While there is widespread agreement among U.S. defense and intelligence officials regarding the cost benefits, there is disagreement about whether a cloud system can be secure enough to handle the nation’s most sensitive information. A lack of common understanding of cloud computing and how it is deployed and used may contribute to these concerns.
Trust takes time. In the 1990s, the Internet and World Wide Web offered radical improvements in the way we do business. Information could be shared between individuals and businesses in seconds, versus days or even weeks for delivery. Despite those advantages, it took many years to adopt this new technology into our daily lives. While email could deliver documents quickly, there were concerns about who would see it and what path it would take to be delivered. Over time, security models emerged and the Internet gradually began to be used for more sensitive applications. Today, everything from shopping to banking to some of our most private information is shared across the Internet. In fact, the U.S. government moves sensitive intelligence and defense information around the globe using the same Internet Protocol and fiber-optic cables as the commercial world, but in closed networks with better security.
So here we are again, addressing security issues raised by the continued evolution of technology. Cloud computing offers the next radical step in the evolution of information technology. With computing resources and applications ubiquitous across the Internet, commercial users no longer need to own or maintain our own computers. Through simple hand-held devices and Web browsers, we have access to the applications and data that we need no matter where we are, without having to be IT professionals. Great efficiencies for cost and performance are gained as service providers share cloud infrastructures instead of having their own dedicated computers and servers. Applications and information are available to us anywhere.
The information technology industry has made tremendous strides toward defining methods to secure public clouds, the kind used by consumers, and private clouds, the kind used by large corporations and governments.
But while cloud computing is widely adopted today for social media, gaming and Web searches, its acceptance for more sensitive applications and information is happening more slowly. There are concerns over how to control access to information, how to maintain secrecy and ensure that applications are safe. Today, private citizens manage and oversee applications and information on their personal computers, and they think, “As long as no one can access my computer, then the information must be safe.” In the cloud environment, we do not control the computer anymore. Security is turned over to the cloud provider, and in most cases, our information can move randomly from one machine to another anywhere throughout the world.
In 2008, the information technology experts at the market research firm Gartner Inc. identified seven major risk factors in cloud computing, including data-protection risks and the possible lack of forensic data to investigate illegal or inappropriate activity. The next year, the Cloud Security Alliance (CSA) was formed by information technology companies to address these and other risks. In November, CSA released its third and most comprehensive security guidance to date for IT professionals and their customers (available at https://cloudsecurityalliance.org).
Over the past three years, there have been many initiatives to secure the cloud for specific applications. The medical industry, for example, has invested more than $1 billion to secure the cloud for medical records and delivery of medical imagery. The U.S. Army and National Security Agency (NSA) invested in establishing prototype clouds and developing improved software to tag and track data as it is stored and moved around a cloud environment.
In September, NSA publicly released a secure database technology called Accumulo in hopes of further developing it in the public forum as an open-source program and moving the conversation forward on cloud technology. This open-source approach is one way to harness the public’s investment and understanding of cloud computing and eventually bring this technology back into the enterprise after reviewing and certifying the code for government use.
With all of these initiatives occurring, it is clear that risks exist, but also that solutions are being sought and identified. There are ways to use cloud technology in the near term, and a better understanding of cloud computing can help organizations determine how to do so safely.
Cloud computing involves the sharing of computing resources across a network. IT departments or data center providers make a variety of service types available to customers, including access to applications, operating systems or just the computer hardware itself.
Exposing only the computer processing and storage to customers is called “Infrastructure as a Service.” Customers use the computing pool to load and run their own operating system and applications in the cloud versus running and maintaining their own computers. Virtualization and separation software protect applications from intermixing with those of other users. This provides savings for IT organizations because they can share their IT costs with other companies, yet maintain control of their desktops and applications.
Another service provided by a data center is to offer a virtual desktop environment, where customers have access to an operating system such as Microsoft Windows or Linux, as well as other shared middleware software, such as messaging and database software. In this case, customers use this environment solely to load and run their applications, leaving the host operating environment support to the data center. This is referred to as “Platform as a Service.”
Each of these service paradigms comes with its own security risks. The latest CSA security guidance points out that the lowest risk is associated with yet another paradigm, the “Software as a Service” model. In this case, only high-level controlled interfaces are exposed outside the cloud, protecting the underlying infrastructure from potential external threats. While there continue to be concerns regarding intermingling of data and internal threats to applications and data, most IT experts believe the cloud is inherently safer than saving data on desktop computers. Security risks, however, increase as lower-level services are exposed in the cloud, allowing external users into lower levels of control, and providing access to applications and the computers that host them.
The CSA guidance also points out that how a cloud is deployed affects its security as well. Imagine the extreme cases. The most recognizable are public clouds such as those offered by Amazon and Google. In a public cloud, many users share the overall computing resources. Applications, services and data from a variety of customers is hosted within the pool and accessed at the same time. In many cases, services at all three levels are exposed outside of the cloud, including infrastructure, platform and software.
But this is not the only deployment model for a cloud. Small, private clouds can also be constructed. In such a case, the IT department for a small company may deploy its own cloud in the back office to gain efficiencies similar to a large data center. While applications and data within the organization are pooled, they are managed and protected behind the company firewall. Only company users can access the application and data, which is still tightly controlled by the IT department. A community cloud is also defined for cloud computing applications where a set of users gather together to pool their resources yet share a common set of concerns. An example may be a university system that shares a cloud across its campuses. Each campus may use the cloud services in different ways, but they share a common approach for managing the shared resources and share a common policy and protection position for its use.
A hybrid deployment model is another strategy for creating a cloud. In this case, a cloud can be set up that actually consists of multiple, smaller clouds used to support multiple customers. In this model, users access their own cloud services, but the clouds may actually share a common set of infrastructure services. This allows the existence of separated clouds to face customers for security purposes, yet still takes advantage of shared resources within the cloud. Users gain the cost savings of sharing their computing resources, but not necessarily the cost savings associated with sharing software licensing costs and data maintenance.
This hybrid cloud model may offer the best near-term answer to whether cloud technology is right for defense and intelligence applications. A hybrid cloud set up to support multiple intelligence organizations, for example, could share computing resources or platform services. Each organization could then establish a private software cloud environment on the shared infrastructure. Virtualization technology keeps applications and data separated on the same computer hardware, mitigating the risk of intermingling data with that of other organizations. This virtualization approach has been certified by NSA for use with multiple levels of security on the same computer on some programs. This way, the government can take advantage of dramatic cost reductions without waiting for cloud technology to mature. As security measures mature, the multiple clouds can gradually collapse into fewer clouds, creating even more efficiencies for the government.
In some respects, this cloud model is safer than the security posture that exists today where sensitive information is stored on computers and servers at sites around the world. Access to these computers is hard to control given the widespread nature of where the computers are located and the ability to access them at low levels of the application stack over the network. In this hybrid cloud model, data can be stored centrally in highly protected facilities. Users can access the data only through safe application portals maintained within the data center and the limited authorities they are granted for the job at hand.
As organizations look to leverage cloud technologies in the near future, they are realizing that there are no black-and-white answers with regard to security. Rather than wait for all security concerns to be addressed, they may be better served to start taking advantage of the benefits a cloud can provide now through a phased approach to minimize risk. Again, a simple look at the Internet today, with the continual threat of cyber attacks and potential loss of critical information, highlights the fact that security is never finished. Rather, IT professionals who understand the risks that exist can develop a deployment plan and use policies that reflect the current state of the risks and the sensitivity of their data.
As security improves, clouds can evolve from strictly private clouds, to hybrid clouds, to even community and public clouds. When dealing with the government’s most sensitive information, there can exist a road map that allows for early adoption of the cloud technology now, with ever increasing levels of integration over time. As in all things, trust takes time.
Jay E. Mork is senior director for Advanced Programs at General Dynamics Advanced Information Systems.
This article appeared in the January-February issue of C4ISR Journal.