The chief technology officer of the CIA isn’t overly concerned about securing the spy agency’s data in the cloud.
In fact, Gus Hunt said cloud computing may be more secure than the typical client-server approach to technology.
And Hunt wasn’t alone Tuesday in promoting the security of cloud computing and in telling an audience dominated by federal employees to overcome their cyber fears.
“The advantage of elasticity turns the entirety of your security into a giant shell game,” said Hunt during the Amazon Web Services conference in Washington. “The ability to reimage — either when workloads scale up or down — or to reimage periodically — with the intent to completely wipe and restart a complete machine with something that is guaranteed out of your vaulted set of images — allows you to have very high confidence you are not had and you are not hooked. You basically turn yourself into a polymorphic surface to which the attack guy has a much tougher time getting at. That, ultimately, is the real key advantage to drive security and make things much better for us across the board.”
Hunt said the CIA is not yet using this approach, but it will in the near future. The spy agency plans on moving unclassified data to the public cloud and putting its classified data on a private, government-only cloud in the coming year.
Hunt said the government-only cloud could be a managed-service provider set up with cleared vendors running the instance.
Build once, use often
He said the goal with cloud security is build once and use many times.
“Security-as-a-service is all about building security once and reusing it everywhere as opposed to what we’ve done in the past, which is every application we ever built, built its own security into it,” Hunt said. “It’s about making sure we are secure end-to-end and bringing things to bear like encryption so we can protect our data, our information and our systems across the board.”
Hunt isn’t alone in believing the cloud can be more secure than what agencies are using now.
Khawaja Shams, the senior solutions architect at NASA’s Jet Propulsion Lab, said cloud security means trusting a third party, which is something agencies do every day whether it’s Microsoft or Cisco or Oracle.
“One of the things we learned when we started talking to Amazon early on about cloud computing was there’s a separation of concern,” Shams said. “It’s important to understand the separation of concern because it helps us focus on where our responsibilities are.”
He said Amazon is responsible for everything up to the hypervisor or virtual machine manager.
“They have to ensure there isn’t any cross-hypervisor attacks and they have to ensure only packets routed for my virtual machines are given to me and I’m not able to snoop on other people’s data,” Shams said. “Everything above the hypervisor — the operation system, the file system, the applications — that’s my responsibility and it’s the organization’s IT security team’s responsibility to ensure the apps we are deploying on these machines are actually secure.”
Shams said JPL also is using hardened virtual Amazon machines that turn off any unnecessary services, encrypt file systems and use system logs to track data in and data out. All of that information goes back to the agency to have close to real-time situational awareness, especially of the most sensitive mission data, such as the Mars Rover program.
“We are literally virtually extending our data center into Amazon’s data center by using technologies like the virtual private cloud,” he said. “Any data that is exchanged between JPL and Amazon in the VPC is encrypted over the IPSec tunnel so that means no one on the Internet can see the transactions happening between JPL and Amazon.”
Along with working with the agency’s cloud vendor to ensure security requirements are implemented, federal experts also said creating an interagency team is just as important. The team should include acquisition, legal, program and other stakeholders to cover all the challenges upfront.
“The relationship between the CIO and the mission owners is very helpful,” Shams said. “It gives the CIO an opportunity to understand mission needs.”
Shawn Kingsberry, the CIO of the Recovery Accountability and Transparency Board, said when his office developed Recovery.gov, they brought in the all the key people, including the chief financial officer, the chairman and others to address challenges up front and continually throughout the process of moving to the cloud.
New policies to secure the cloud
Agencies also are changing policy and standards to meet the needs of security in the cloud. The Defense Department is moving from a product-focused security standard to a risk-based standard.
And at the General Services Administration, technology managers are using one-time tokens to secure access to their email-as-a-service in the cloud.
Casey Coleman, GSA’s CIO, said her office spent a lot of time researching the best way to ensure employees have secure access to their email, calendar and contacts through Google’s Gmail.
“It’s a similar concept to that RSA token that has a rotating set of random numbers that you enter,” she said. “In this case, it’s on request based on your need to get to your email environment from a device that is not a government furnished laptop or BlackBerry. You can set up in advance your personal email, your voicemail or you can have an SMS Text sent to your Blackberry or your smartphone. And with that you can use that one time-use token along with your username and password to log in and create a user session in your email environment.”
Coleman added that the token provides anywhere access to the same functions users would have if they were in the office.
“We spent a lot of time looking at different alternatives and to strike the right balance between security and accessibility and giving people the full ability to take advantage of this full platform in a way that didn’t unduly hinder them, but still make sure we were secure,” she said.
Shams, Hunt and others said there are things about the cloud environment that help make security easier.
Shams said with a single data call, agencies using the cloud can get an inventory of all the servers running, all the internet ports that are allowing traffic to flow through them and other information to give chief information security officers better cyber situational awareness.
“It’s not the cloud that is inherently insecure and it’s not your local data center that’s inherently more secure. It’s what you do with it,” he said. “You really have to identify the set up capabilities that are available and new operations paradigm, and learn to live in those new operations paradigm. And as you learn to do that, you’ll learn in many ways cloud computing can actually offer you a more secure solution.”