pay-per-use cost model, so application architecture approaches that work well in a data center environment might not result in the lower operating costs that organizations seek when moving to the cloud.
Security and resilience are significant concerns in cloud computing because organizations deploying software to the cloud share responsibility for cloud operating and system management with the CSP. Organizations with special security needs, such as those connected to the Department of Defense (DoD), must work closely with their CSP to make sure their requirements are met. Doing so requires a good understanding of cloud technology, analysis of potential threats for the systems that will use the cloud capabilities to establish sufficient requirements, vetting a CSP's policies, and negotiating an agreement that will ensure your organization's security policies and planned system usage requirements are met.
Cloud computing technologies intersect with several other research areas at the SEI. For example, cloud technology can help first responders, disaster-relief workers, and soldiers run the resource-intensive computing they need to ensure mission success at the network edge. And it provides computational, networking, and storage capacity to enable the advancement of big data technologies. The SEI also researches cybersecurity integration in early lifecycle activities such as requirements development and mitigations to the cybersecurity risks of cloud computing's third-party tools and storage.
The level of change needed to establish appropriate operational and cybersecurity management for cloud and cloud-like environments is too great for individual programs to handle in an ad hoc manner.
Carol Woody SEI Principal Researcher
Secure and Reliable Cloud Computing
The SEI is working to help the DoD, as well as other organizations and government agencies, modernize their systems with cloud technology. To do so, we identify the threats and vulnerabilities involved in migrating to the cloud, and we develop practices to help organizations make the transition to the cloud as secure as possible.
Ensuring your organization's security in the cloud involves managing a wide range of issues, from technical details to commercial, financial, legal, and compliance risks. Organizations must establish meaningful service level agreements (SLAs) with their CSP, and they must monitor the CSP's security performance. Doing so is often difficult because CSPs are sometimes not completely transparent. Our work with cloud computing has resulted in process- and data-driven approaches that help organizations work through these significant challenges through attention to both architecture and processes and establish more transparency between themselves and their CSPs.
Cloud computing is evolving quickly in both technology and governance. The DoD's mission of active cyber defense is driving an emphasis on continuous monitoring to allow for continuous authorization. Third-party tools complicate these activities. The DoD has issued new guidance that provides direction to those supporting cloud-based systems. This guidance reflects the increased concern for cybersecurity risk in cloud computing, including guidance on how computing systems should be acquired, tested, and supported. The SEI has studied the challenges that cloud computing brings to the DoD along with the capabilities that it enables. To meet these challenges, the SEI developed a roadmap for operational test and evaluation to support DoD adoption of cloud-based systems.
What We Offer
Best Practices for Security in Cloud Computing
Don Faatz and Tim Morrow, researchers with the SEI's CERT Division, outline best practices that organizations should use to address the vulnerabilities and risks in moving applications and data to cloud services.
Risks, Threats, and Vulnerabilities in Moving to the Cloud
Tim Morrow and Donald Faatz outline the risks, threats, and vulnerabilities that organizations face when moving applications or data to the cloud.
Three Federal Government/DoD Cloud Transition Issues and How to Prevent Them
This webcast addressed a few of the causes for cloud transition issues, as well as identified some practices that will assist organizations as they plan to transition assets and capabilities to the cloud.
Tactical Cloudlets: Moving Cloud Computing to the Edge
This webinar presents the tactical cloudlet concept and experimentation results for five different cloudlet provisioning mechanisms.
The Latest from the SEI Blog
Mothra: Network Situational Awareness at Scale
January 16, 2023 • Blog Post
This SEI Blog introduces the SEI's Mothra tool, summarizes our recent research on improvements to Mothra designed to handle large-scale environments, and describes research aimed at demonstrating Mothra’s effectiveness at “cloud scale” in the Amazon Web Services (AWS) GovCloud...read
A Method for Assessing Cloud Adoption Risks
May 09, 2022 • Blog Post
The move to a cloud environment provides significant benefits. Realizing these benefits, however, requires organizations to manage associated organizational and technical risks...read
Our Vision for the Future of Cloud Computing
As most new systems move to the cloud, it will become the default service model. The problems that the DoD and industry face will shift from how to do cloud adoption and cloud migration to how to understand the cloud as the new operational and development environment. The growing deployment of Internet of Things devices to support missions, ranging from enterprise to the tactical edge, will continue pushing what is known as the cloud-to-edge continuum. Establishing trust along this continuum is an area of SEI interest and research.
To stay up to date on the future of cloud computing, subscribe to our blog or contact us.