When U.S. CIO Vivek Kundra last year unveiled his plan for federal IT reform, cloud computing took a prominent place on the agenda. Obama’s cloud crusader promoted cloud computing as a fix for government waste and as a method to spur innovation, not just in science and technology, but in every industry and at a tempo never before experienced.
Other top government leaders were equally extolling the cloud: General Services Administration CIO Casey Coleman declared she was a “big cloud proponent.” And Andrew McLaughlin, former White House deputy chief technology officer, said cloud computing is one of the most important transformations the federal government will go through in the next decade.
The public sector was clearly onboard with adopting the cloud. The message came through (c)loud and clear: There was no time to waste.
But on the industry side, especially among security experts, the enthusiasm seemed much more dampened.
In Cloud We Trust?
A January 2011 survey sponsored by CA Technologies polling more than 400 senior-level executives revealed that while cloud computing has been widely embraced by industry and government, many IT managers have reservations about moving data to the cloud.
Former National Security Agency Technical Director Brian Snow told security professionals at last year’s RSA Conference he did not trust cloud services. While cloud infrastructure delivers services customers can access securely, its collaborative nature could leave it vulnerable to attacks from other users, giving new meaning to the specter of the insider threat.
Even Kundra acknowledged qualms about going to the cloud. Testifying on the pros and cons, the federal CIO highlighted the No. 1 concern among cloud naysayers: trust.
“To realize the full benefits of the digital revolution, the American people must have confidence that sensitive information is not compromised, their communications with the government are secure, their privacy and civil liberties are protected and that the federal infrastructure is not compromised,” he said.
Industry could not agree more.
“Everything in the cloud centers on trust,” said Tiffany Jones, director of Public Sector Strategy and Programs at Symantec.
“So, the question becomes: How can cybersecurity professionals build an environment in which government customers have trust in both the security and availability of their critical information?”
James Leach, VP of development for Harris Corporation’s Cyber Integrated Solutions, echoed Jones’ sentiments about the cloud’s trust issues and said the bigger obstacle to overcome is being able to trust that IT systems are operating according to the specifications that have been defined.
“The biggest challenge is that in many cases, those specifications are defined for you, and you must be able to demonstrate that you are compliant,” he said.
Another challenge is the sharing of cloud resources, said Steve Hawkins, vice president of Information Security Solutions at Raytheon. When used across multiple missions with data at various security or privacy levels, it requires more vigilance to protect and separate that data.
“This has to be accomplished by extensive use of encryption, key management and robust authentication and identity management,” he added. “All of this must also be implemented within the cloud architecture in a way to ensure both multilevel security and accomplish mission timeline performance.”
But, for defense and intelligence contractors, it may be even more crucial to address and evaluate the risks of data breaches and cyber attacks before pursuing cloud solutions, said Bob Dix, vice president of U.S. government affairs and critical infrastructure protection at Juniper Networks.
Recent reports estimate more than 11 million Americans fell prey to identity thieves in 2009, at a reported cost of more than $54 billion, he explained.
“This does not include espionage, extortion or even more serious threats to our national and economic security — such as can easily arise if any kind of sensitive agency data is extended into the cloud,” Dix added.
“I think the most difficult challenge to solve is tracking movement of that data,” he said. “Cloud computing is about storing data virtually and being able to have it accessed in multiple locations. So, how do you track that data of where it’s being stored, how it’s being load balanced across the world? And [that raises] some very difficult, complex issues.”
Going from physical to data security will certainly present a new challenge for security professionals, especially CIOs tasked with privacy, security and governance, said Zal Azmi, senior vice president of the Cyber Solutions Group at CACI International.
“As a CIO within an organization, you have control over those three environments because it’s your infrastructure, your people, your data, your governance process,” he said. “Once you go to a public or a hybrid cloud, you have to share those responsibilities with the others because these are multitenant clouds.”
Changing Threat Landscape
In March 2010, the Cloud Security Alliance identified hacking, insecure application programming interfaces and malicious insiders as the top threats facing cloud computing. However, Hawkins pointed out that threats evolve to what is effective — today, it is the Advanced Persistent Threat, but tomorrow it could be something completely different.
However, one of the biggest issues remains the insider threat, a malicious party operating inside the network, or simply a user unintentionally violating policy, creating a vulnerability, he added.
As organizations consolidate applications, data and other resources within a few large and virtualized data centers, they increase the risk of a single-system breach, said Tim LeMaster, director of systems engineering at Juniper Networks, because virtualized servers typically house multiple applications and components.
“In a cloud environment, it’s critical to secure data throughout the entire value chain,” he said. “This means end-to-end security for all data, at rest and in transit, within and between virtualized servers and data centers.”
The centrality of data in the cloud also poses serious security implications. With distributed environments, as in physical data centers, data is not in just one location. But, as that data is moved back to the cloud, a lot of it may become centralized in very specific locations, possibly opening up an array of security risks, Carpenter said.
“[I]f you break into one cloud, think about the data you have versus if you break into one data center,” he noted. “And denial-of-service attacks become easier if all your eggs are in one basket.”
Attackers will create rootkits and backdoors and leverage social engineering, as well as find access points into the cloud — whether from a desktop posing as someone coming in to access, modify, exfiltrate or destroy the data, or by a brute force denial-of-service attack against that cloud, Carpenter said.
The good news is that technologies exist to detect and reduce unauthorized network access, Leach said.
“The bad news is that these technologies and processes can be costly to acquire, maintain and operate,” he added. “The result is that business and government organizations must view the cloud as a risk-management equation to determine how much they can justify investing in security solutions.”
The cloud’s multitenant characteristics highlight the issue of supply-chain security, Azmi said.
“We don’t really know where the hardware and software were built before being brought into the cloud, especially if it’s a public cloud,” he said. “In the cloud, you have tons of computers, so it’s difficult to know the pedigree of every one of those motherboards to make sure they are all secure. Supply-chain security thus becomes a major issue.”
Certification is key, especially when considering data encryption and anonymization, said John Lewington, vice president of defense and federal cybersecurity operations of BAE Systems’ Intelligence and Security sector. Security professionals should look for providers with strong security certifications such as ISO 27001 and FISMA, or consider using a hosted private cloud, he said.
“Cybersecurity professionals also need to define up front their organization’s requirement on protecting digital identities and credentials, and how they will be used in cloud applications,” he added.
By 2020, most technology experts and stakeholders expect people will “live mostly in the cloud,” working primarily via web-based applications accessed through networked devices, according to a 2010 Pew Internet survey on cloud computing and its future.
“[Cloud computing] may be one of the biggest IT waves to hit business and government organizations in the last 20 years,” Leach said. He predicted the surge will bring a need for a new breed of cyber integration services that migrate elements of existing IT architectures to the cloud and then integrate those elements into a seamless, end-to-end system.
For government contractors, that influx will present new opportunities and provide additional markets to explore. For most federal agencies, though, the transition to the cloud will not be a clean break, but a gradual movement of applications, services and supporting infrastructure, Jones said.
Demand for end-point security and backup solutions will grow exponentially with cloud adoption, she said. Once installed, end-point security software must be continually updated with virus and spam definitions, as well as other preventative security features.
“Likewise, backup is an excellent fit for the cloud’s flexibility and scalability,” Jones said. “In addition, we anticipate data loss prevention and identity protection to be integral to the evolving cloud environment.”
Dix said he sees cloud security evolving “steadily, but carefully.” As federal agencies and network managers become more aware of the benefits and risks posed by cloud computing, they will approach the application of cloud solutions where they make the most sense, he said.
But the cloud evolution will also require more from the keepers of the cloud. CIOs should adapt accordingly to the new environment with new responsibilities and a redefined role. Many of the aspects CIOs are responsible for under the 1996 Clinger-Cohen Act are no longer relevant when working in the new domain, Azmi said.
“Now, [CIOs] have to work with the cloud services provider, unless they’re dealing with a private cloud,” he added. “We really need to be cognizant of how the CIOs will operate and what will be their roles and responsibilities, as well as the roles and responsibilities of the agencies and the service providers.”
With the forthcoming release of the Federal Risk and Authorization Management Program — the federal cybersecurity guidelines established for the cloud — public-sector CIOs will understand better how to adhere to the common security standards. But will the guidelines be enough from a security standpoint?
“To be truly effective,” Jones said, “FedRAMP must clarify which types of applications are most suitable for the cloud, and how best to define trust relationships.” Also, government customers would benefit from additional guidance by industry partners on extending FISMA compliance to the cloud, she added, and on setting availability, disaster recovery and storage management requirements with cloud vendors.
Hawkins added FedRAMP “ends the mystery of what standards are best for agencies to procure cloud services,” speeding up acquisitions and providing guidance to new users as they seek to move beyond cloud-based email services and start employing hosted applications and data storage.
“In a way, we saw the same effect with apps.gov,” he said. “Time will tell if that process proves to be effective from a security standpoint.”