Agencies overcoming cloud security fears

Wednesday - 10/19/2011, 6:04am EDT

Jason Miller, executive editor, Federal News Radio

Download mp3

The chief technology officer of the CIA isn't overly concerned about securing the spy agency's data in the cloud.

In fact, Gus Hunt said cloud computing may be more secure than the typical client-server approach to technology.

And Hunt wasn't alone Tuesday in promoting the security of cloud computing and in telling an audience dominated by federal employees to overcome their cyber fears.

"The advantage of elasticity turns the entirety of your security into a giant shell game," said Hunt during the Amazon Web Services conference in Washington. "The ability to reimage — either when workloads scale up or down — or to reimage periodically — with the intent to completely wipe and restart a complete machine with something that is guaranteed out of your vaulted set of images — allows you to have very high confidence you are not had and you are not hooked. You basically turn yourself into a polymorphic surface to which the attack guy has a much tougher time getting at. That, ultimately, is the real key advantage to drive security and make things much better for us across the board."

Hunt said the CIA is not yet using this approach, but it will in the near future. The spy agency plans on moving unclassified data to the public cloud and putting its classified data on a private, government-only cloud in the coming year.

Hunt said the government-only cloud could be a managed-service provider set up with cleared vendors running the instance.

Build once, use often

He said the goal with cloud security is build once and use many times.

"Security-as-a-service is all about building security once and reusing it everywhere as opposed to what we've done in the past, which is every application we ever built, built its own security into it," Hunt said. "It's about making sure we are secure end-to-end and bringing things to bear like encryption so we can protect our data, our information and our systems across the board."

Hunt isn't alone in believing the cloud can be more secure than what agencies are using now.

Khawaja Shams, the senior solutions architect at NASA's Jet Propulsion Lab, said cloud security means trusting a third party, which is something agencies do every day whether it's Microsoft or Cisco or Oracle.

"One of the things we learned when we started talking to Amazon early on about cloud computing was there's a separation of concern," Shams said. "It's important to understand the separation of concern because it helps us focus on where our responsibilities are."

He said Amazon is responsible for everything up to the hypervisor or virtual machine manager.

"They have to ensure there isn't any cross-hypervisor attacks and they have to ensure only packets routed for my virtual machines are given to me and I'm not able to snoop on other people's data," Shams said. "Everything above the hypervisor — the operation system, the file system, the applications — that's my responsibility and it's the organization's IT security team's responsibility to ensure the apps we are deploying on these machines are actually secure."

Shams said JPL also is using hardened virtual Amazon machines that turn off any unnecessary services, encrypt file systems and use system logs to track data in and data out. All of that information goes back to the agency to have close to real-time situational awareness, especially of the most sensitive mission data, such as the Mars Rover program.

"We are literally virtually extending our data center into Amazon's data center by using technologies like the virtual private cloud," he said. "Any data that is exchanged between JPL and Amazon in the VPC is encrypted over the IPSec tunnel so that means no one on the Internet can see the transactions happening between JPL and Amazon."

Along with working with the agency's cloud vendor to ensure security requirements are implemented, federal experts also said creating an interagency team is just as important. The team should include acquisition, legal, program and other stakeholders to cover all the challenges upfront.

"The relationship between the CIO and the mission owners is very helpful," Shams said. "It gives the CIO an opportunity to understand mission needs."

Shawn Kingsberry, the CIO of the Recovery Accountability and Transparency Board, said when his office developed Recovery.gov, they brought in the all the key people, including the chief financial officer, the chairman and others to address challenges up front and continually throughout the process of moving to the cloud.