Cloud security and the DoD
Cloud computing has demonstrated huge cost savings and operational efficiency benefits for the private sector and now Department of Defense (DoD) IT managers are exploring the concept for enterprise and tactical applications. However, DoD planners are moving much more cautiously to assure they have plugged all the potential cyber security vulnerabilities inherent in something as nebulous as a virtual cloud.
DoD officials trying to keep the lights on in today’s budget-constrained environment love how cloud computing can reduce data center operating costs, brick-and-mortar expenses, and staff overhead. Storing data virtually rather than on a physical hard drive is very appealing, especially to younger military personnel who have grown up with virtual technology such as the iPhone and iCloud. However, military cloud services, just like military smartphones and tablets, will need to be much more secure.
The National Institute of Standards and Technology (NIST) defines cloud computing as “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
“Back in the 2005 timeframe, Northrop Grumman had hundreds of data centers and consolidated them down to five data centers in 2011,” says Joe Cloyd, Director of Technology, Defense Cyber Security and Enterprise Services at Northrop Grumman (www.northropgrumman.com). “In our next round of consolidation we will go down to three enterprise data centers. The DoD will eventually do this as well, consolidating each respective network, and far down the road possibly rethinking a totally segregated approach to having multiple networks with duplication.”
“Many people initially think a cloud is inherently insecure as it is a single point of failure – the cloud goes and all your data goes with it,” says Todd Moore, Vice President of Product Management at SafeNet (www.safenet.com). “However, responsible cloud providers build in redundancy so when they write data to a cloud, they also write it to a disk at the same time. The virtual environment is encrypted and is also stored on a disk.”
“Securing the cloud is simple, as it is about providing assurance,” says Will Keegan, Technical Director, Software Security at LynuxWorks (www.lynuxworks.com). “Users need to feel comfortable that when they log on remotely, every transaction they make will be secure. The complexities of public ISP cloud systems are too high to assure that data loss or leakages cannot occur. In a public cloud you have to assume all users are adversaries, and we rely on the ISP to protect other customers from stealing my data.”
Transforming “government data centers and applications into cloud computing environments, such as what Northrop Grumman is being asked to do on the Army Private Cloud contract, is often done on-site with security built in from the ground up,” Cloyd says. “This includes the full spectrum of options from enterprise data centers to mobile cloud solutions focused on the tactical edge. We call it ‘cloud transformation,’ which is aiding a customer through various stages of maturity from unstructured chaos to a highly structured approach.”
Mapping to NIST
When it comes to securing the cloud from the ground up, many integrators rely on the cloud computing characteristics and guidelines set forth by NIST. “When we think of the cloud we map everything back to the policies and procedures that the business and government communities pulled together under NIST,” Moore says. NIST defines four deployment models: private, public, community, and hybrid, with public and private the most likely to be adopted by government users. A private cloud is provisioned for the exclusive use of a single organization comprising multiple consumers (for example, business units); it may be owned, managed, and operated by that organization, a third party, or some combination of them, and it may be located on or off premises, according to NIST. A public cloud is provisioned for open use by the general public, exists on the premises of the cloud provider, and may be owned, managed, and operated by a business, academic, or government organization or a combination of them, according to the agency.
“If you want to have a cloud service, there are five essential characteristics you need to check off: on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service,” Cloyd says. “Each of these is fairly straightforward for commercial cloud networks, but when applied to the DoD, each has unique challenges. [For example], self-service is about the provisioning of authorized users or services. One unique risk associated with self-service authorized end users is the role of insider threats. The broad DoD community has millions of users; the Army alone has 1.2 million core users. These are huge numbers and within such a large population insider risk is a real threat. A provider needs to provision its services with proper governance to prevent insider threats. Broad network access is one of the most interesting characteristics from a DoD perspective, as so much of the DoD is focused on rigid, tightly controlled networks such as service-specific portions of NIPRNet and SIPRNet rather than on open network access like the Internet at the other extreme. The key is for services to be available across the entire DoD, and this is largely possible today. The problem is as soon as access is broadened, it increases the attack surface, making the idea of a perimeter and a boundary much more nebulous.”
The Army Knowledge Online (AKO) program “is a great example of a system that exhibits almost every one of the NIST cloud characteristics in that the NIPRNet version supports broad network access from anywhere in the world via the Internet, user accounts and resources are self-provisioned and support elasticity and spikes in usage, the infrastructure allows reallocating virtualized resources within or across its multiple data centers, and the system has been designed to support multitenancy and very detailed usage data for potential chargeback,” Cloyd says. “With checks next to each of those essential characteristics, AKO could be poised as a great example of Software as a Service (SaaS).” SaaS is the capability provided to the consumer to use the provider’s applications running on a cloud infrastructure, according to NIST. Other types of service include Platform as a Service (PaaS), and Infrastructure as a Service (IaaS).
“The DoD will likely set up a cloud for each classification level, as multilevel classification within a single cloud environment is just too much to tackle right now,” Cloyd says. “Down the road, I hope they will move to having multiple classification levels in a cloud, as in the long-term if we do everything right with cloud computing, trusted multitenancy at different classified levels should be within reach.”
Data is key to the kingdom
Secure cloud computing is about more than the network; identity and access management must also be engineered so that each piece of data in a cloud is accessed only by the proper individual. This is roughly akin to needing an ID card and a retina scan to enter a building, and then additional authentication factors to open a particular file drawer.
“So much client focus in the DoD is about the network,” Cloyd says. “However, you cannot just focus on a network-based, umbrella approach to protect systems. Data is the key to the kingdom so you have to protect the application, as well as the traditional network boundaries. Identity and access management at the application level are finally getting the attention that they deserve, but they are not new concepts. With a growing importance on stronger authentication, cloud providers need to increase the number of authentication factors they consider. The typical two-factor authentication approach – typically a Common Access Card (CAC) in DoD – is not enough; they need to add additional factors based on the risk associated with certain data. We are focusing on ‘fine-grained entitlements’ in applications and how to secure everything with a lot of fidelity at the application level and data level. This also includes new approaches and technologies to securing data at rest.”
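The two ideas Cloyd puts together here, a per-object entitlement and a factor requirement that rises with the risk of the data, are easy to show in code. The following Go program is an added illustration for this article, not Northrop Grumman's code or any DoD system; the factor names, sensitivity tiers, the "nipr" and "internet" network labels, and the thresholds for when a second or third factor is demanded are all assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Factor is an authentication factor a session has already verified. The names
// are assumptions for this example, not a DoD or vendor taxonomy.
type Factor string

const (
	FactorCAC       Factor = "cac"       // smart card plus PIN
	FactorOTP       Factor = "otp"       // one-time code from a token
	FactorBiometric Factor = "biometric" // fingerprint, retina, and so on
)

// Sensitivity is a per-object risk tier; higher tiers demand more factors.
type Sensitivity int

const (
	Low Sensitivity = iota
	Moderate
	High
)

// Object is a single data item with its own entitlement list (the fine-grained,
// per-object entitlement Cloyd describes).
type Object struct {
	ID          string
	Sensitivity Sensitivity
	Entitled    map[string]bool // principals allowed to read this object
}

// Session is an identified principal, the factors verified so far, and the
// network the request arrived from ("nipr" or "internet" are assumed labels).
type Session struct {
	Principal string
	Factors   map[Factor]bool
	Network   string
}

// ErrNotEntitled: the principal has no right to the object at all.
var ErrNotEntitled = errors.New("not entitled")

// ErrStepUp: access is permitted in principle once one more factor is verified.
type ErrStepUp struct{ Needed Factor }

func (e ErrStepUp) Error() string { return "step-up required: " + string(e.Needed) }

// RequiredFactors derives the factor set from the object's sensitivity and the
// request's network. CAC is the baseline; a second factor is added for moderate
// data or for any access from the open Internet; a third for high-sensitivity data.
func RequiredFactors(obj Object, network string) []Factor {
	req := []Factor{FactorCAC}
	if obj.Sensitivity >= Moderate || network == "internet" {
		req = append(req, FactorOTP)
	}
	if obj.Sensitivity >= High {
		req = append(req, FactorBiometric)
	}
	return req
}

// Authorize settles entitlement before authentication strength: a principal with
// no right to the object is denied outright and never prompted to step up, so the
// prompt itself cannot be used to learn which objects are within reach.
func Authorize(s Session, obj Object) error {
	if !obj.Entitled[s.Principal] {
		return ErrNotEntitled
	}
	for _, f := range RequiredFactors(obj, s.Network) {
		if !s.Factors[f] {
			return ErrStepUp{Needed: f}
		}
	}
	return nil
}

func main() {
	// Constructed sample: one high-sensitivity object, one session holding only a CAC.
	plan := Object{ID: "oplan-7", Sensitivity: High, Entitled: map[string]bool{"j.doe": true}}
	s := Session{Principal: "j.doe", Factors: map[Factor]bool{FactorCAC: true}, Network: "nipr"}
	fmt.Println(Authorize(s, plan)) // step-up required: otp
	s.Factors[FactorOTP], s.Factors[FactorBiometric] = true, true
	fmt.Println(Authorize(s, plan)) // <nil>
	fmt.Println(Authorize(Session{Principal: "mallory", Factors: s.Factors}, plan)) // not entitled
}
```

The order of the checks is the security-relevant detail: entitlement is decided before any step-up prompt is issued, so someone holding a stolen CAC cannot use step-up prompts as an oracle for what the victim is entitled to see. A real deployment would derive the factor requirements from the data's classification and handling caveats and from the session's network and device posture rather than from the fixed tiers used here.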
“There is a general government-focused trend to move to multifactor authentication,” SafeNet’s Moore says. “The government wants to move away from password-based protection to Public Key Infrastructure (PKI) protection. Things such as SIPRNet smart cards provide two-factor authentication and meet PKI standards. There is a large U.S. government Key Management Infrastructure (KMI) program that is focused on creating and delivering keys to government users ensuring that key rotation – the key life-cycle management – is up to date and efficient. The life of a key depends on the mission requirements. It can last from 24 hours to 6 months to a year if necessary.
“Key management plays into cloud security,” Moore continues. “Data encryption is a typical protection in laptop or mobile devices – encryption of the drive and on-device storage. Encryption also will be needed for data that is stored off-premise in a cloud. These virtual worlds are multitenancy environments with many users and servers involved, creating a need for more granular encryption than is provided at the device level. We will need to encrypt data at the object level – pictures, maps, files, and so on. Encrypting at the object level and tagging each object with situational awareness data require strong enterprise key management so data can be securely accessed anywhere from any device. The data just needs to be locked down at the most granular level with the lock being an encryption key management scheme that protects data at the object level.
“One of the biggest threats is the administrative threat, caused by vulnerabilities related to having a super user or super password that can access every file,” he says. “Industry and government are moving away from super users due to leaks that have occurred. If that super user or super password is compromised, every piece of data in a system is vulnerable. At SafeNet we assume someone is bound to get in, so we work at encrypting each object so even when they get in they can’t wreak havoc with the data. The more granular you drive the encryption, the less exposure your data will have to malicious attacks.”
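Moore's three points in the passages above, encrypt at the object level, rotate keys through their life cycle, and avoid a single super key that opens every file, describe the envelope-encryption pattern. The Go program below is an added example written for this article, not SafeNet's product or the KMI program; it uses only the Go standard library. Each object gets its own data-encryption key (DEK), the DEK is wrapped under a versioned key-encryption key (KEK), rotation re-wraps the DEK rather than re-encrypting the object, and retiring a KEK version makes anything not re-wrapped unreadable. The KeyStore type stands in for an enterprise key manager, and the object IDs and plaintext are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// EncryptedObject carries its own wrapped data key beside the ciphertext, so each
// object is unlocked independently of every other object.
type EncryptedObject struct {
	ID         string
	KEKVersion int    // which key-encryption key (KEK) wraps the DEK
	WrappedDEK []byte // DEK sealed under the KEK (AES-256-GCM, nonce prepended)
	Ciphertext []byte // object bytes sealed under the DEK (nonce prepended)
}

// KeyStore stands in for an enterprise key manager (assumed for this example). It
// holds every live KEK by version, so objects wrapped under an older KEK stay
// readable until they are re-wrapped onto the current one.
type KeyStore struct {
	keks    map[int][]byte
	current int
}

func NewKeyStore() (*KeyStore, error) {
	ks := &KeyStore{keks: map[int][]byte{}}
	return ks, ks.Rotate()
}
func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}

// Rotate mints a new current KEK; older versions remain available for unwrapping.
func (ks *KeyStore) Rotate() error {
	k, err := randomBytes(32)
	if err != nil { return err }
	ks.current++
	ks.keks[ks.current] = k
	return nil
}
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// seal/open: AES-GCM with the nonce in front of the ciphertext. The object ID is
// bound as associated data, so a wrapped key or ciphertext copied onto another
// object fails to authenticate.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil { return nil, err }
	nonce, err := randomBytes(g.NonceSize())
	if err != nil { return nil, err }
	return append(nonce, g.Seal(nil, nonce, plaintext, aad)...), nil
}
func open(key, data, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil { return nil, err }
	if len(data) < g.NonceSize() { return nil, fmt.Errorf("ciphertext too short") }
	return g.Open(nil, data[:g.NonceSize()], data[g.NonceSize():], aad)
}

// Encrypt gives the object a fresh DEK: a leaked DEK exposes one object, not all of them.
func (ks *KeyStore) Encrypt(id string, plaintext []byte) (*EncryptedObject, error) {
	dek, err := randomBytes(32)
	if err != nil { return nil, err }
	ct, err := seal(dek, plaintext, []byte(id))
	if err != nil { return nil, err }
	wrapped, err := seal(ks.keks[ks.current], dek, []byte(id))
	if err != nil { return nil, err }
	return &EncryptedObject{ID: id, KEKVersion: ks.current, WrappedDEK: wrapped, Ciphertext: ct}, nil
}
func (ks *KeyStore) unwrap(obj *EncryptedObject) ([]byte, error) {
	kek, ok := ks.keks[obj.KEKVersion]
	if !ok { return nil, fmt.Errorf("KEK version %d retired or unknown", obj.KEKVersion) }
	return open(kek, obj.WrappedDEK, []byte(obj.ID))
}
func (ks *KeyStore) Decrypt(obj *EncryptedObject) ([]byte, error) {
	dek, err := ks.unwrap(obj)
	if err != nil { return nil, err }
	return open(dek, obj.Ciphertext, []byte(obj.ID))
}

// Rewrap moves an object onto the current KEK without touching its ciphertext:
// rotation costs one unwrap and one wrap per object, not a bulk re-encryption.
func (ks *KeyStore) Rewrap(obj *EncryptedObject) error {
	dek, err := ks.unwrap(obj)
	if err != nil { return err }
	wrapped, err := seal(ks.keks[ks.current], dek, []byte(obj.ID))
	if err != nil { return err }
	obj.WrappedDEK, obj.KEKVersion = wrapped, ks.current
	return nil
}

// Retire destroys a KEK version; objects still wrapped under it become unreadable,
// so Rewrap must have run over all of them first.
func (ks *KeyStore) Retire(version int) { delete(ks.keks, version) }

func main() {
	ks, _ := NewKeyStore()
	obj, _ := ks.Encrypt("map-001", []byte("constructed sample: grid 38S MB 123 456"))
	pt, err := ks.Decrypt(obj)
	fmt.Printf("KEK v%d plaintext %q err %v\n", obj.KEKVersion, pt, err)
}
```

Two caveats a practitioner should keep in view. Whoever holds the KEK can still unwrap every DEK, so this pattern shrinks the blast radius of a leaked data key and makes rotation cheap, but it does not by itself remove the super user Moore warns about; that takes keeping the KEK inside an HSM or key management service with its own access control and audit trail, never exported to the application tier. And Retire is destructive on purpose: anything not re-wrapped first is gone, which is the intended outcome for data that must become unreadable once its key's lifetime ends.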
A cloud-targeting threat that is becoming more common and attracting more media attention is the Distributed Denial of Service (DDoS) attack, which disrupts the shared infrastructure of a cloud and so puts every subscriber at risk. “Cloud organizations that host the services of other organizations and operate their data centers are providing public cloud services instead of private,” says Ronen Kenig, Director of Security Solutions at Radware (www.radware.com). “Public clouds are more likely to be attacked by threats such as DDoS. A public cloud, for example, would be a news site that might be hosting multiple user services on their cloud or business-oriented applications. Each client is then part of the cloud’s shared infrastructure. Anything between the Internet and the servers is a shared infrastructure. If something happens to the shared infrastructure, all customers hosted in the cloud will be affected. If a firewall goes down, nobody can access the cloud. About 63 percent of DDoS attacks strike the shared infrastructure as it’s the first thing the attack will hit.
“Prior to recent attacks on financial institutions in the U.S., there was not much awareness or knowledge of DDoS attacks and other cyber threats,” Kenig says. “However, once the first bank became a victim, immediately all the other institutions started to learn more about the attacks, search for solutions, then deploy those solutions quickly. When I look at military cloud security solutions, there are many vendors and partners providing tools and solutions, but not many providing availability security. DDoS attacks are hurting the availability of online services and many antivirus vendors and firewall vendors do not focus on the availability aspect.”
Cloud providers find protecting the shared infrastructure can be challenging because it is an expensive up-front cost, he continues. “However, if a DDoS attack disrupts the shared infrastructure, every client in the cloud will be adversely affected. If a cloud provider can’t protect the shared infrastructure, other customers will be reluctant to do business with them and they could become a joke in the industry. For large-volume attacks, Radware offers a new security service called Defense Pipe that basically is designed to protect the Internet pipe of a provider, no matter what security solution they use to protect their other data. With Defense Pipe, we divert traffic into a scrubbing center, where it can absorb very large volume to mitigate its effect and protect the cloud service. We activate the service when the Internet pipe is about to get saturated to better protect the cloud data center. All the effects of an attack can be blocked in the data center except those that are saturating the Internet pipe.”
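The activation decision Kenig describes, diverting to a scrubbing center when the Internet pipe is about to saturate, is a control loop worth seeing in code. The Go program below is an added example for this article and is not Radware's Defense Pipe or any part of its logic. It runs over a constructed stream of per-second, per-source ingress byte counts, averages utilization over a short window, and applies hysteresis so that a one-second burst does not trigger diversion and a brief dip during an attack does not lift it. The pipe capacity, the 80%/50% thresholds, the window length, and the IP addresses are all assumptions.

```go
package main

import "fmt"

// FlowSample is one source's byte count within one second at the provider's edge.
// Constructed for this example; a real feed would be NetFlow/sFlow or interface counters.
type FlowSample struct {
	Second int
	SrcIP  string
	Bytes  int
}

// Decision is the monitor's verdict for one second of traffic.
type Decision struct {
	Second      int
	Utilization float64 // windowed average as a fraction of pipe capacity
	Divert      bool    // steer ingress through the scrubbing center
	TopSource   string  // heaviest source that second, for the operator
}

// PipeMonitor compares ingress with capacity and applies hysteresis: diversion
// starts at ActivateAt and is lifted only once utilization drops below DeactivateAt.
type PipeMonitor struct {
	CapacityBps  float64
	ActivateAt   float64
	DeactivateAt float64
	Window       int // seconds averaged before each decision
	diverting    bool
	history      []float64
}

// NewMonitor assumes a 1 Gbps pipe, an 80%/50% activate/deactivate band, 2-second window.
func NewMonitor() *PipeMonitor {
	return &PipeMonitor{CapacityBps: 1e9, ActivateAt: 0.8, DeactivateAt: 0.5, Window: 2}
}

// Observe ingests one second of samples and returns the decision for that second.
func (m *PipeMonitor) Observe(second int, samples []FlowSample) Decision {
	total := 0
	bySrc := map[string]int{}
	for _, s := range samples {
		total += s.Bytes
		bySrc[s.SrcIP] += s.Bytes
	}
	m.history = append(m.history, float64(total)*8/m.CapacityBps)
	if len(m.history) > m.Window {
		m.history = m.history[len(m.history)-m.Window:]
	}
	avg := 0.0
	for _, u := range m.history {
		avg += u
	}
	avg /= float64(len(m.history))
	switch {
	case !m.diverting && avg >= m.ActivateAt:
		m.diverting = true
	case m.diverting && avg < m.DeactivateAt:
		m.diverting = false
	}
	top, topBytes := "", 0
	for ip, b := range bySrc {
		if b > topBytes {
			top, topBytes = ip, b
		}
	}
	return Decision{Second: second, Utilization: avg, Divert: m.diverting, TopSource: top}
}

// Run groups a time-ordered sample stream by second (empty seconds count as idle)
// and returns one decision per second from the first to the last sample.
func Run(m *PipeMonitor, samples []FlowSample) []Decision {
	if len(samples) == 0 {
		return nil
	}
	bySecond := map[int][]FlowSample{}
	for _, s := range samples {
		bySecond[s.Second] = append(bySecond[s.Second], s)
	}
	var out []Decision
	for sec := samples[0].Second; sec <= samples[len(samples)-1].Second; sec++ {
		out = append(out, m.Observe(sec, bySecond[sec]))
	}
	return out
}

// ConstructedSamples: seconds 0-2 and 6-7 carry ordinary load (240 Mbps); seconds
// 3-5 add an 80 MB/s flood from one source, pushing the pipe to 880 Mbps.
func ConstructedSamples() []FlowSample {
	var s []FlowSample
	for sec := 0; sec <= 7; sec++ {
		s = append(s, FlowSample{sec, "198.51.100.10", 15_000_000}, FlowSample{sec, "198.51.100.11", 15_000_000})
		if sec >= 3 && sec <= 5 {
			s = append(s, FlowSample{sec, "203.0.113.7", 80_000_000})
		}
	}
	return s
}

func main() {
	for _, d := range Run(NewMonitor(), ConstructedSamples()) {
		fmt.Printf("t=%d util=%.2f divert=%v top=%s\n", d.Second, d.Utilization, d.Divert, d.TopSource)
	}
}
```

The thresholds are deliberately asymmetric: diverting at 80% but returning only below 50% keeps the control from flapping on and off around a single line while an attacker ramps traffic up and down, and the two-second window means the first attack second alone does not flip the switch. The per-source count is only a hint for the operator; in a distributed flood no single source dominates, and the decision has to rest on aggregate utilization of the pipe, which is exactly the shared resource Kenig says every tenant depends on.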