Curious about how a Secure Cloud Computing Architecture (SCCA) can help your business work smarter? 

Ensuring secure application and system deployments in a cloud environment for the Department of Defense (DOD) can be a difficult task. However, the Defense Information Systems Agency (DISA) provides guidance in the form of the Secure Cloud Computing Architecture (SCCA). The SCCA serves as a framework to ensure “Mission Owner” cloud deployments safely work with other DOD systems. This post will answer your questions about what SCCA is, what it is not, and the importance of developing within the SCCA model.

What SCCA Is

At its core, SCCA is the customer side of a shared security model. It is designed to protect your data and systems from attack and to protect the DOD Information Network (DODIN) from your systems. The shared security model means that the cloud service provider (CSP) is responsible for managing the security of the cloud itself. As the customer, you are responsible for securing applications and systems which you will deploy within your enclave. The SCCA is comprised of an architectural approach to standards-based security and management services.

The actual components of the SCCA are meant to provide the same level of security as your physical data center. An SCCA is required for all Impact Level 4 and 5 data, as defined in the DOD’s Cloud Computing Security Requirements Guide, that will be hosted by a CSP. This includes data flow, ports and protocols, administrative access levels, and cloud architecture. The three main components of the SCCA include:

  • The Cloud Access Point (CAP) is the physical connection between the DODIN or the Non-Secure Internet Protocol Router Network and the CSP. Its two main functions are to provide a dedicated physical connection to the CSP and to protect the DODIN from any attack which originates from within the cloud.
  • The Virtual Data Center Security Stack (VDSS) contains the logical security services such as load balancers, Next-Generation Firewalls (NGFW), Web Application Firewalls (WAF), network routing, and firewall rules.
  • In the Virtual Data Center Managed Services (VDMS), you will find the software security services such as intrusion prevention and detection services, identity management services, domain services, endpoint protection services, a DMZ, bastion hosts, Online Certificate Status Protocol (OCSP) services, directory services, security and access policy enforcement, and application access rules.

 

Additionally, a subcomponent of the SCCA is the Trusted Cloud Credential Manager (TCCM); this is currently provided by the CSP.

What SCCA Is Not

It is important to remember that the SCCA is a set of services, not a tangible asset like a firewall. Implementing DISA’s SCCA is not free. You pay for the compute time and the underlying products of the SCCA. The SCCA is not a push-button solution. Adhering to the SCCA requirements requires some cloud expertise to help design, architect, and work with your cybersecurity service provider (CSSP). This is important to ensure compliance with their standards before you begin work.        

Why You Need SCCA

The use of the SCCA enables mission owners to better control costs. You can spread the operating cost across all of your systems deployed in the CSP. You gain the ability to control your IT spending based on your needs. You are not spending extra for every additional requirement designed to support future growth. If you need capacity, add it; if you no longer need a system resource, spin it down. Mission owner projects gain efficiencies and realize real cost savings by reducing the time spent in the implementation and authorization phases.

The CSP provides your organization with modern tools, systems, and application programming interfaces (APIs). This allows you to effectively manage your resources from virtually anywhere. This delivers greater efficiencies, especially during the implementation and operation phase of projects. Instead of waiting for approval from dozens of stakeholders, your IT staff can address more pressing business challenges. These operational benefits are further enhanced by an easier ability to deploy applications thanks to the SCCA.

One of the biggest advantages for federal customers moving to the cloud is the ability to streamline the Authorization to Operate (ATO) process. Each mission owner inherits the controls of the CSP and the SCCA. The application teams can focus on the security of their application as they will deploy it in a predetermined architecture. This architecture features the underlying services and security protections required to move through the ATO process.  

Your system admins are assured that the systems being deployed will comply with standards every time. You can begin to move from checkbox compliance to a true defense-in-depth posture in days, not months. Your SCCA provides the continuous monitoring required by the Risk Management Framework (RMF). This allows cybersecurity to be “baked in” to each application deployment and system.

The benefits of developing an SCCA come in three main areas: cost savings through a standard security model, internal operational efficiencies, and improved Authorization to Operate speed. To learn more about how AEM can help your organization take advantage of these benefits, check out our managed services work here. Please also contact our team with your comments and questions.
