milCloud 2.0 Data Migration Highlights the Need for Cloud Security Best Practices

From IC Insider Thales Trusted Cyber Technologies

By Gina Scinta, Deputy CTO, Thales Trusted Cyber Technologies

The Defense Information Systems Agency (DISA) is ending its hybrid cloud service program milCloud 2.0 this summer, leaving agencies currently using the platform scrambling to find ways to migrate from milCloud to another service – while also maintaining security of their data in the process.

DISA is allowing the current contract with General Dynamics IT to expire after its current term in June 2022. The milCloud 2.0 program had been intended to be a commercial cloud infrastructure service, providing on- and off-premise options to the Department of Defense.

According to one federal news outlet quoting a DISA spokesperson, DISA’s Hosting and Compute Center (HaCC) “will aggressively work with our industry and mission partners to migrate customers to commercial cloud or another viable environment prior to the sunset date.”

In practical terms, all milCloud 2.0 users will be required to migrate their data to either a commercial cloud or other environment before the contract ends.

What has gone somewhat unaddressed in the news are the security implications connected with the use of commercial clouds by federal agencies. Both 2021’s Executive Order 14028 and the recent National Security Memo on Improving Cybersecurity of National Security, Department of Defense and Intelligence Community Systems prominently emphasize the need for cloud security.

When moving to the cloud, security is almost always the number one topic of conversation. Despite this, cloud security is often an afterthought when migrating workloads to the cloud. Agencies should keep the following cloud security best practices in mind during the data migration process.

Security is a Shared Responsibility

The importance of shared security responsibility was underscored by the Cloud Security Alliance in its latest Security Guidance v4.0. The functional definition of “shared responsibility” is an understanding of the dividing line between Cloud Solution Providers (CSPs) and data owners. CSPs are responsible for securing the infrastructure that runs their cloud services. Data owners, on the other hand, are responsible for protecting the confidentiality, integrity, and availability of their data in the cloud.

This means that data owners need to properly do their part in securing data by owning—and proving they own—their data, from inception to deletion. Data owners—not their cloud provider—must protect their sensitive data by deploying a cloud security ecosystem where data and cryptographic keys are secured and managed, and access is controlled.

To that end, there are several cloud security best practices that federal agencies must follow to ensure that their data is properly protected in cloud environments. Those best practices include:

  • Data owners need to directly manage, if not own, their encryption to ensure that their data is protected as it is stored in and moves to and from the cloud.
  • Data owners must own and control the generation and administration of the cryptographic keys that encrypt their data in the cloud.
  • Data owners need to ensure that only validated and authorized users can access sensitive data in the cloud.

Depending on the sensitivity level of the data stored in the cloud, agencies may choose to deploy only some (if not all) of these best practices. However, managing data security across multiple clouds with different cloud storage options quickly gets complex.

Consequently, data owners need cloud-independent security solutions that can be applied across private, hybrid, public, and multi-cloud environments. The most effective solutions allow users to manage their security when working in different environments, across different platforms, and with multiple cloud providers.

Native Encryption vs. Bring Your Own Key (BYOK) vs. Bring Your Own Encryption (BYOE)

There are various options when it comes to deploying encryption to protect data in the cloud. Generally speaking, there are two main drivers for encryption in the cloud—compliance and security.

For less sensitive data where checking the compliance box is the main driver for encryption, data owners may choose to take the “easy” route and deploy the CSP’s native encryption and key management services. The upside of native encryption is that it is easy to use and addresses many compliance requirements. The downside is the data owner’s lack of control—the CSP has full control of the encryption of its customers’ data. Native encryption is often very rigid and limits the portability of data in multi-cloud environments. For example, native-encrypted data must be decrypted before it’s moved in the clear from one cloud to another and then re-encrypted in the new environment. This is not only administratively taxing but leaves data vulnerable in its decrypted state.

Although native encryption can provide adequate protection for some data, it is a less desirable choice for sensitive data. When data security is the main driver for encryption in the cloud, data owners should deploy BYOK or BYOE—this gives data owners true control of their security. BYOK allows data owners to leverage native cloud encryption while retaining ownership and control of the cryptographic keys used to encrypt and decrypt data. BYOE gives data owners the most control over their data. With BYOE, users can choose what type of encryption solution is deployed, decide what data is encrypted, determine who has access to the data, and deploy a customer-owned key management system.

Bring Your Own Key

For cloud deployments where security is less critical, agencies may choose to rely on a CSP’s native encryption and deploy BYOK services. Leveraging BYOK enables users to separate key management from cloud provider-controlled services. This is a crucial aspect of the separation of duties and control.

There are a number of factors to look for when selecting a key management service and platform. To simplify key management across on-premises and multi-cloud deployments, control should be centralized. Ideally, this key management solution would combine support for cloud providers’ Bring Your Own Key APIs with cloud key management automation, key usage logging, and reporting. Cloud key management services should provide strong controls over the lifecycle of every encryption key used for data encrypted by cloud services, which helps address internal and industry data protection mandates.

BYOK deployment in any cloud should be completely separated from cloud provider access. Keys should not only be managed in the cloud in which the solution is deployed, but in any other reachable, supported cloud.

Bring Your Own Encryption

For the highest level of data security in the cloud, users should deploy BYOE with centralized key management in their cloud environments. Multi-cloud BYOE tools ensure that data is quickly secured and complies with all security guidelines. BYOE enables users to migrate data between cloud environments and on-premises servers without the time and cost associated with decryption.

Through BYOE, data owners can choose what type of encryption they want to deploy—whether it’s transparent encryption for unstructured data at the file/folder level, or encryption at the database or application level.

BYOE also enables granular access control policies. Such policies must include privileged-user access control, so that data owners can control who can see specific data, through what process, and at which specified times.

BYOE solutions must be able to be monitored, with access to log files, to accelerate threat detection. The ideal solution would integrate security logs with popular Security Information and Event Management (SIEM) tools.

As with BYOK, centralized key management is the foundation of BYOE for managing the cryptographic key lifecycle. The aforementioned BYOK principles should be applied to BYOE deployments.

In the rush to move data from milCloud to other service providers, it might be easy to give short shrift to the security of data – both at rest and in motion. By following the best practices and recommendations provided here, agencies can be assured of securing their data throughout the migration process, and after.

In the rush to move data to public clouds—whether spurred on by the milCloud data migration or digital transformation initiatives—security must not be an afterthought. Mandates such as EO 14028 and the National Security Memo on Cyber now specifically call out cloud security requirements. Whether you leverage native encryption, BYOK, and/or BYOE, at the end of the day it’s all about protecting and controlling access to your data and cryptographic keys.

About Thales TCT

Thales Trusted Cyber Technologies, a business area of Thales Defense & Security, Inc., protects the most vital data from the core to the cloud to the field. We serve as a trusted, U.S. based source for cyber security solutions for the U.S. Federal Government. Our solutions enable agencies to deploy a holistic data protection ecosystem where data and cryptographic keys are secured and managed, and access and distribution are controlled.

For more information, visit

About IC Insiders

IC Insiders is a special sponsored feature that provides deep-dive analysis, interviews with IC leaders, perspective from industry experts, and more. Learn how your company can become an IC Insider.