The cloud, a generic term for a wide range of hosted data systems, is hot.
Rarely does a shift in information technology, a realm largely left to technical experts working behind the scenes, become the subject of congressional debates, legislation and speeches from high-profile Pentagon officials.
The allure of the cloud, an architecture that could cut costs, improve security and allow greater data integration, all in an environment of fiscal austerity, is strong.
But experts say that in the rush to realize those potential advantages, insufficient thought is being given to the security risks.
“I think there’s such a rush to the cloud, that we’re overlooking a lot of details,” said Jeff Moulton, a researcher at the Georgia Tech Research Institute. “The devil’s in the details.”
Some of the very assumptions that have been the building blocks of cloud advocacy may be incorrect, most notably the assertion that the cloud will improve security.
Yet, even with the issues facing the basic structure of cloud computing, what scares experts most is the recent push toward the use of commercial cloud providers, a cost-effective move that gives the Defense Department even less control over how its data is handled.
“You’re never going to get the visibility you need negotiated into a contract somehow, because the commercial provider would never want the customer to have that level of scrutiny into their internal operations,” said Richard Bejtlich, chief security officer at the cyber incident response firm Mandiant. “It would just be way too disruptive.”
Pentagon spokesmen did not respond to multiple requests for comment on the experts’ concerns.
The argument in favor of private cloud systems rests on three assertions about how the architecture could improve DoD systems:
The cloud is more secure than less consolidated data systems.
The cloud will require fewer talented cyber experts to protect.
The cloud can save the department large sums of money through fewer hardware requirements and more efficient operation.
The third argument, that the cloud would save money, is widely recognized and accepted by experts, although the magnitude is disputed. The other two, however, are the subject of heated debate.
“There are specific vulnerabilities associated with cloud architecture that, as far as I can tell, have not been fully and adequately addressed,” said Moulton, who previously served in the U.S. Air Force doing special operations communications.
The simplest and most frequently cited argument against the assertion that the cloud is more secure is the risk of centralization. DoD networks are still largely fragmented, which can make information sharing difficult. But that fragmentation means no individual breach would compromise the larger data mass.
“When there is no centralized control of all those systems, there is no central place to [get] access to everything else,” Bejtlich said. “Is it better to have everyone decide how to deploy their systems independently, or is it better to have one super-image that we believe contains the best security posture?
“With the former, the bad guy who gets onto the system or is trying to get onto the system doesn’t necessarily know what the victim is running. With the latter, he knows exactly what they’re running, and he can tailor his research efforts to that.”
The complaint about the fragmented approach has been that maintaining decent security at each individual outpost was both expensive and difficult. By consolidating systems, DoD could be more confident that its systems are properly designed.
But with a consolidated cloud architecture, even if the perimeter protection is better, a single successful intrusion exposes far more: once an attacker is in, the loss is much worse.
“You’re putting all of your eggs in the same basket,” Moulton said.
Because of that concentrated risk, the exterior defenses and network monitoring need to be even better to guard a more valuable system, which probably means employing about as many experts as are spread across the separate networks now, Moulton said. And because expertise in cloud architecture is scarce, building and protecting cloud systems could be far more expensive than has been predicted, he said.
“There’s the rush to this, and everyone thinks they’re going to save so much money and manpower,” he said. “I don’t agree with that broad assumption.”
Still, some of the assumptions that the experts questioned have gained enough traction to appear on Capitol Hill as well, with the added complication of including the commercial marketplace.
The 2012 National Defense Authorization Act included instructions that DoD develop a strategy that would allow the “migration of defense data and government-provided services from department-owned and operated data centers to cloud computing services generally available within the private sector that provide a better capability at a lower cost with the same or greater degree of security,” a recent DoD report noted.
The use of private clouds, controlled by DoD, faces largely technical problems surrounding the implementation of effective security measures. Commercial cloud offerings face the added issue of trust.
“You have to have a ton of trust because you’re basically turning over your crown jewels to a service provider that may not be in business next week,” Moulton said.
To make matters worse, the security requirements for commercial cloud providers have been “extremely watered down,” said Tom Conway, director of federal business development at McAfee.
McAfee has also found that attacks on commercial cloud systems are growing, particularly in the area of criminal activity surrounding banking. In a recently released report about an effort the company called Operation High Roller, McAfee found evidence of increasingly sophisticated efforts to access banking data stored remotely.
Attacks such as those found by Operation High Roller are an indication of things to come, Conway said.
“Everything that happens in commercial eventually seems to make its way into the government space,” he said.
Attacks on the cloud are following an arc similar to those targeting Apple computer systems. For decades, enthusiasts insisted that Apple products were immune to viruses, and many users skipped adequate security measures on the strength of that assumption.
In reality, experts say, the systems were attacked less often not because they were impervious but because Apple owners made up a very small share of computer users. As a simple economic argument, writing malware for a Mac wasn't as cost-effective as writing it for the much larger PC market. But as Apple computers grew in popularity, the economics shifted.
In recent years, a slew of attacks have targeted Apple products, including the Flashback Trojan that infected more than half a million systems. The lack of security awareness among users likely makes the rise in attacks even more dangerous.
For the same reasons, experts said, few organized attacks have been noted against cloud systems. The logic remains that, while cloud adoption is small and important data is still stored locally, the economics do not yet favor attacking the cloud. The absence of past attacks is likely creating a false sense of security, they said. But as bank data moves to cloud systems, McAfee's research shows that attackers adapt.
And not only are such attacks likely to make their way into the government space, the use of commercial providers by DoD is also likely to catch on. In its cloud computing strategy released in July, DoD Chief Information Officer Teresa Takai cited the use of commercial services as a major component of the updated strategy.
“The DoD Cloud Computing Strategy has been expanded to address the use of commercial cloud services in the department’s multi-provider enterprise cloud environment,” she wrote in a letter included in the report.
The report itself emphasizes the use of commercial providers.
“The department will leverage commercially offered cloud services that offer the same or a greater level of protection necessary for DoD mission and information assets,” it said.
While the move to the cloud may cause problems, the interim period, in which a hybrid of cloud and local systems is in use, could be even worse, Conway said.
“I’m worried about the interim,” he said. “Right now, as bad as it is, at least it’s sort of understood how bad it is. We’re not really sure what cloud is going to be, and in between, we’re going to have a hybrid environment for an extended period of time where we’re going to the worst of both worlds.”