Security worries cloud Web migration

September 19, 2011, by David
Grazed from Politico.  Author: Jennifer Martinez.

Federal agencies — ranging from the Defense and State departments to the National Institutes of Health — are having second thoughts about moving government secrets and essential functions to the Web in the face of a growing number of cyberattacks from online assailants…

The agencies worry that a White House policy instituted late last year requiring them to move services to cloud computing — a policy dubbed “cloud first” — puts their concerns over cybersecurity second.


Some are holding off on making the jump to the cloud until security concerns are addressed.

“We’re sitting back and waiting since we are a security agency,” said Cynthia Cassil, director of systems integration for the State Department’s chief information officer. “We don’t want to be one of the early adopters. We want to be a follower — but we do want to comply with OMB [Office of Management and Budget] and put our toes out in the water.”

Agencies have been under White House orders since December to consider Web-based cloud computing before other technology solutions that rely on more costly hardware. Former White House Chief Information Officer Vivek Kundra tasked each agency with identifying three services to move to the cloud — one within 12 months and the other two within 18 months.

At the time, Kundra stressed that while security needs may vary by agency, many would see their strict security requirements satisfied in the cloud. In a recent op-ed in The New York Times, Kundra, who left the government for a position at Harvard in August, argued that cloud computing is often more secure than existing government technology because cloud service providers like Google, unlike many federal agencies, are able to attract and retain a talented pool of cybersecurity personnel.

Some agencies, however, are not yet sold.

Many agencies tasked with handling classified data and information, such as State and Defense, are holding off on migrating functions and data to cloud systems owned by outside vendors, such as Google and Amazon, known as the “public cloud.” In addition, other agencies that handle large volumes of data on citizens — including Health and Human Services — are also taking their time to evaluate security implications.

“You have to look beyond the marketing material,” said Robert Rosen, chief information officer for the National Institute of Arthritis, Musculoskeletal and Skin Diseases at NIH. The agency is in charge of safeguarding sensitive patient data. “If [a cloud provider] can’t meet the security requirements, there’s no point in continuing the discussion.”

While Rosen isn’t opposed to moving some agency functions to cloud computing, he is skeptical of vendors that tout the cloud as a panacea that can prevent hacker infiltrations into sensitive systems. “It is no different than any other technological solution,” he said.


Some cyberexperts warn that moving sensitive government data to Internet-based cloud-computing platforms without taking the right security precautions is akin to paving the way for hacker collectives like Anonymous and probing rogue states to invade. One compares it to Hannibal’s march on Rome.

“This could be the greatest technological mistake since Rome completed the Roman roads in … Gaul,” said Tom Kellermann, chief technology officer at wireless security company AirPatrol Corp. and a former cybersecurity official at the World Bank.


Many government agencies now face a daily barrage of cyberthreats and are hesitant to make any moves that would result in a successful security breach by a hacker. In fact, the Government Accountability Office said this spring that reports of security incidents from agencies rose 650 percent over the past five years — up from more than 5,500 reported incidents in 2006 to more than 41,700 incidents in 2010.

Cloud service providers, of course, beg to differ with these security concerns and are quick to note that some recent high-profile breaches could have been averted if the sensitive data were stored in the cloud.

Agencies that do not have extensive computer security operations or do not handle classified data should move to the public cloud, according to security experts. On the other hand, defense agencies and others charged with protecting personally identifiable information and data critical to national security should adopt a hybrid model — one that includes use of the private cloud for sensitive data and the commercial cloud for more general information.

“Cloud providers have the resources to invest in a lot of security systems and for smaller organizations, it is a no-brainer that cloud computing is much more secure,” said Jim Reavis, executive director of the Cloud Security Alliance, a trade organization that encourages security best practices for cloud computing.

But several agency computer security chiefs have put the brakes on cloud adoption while waiting for federal agencies — including OMB, General Services Administration and the National Institute of Standards and Technology — to clarify security testing and standards needed to make sure moderate and high-risk unclassified systems are safe.

“If no one defines what kind of testing is appropriate to the cloud, no one feels safe in moving into the cloud until the instructions are complete,” one federal agency official who works on cybersecurity told POLITICO. The source said agency officials have valid concerns: “How am I going to do this without harming the owners’, the taxpayers’ or employees’ personally identifiable information or those other kinds of sensitive information the government is managing?”

For this reason, the Pentagon and State Department, among others, are limiting their use of commercial cloud services and are opting instead to erect their own private cloud systems that are run by the agencies themselves — not by private-sector providers.

Agencies that deal in sensitive data aren’t rejecting private-sector cloud services altogether. The Defense Information Systems Agency, which provides technical and communications support to the military, has a series of cloud-computing initiatives already under way, including the Forge.mil website, where developers can collaborate and post open-source applications to the cloud.

Meanwhile, more than 75 percent of the State Department’s computing environment is running in private cloud systems managed by the agency. Those systems are continuously scanned for cyberthreats.


The State Department has also moved its public websites for its overseas missions, State.gov and its Office of the Historian, to the public cloud. Cassil said she believes State is “well within meeting everything” within the administration’s cloud strategy.

Cloud vendors said there are clear benefits for government — and workers.

Storing information in the cloud allows employees to access their work anytime, anywhere without leaving a trace of data on a mobile phone, computer or storage device, said Eran Feigenbaum, director of security for the enterprise division of Google Apps.

Employees who transfer data onto USB drives, CDs or send it to their personal email accounts are at risk for security breaches if those are stolen or fall into the wrong hands. Army intelligence analyst Bradley Manning was allegedly able to siphon confidential military information to WikiLeaks by copying data to a CD.

“We’ve seen a lot of smart agencies and commercial companies that have suffered from large security breaches on things that are not in the cloud,” Feigenbaum said. “Those could have been completely avoided if that data was stored in the cloud.”

But some Washington security experts maintain that Kundra was wrong to push the public cloud because cloud computing’s infrastructure carries some intrinsic risks. For example, hackers who successfully breach a cloud server can access all of the systems hosted within it in one fell swoop. Kellermann compared it to a mail carrier having a key to the entire set of mailboxes in an apartment building.

“Through one attack, they wouldn’t have to spend many days or months leapfrogging through the system,” Kellermann said. “They could compromise the system all at once.”

In addition, cloud servers store data for multiple parties, or tenants. With several organizations sharing the same storage facility in the cloud, the infiltration opportunity for hackers is heightened. Security experts recommend that cloud providers construct a government community cloud, where several government agencies share the same data center rather than co-mingling their data with organizations outside the public sector.

There are also jurisdictional issues that come into play. Not all commercial cloud providers store client data in servers based in the United States, so Kellermann argues that it is imperative for government agencies to put limits on where their data is stored in their contracts.