Federal chief information officers and chief information security officers will convene Monday, June 14, at an annual information technology conference where they are sure to discuss the Office of Management and Budget's mandate to look toward cloud computing to cut IT costs, increase efficiencies and enable greater government-wide collaboration and data exchange.
So what is cloud computing? Here's how the National Institute of Standards and Technology defines it: "Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources [e.g., networks, servers, storage, applications, and services] that can be rapidly provisioned and released with minimal management effort or service provider interaction."
The key tenet of the cloud is availability. But where are the other cornerstones of information security: integrity and confidentiality?
A recent survey suggested that some CIOs and CISOs may be reluctant to move their data and services to the cloud. However, the Government Services Administration is expected to reissue its blanket purchase agreement for cloud services in the near future, perhaps at the upcoming conference. Notwithstanding their reluctance to move to the cloud, government CIOs and CISOs may have no choice going forward. Of course, that's not all bad, because cloud computing and virtualization technologies offer many benefits. But with those benefits come potential information security and assurance pitfalls.
In examining the potential benefits and vulnerabilities of moving their services to the cloud, government CIOs and CISOs should ask and demand answers to some difficult questions.
Aggregation, Resilience and Operational Capability
Does your provider ensure the confidentiality, integrity and availability of your data through mature processes, proof of past performance, an understanding of and mechanisms for disaster recovery options, and encrypted backups?
Demand answers so that you are fully aware of how your data is protected, where it is stored, whether it is co-mingled with other data, and whether the provider has isolation mechanisms for data, processing, memory and logs. Presume that your data is replicated, and know how quickly it can be restored in the event of an emergency. Understand the provider's ability to surge capacity on demand, so that if you face a distributed denial of service attack or some other event that may affect essential services, you know you will be able to keep your mission-critical applications up and running.
Multi-Tenancy
Most clouds are envisioned to be multi-tenant environments, which means shared processing and shared storage. Demand to know how the service provider will implement data segregation. Understand whose responsibility it is to notify the other party of a security breach. Demand transparency into the environment that you are "renting" and for which you are now responsible for maintaining the integrity and confidentiality of the data and services stored therein. After all, you are accountable to your cabinet secretary and to Congress for the services rendered by your agency.
Law Enforcement-Investigation of Inappropriate or Illegal Activity
Many cloud computing environments provide an application programming interface to automate many functions, including adaptive virtual machine provisioning with no human interaction needed. While this capability can reduce costs and provides desirable demand-scalable systems, an insecure implementation could allow an attacker to rapidly provision large quantities of resources that can be leveraged for malicious use. Because this can be done so quickly, it in effect gives the attacker the ability to rapidly provision attack platforms, botnets and the like, and then just as quickly remove them and destroy the evidence. If the attack is not detected while it is happening, the only sign may be when the owner of the environment gets the bill for the large resource utilization, or a visit from law enforcement.
Demand to know how your service provider collects and maintains logs of activity. Understand whether appropriate technologies are fielded to collect, analyze and notify of anomalous activity. Presuming all of your data is stored in the United States, you should know when and whether it was accessed by any other entity. If the data is stored outside the United States, know when it is accessed and under what authorities. If data is shared or backed up across multiple data centers, ensure that you know where it is stored and how readily it can be restored.
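The two passages above describe the failure mode (resources provisioned and torn down faster than anyone notices) and the control (collect provisioning logs, analyze them, and alert on anomalies). The following is an added example, not code from the article or from any cloud provider, showing what that analysis can look like over a provider's audit log. The line format, the principal names, the instance identifiers and the thresholds are all assumptions constructed for this example; a real deployment would read the provider's own audit export and tune the thresholds to the agency's normal provisioning rate.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample audit log (not real provider output). Each line records one
# API call: timestamp, the calling principal, the action and the instance id.
SAMPLE_LOG = """\
2010-06-10T02:00:05Z principal=svc-build action=CreateInstance instance=i-0001
2010-06-10T02:00:40Z principal=svc-build action=CreateInstance instance=i-0002
2010-06-10T03:10:00Z principal=api-key-7 action=CreateInstance instance=i-0101
2010-06-10T03:10:06Z principal=api-key-7 action=CreateInstance instance=i-0102
2010-06-10T03:10:11Z principal=api-key-7 action=CreateInstance instance=i-0103
2010-06-10T03:10:17Z principal=api-key-7 action=CreateInstance instance=i-0104
2010-06-10T03:10:22Z principal=api-key-7 action=CreateInstance instance=i-0105
2010-06-10T03:10:28Z principal=api-key-7 action=CreateInstance instance=i-0106
2010-06-10T03:14:50Z principal=api-key-7 action=TerminateInstance instance=i-0101
2010-06-10T03:14:55Z principal=api-key-7 action=TerminateInstance instance=i-0102
2010-06-10T03:15:01Z principal=api-key-7 action=TerminateInstance instance=i-0103
2010-06-10T03:15:06Z principal=api-key-7 action=TerminateInstance instance=i-0104
2010-06-10T03:15:12Z principal=api-key-7 action=TerminateInstance instance=i-0105
2010-06-10T03:15:18Z principal=api-key-7 action=TerminateInstance instance=i-0106
2010-06-10T09:30:00Z principal=svc-build action=TerminateInstance instance=i-0001
2010-06-10T09:30:05Z principal=svc-build action=TerminateInstance instance=i-0002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) principal=(?P<principal>\S+) action=(?P<action>\S+) instance=(?P<instance>\S+)$"
)


def parse_line(line):
    """Parse one audit line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def detect_anomalies(log_text, burst_count=5, burst_window_s=120, min_lifetime_s=600):
    """Apply two rules to the log and return a list of findings.

    provisioning_burst:   one principal creates >= burst_count instances inside burst_window_s
    short_lived_instance: an instance is terminated less than min_lifetime_s after creation
    The thresholds are assumptions; tune them to the agency's normal provisioning pattern.
    """
    findings = []
    recent_creates = defaultdict(deque)  # principal -> timestamps of its recent creates
    burst_reported = set()               # report each principal's burst once, not per call
    created_at = {}                      # instance -> (principal, creation time)
    window = timedelta(seconds=burst_window_s)

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        principal, ts = rec["principal"], rec["ts"]

        if rec["action"] == "CreateInstance":
            created_at[rec["instance"]] = (principal, ts)
            q = recent_creates[principal]
            q.append(ts)
            while q and ts - q[0] > window:  # slide the window forward
                q.popleft()
            if len(q) >= burst_count and principal not in burst_reported:
                burst_reported.add(principal)
                findings.append({"rule": "provisioning_burst", "principal": principal,
                                 "count": len(q), "at": ts.isoformat()})

        elif rec["action"] == "TerminateInstance":
            origin = created_at.pop(rec["instance"], None)
            if origin is None:  # termination of an instance we never saw created
                continue
            lifetime = (ts - origin[1]).total_seconds()
            if lifetime < min_lifetime_s:
                findings.append({"rule": "short_lived_instance", "principal": origin[0],
                                 "instance": rec["instance"], "lifetime_s": lifetime})
    return findings


if __name__ == "__main__":
    for f in detect_anomalies(SAMPLE_LOG):
        print(f)
```

Run against the constructed log, the burst rule fires once for `api-key-7` (five creations in 22 seconds) and the lifetime rule fires for each of its six instances, while `svc-build`, which created two instances and kept them for hours, produces nothing. The point for the buyer is the question to put to the provider: is an audit stream like this available to you at all, how quickly, and can you or the provider run this kind of analysis on it in time to act before the bill arrives.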
Security, Privacy and Compliance
Does the service provider demonstrate a very high commitment to compliance and audit efforts to attain and maintain certifications such as the Payment Card Industry Data Security Standard, the Cloud Security Alliance best practices, NIST Special Publication 800-53 standards or the Security Content Automation Protocol, or SAS 70 Type II audits? Does the service provider demonstrate the same high commitment to compliance with other applicable privacy and security rules and internal control requirements, such as those set forth in the Health Insurance Portability and Accountability Act of 1996, the Gramm-Leach-Bliley Act of 1999, the Sarbanes-Oxley Act of 2002, Federal Information Processing Standards, or applicable European Union directives?
There are 46 state data breach laws, including the California Security Breach Information Act, many of which have differing standards. The Internal Revenue Service has an entire division within their CIO office dedicated to understanding and attending to applicable data breach and data privacy standards.
Every government CIO and CISO must know these standards, wherever the data is stored, because unless Congress preempts the states, the laws of the states in which data resides are the laws you must follow. Similar problems arise with the various laws around the world when data is stored outside the United States, as can happen when government contractors use Gmail or other cloud-based services. And because many audit controls are not yet in place for cloud computing environments, it is even more difficult for those who use cloud services to prove compliance. Demand to be able to audit your cloud provider. Ensure that you can implement continuous performance monitoring against your data in the cloud. Leave yourself flexibility for the next audit and compliance regime.
Security Attestation
Most cloud service providers are not able to address authentication support. Risk is defined by the individual agency's requirements. For example, the Department of Agriculture's IT posture is focused on availability, whereas the IRS is focused on confidentiality and privacy - rightly so, as it holds information on every citizen and corporation in the United States. As more data is stored in shared hosting environments alongside other parties with varying degrees of security, integrity, confidentiality and availability requirements, government CIOs and CISOs must assess risk.
Managing this risk requires an ability to attest to the environment for which you have responsibility. Are identity measures implemented? Can the cloud attest to its security configuration or properties? As a buyer of the service, you may need to implement data labeling (classification, releasability and authorities). You may also need to implement privilege-based access controls for data stored in the cloud, as well as for users who access cloud-based applications. Finally, you will need to work with the cloud provider to ensure that its architecture, configuration, policies and processes meet your security needs and that you are permitted to regularly conduct vulnerability assessments and red-teaming or penetration testing to verify its security posture.
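The paragraph above names three label dimensions (classification, releasability and authorities) and, separately, privilege-based access control. The following is an added example, not code from the article, showing how those four conditions combine into a single deny-by-default access decision that the data owner can enforce regardless of who operates the hosting environment. The classification lattice, the organisation and authority tags, and the subjects are constructed for this example; an agency would substitute its own marking scheme.

```python
from dataclasses import dataclass

# Ordered classification levels. The lattice is an assumption for this example;
# an unknown level maps to "higher than anything" on the data side and "lower than
# anything" on the subject side, so unrecognised markings fail closed.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}


@dataclass(frozen=True)
class DataLabel:
    """Label attached to a stored record: the three dimensions named in the text."""
    classification: str
    releasable_to: frozenset   # organisations the record may be released to
    authorities: frozenset     # authorities under which access is permitted (constructed tags)


@dataclass(frozen=True)
class Subject:
    """A user or service identity with the attributes the decision needs."""
    name: str
    clearance: str
    organisations: frozenset
    authorities: frozenset
    privileges: frozenset      # e.g. "read", "write", "export"


def decide(subject, label, privilege):
    """Return (allowed, reason). Every condition must hold; anything else is a denial.

    The reason string is meant to be written to the audit log alongside the decision
    so that a later review can see which dimension blocked access.
    """
    if privilege not in subject.privileges:
        return False, f"{subject.name} lacks privilege '{privilege}'"
    if LEVELS.get(subject.clearance, -1) < LEVELS.get(label.classification, len(LEVELS)):
        return False, f"clearance {subject.clearance} does not dominate {label.classification}"
    if not (subject.organisations & label.releasable_to):
        return False, f"record not releasable to {sorted(subject.organisations)}"
    if not (subject.authorities & label.authorities):
        return False, f"{subject.name} holds none of the required authorities {sorted(label.authorities)}"
    return True, "all label conditions satisfied"


def evaluate(subjects, label, privilege):
    """Run the decision for several subjects; returns name -> (allowed, reason)."""
    return {s.name: decide(s, label, privilege) for s in subjects}


# Constructed sample: a taxpayer record that only the owning agency may read,
# and only under a specific (hypothetical) tax-administration authority.
TAX_RECORD = DataLabel("CONFIDENTIAL", frozenset({"IRS"}), frozenset({"AUTH-TAX-ADMIN"}))

SUBJECTS = [
    Subject("irs-analyst", "SECRET", frozenset({"IRS"}), frozenset({"AUTH-TAX-ADMIN"}), frozenset({"read"})),
    # Provider staff may be well cleared and hold broad privileges on the platform,
    # but the record is not releasable to their organisation.
    Subject("cloud-operator", "SECRET", frozenset({"PROVIDER"}), frozenset(), frozenset({"read", "write"})),
    # Another agency's analyst: wrong organisation and no authority.
    Subject("usda-analyst", "CONFIDENTIAL", frozenset({"USDA"}), frozenset({"AUTH-AG-STATS"}), frozenset({"read"})),
    # Right organisation and authority, but insufficient clearance.
    Subject("irs-contractor", "UNCLASSIFIED", frozenset({"IRS"}), frozenset({"AUTH-TAX-ADMIN"}), frozenset({"read"})),
    # Right organisation, authority and clearance, but never granted the privilege.
    Subject("irs-auditor", "SECRET", frozenset({"IRS"}), frozenset({"AUTH-TAX-ADMIN"}), frozenset({"audit"})),
]

if __name__ == "__main__":
    for name, (allowed, reason) in evaluate(SUBJECTS, TAX_RECORD, "read").items():
        print(f"{name:16} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

Only `irs-analyst` is allowed; each of the other four is denied for a different reason, which is the property worth checking when a provider offers its own access-control layer: a subject must satisfy every dimension of the owner's label, and platform privileges alone (the `cloud-operator` case) do not substitute for releasability and authority.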
In the early 1990s, the government went down a similar path of adopting commercial-off-the-shelf software to reduce costs and promote efficiency and interoperability of government IT services. The government, however, did not invest equally in security, or demand it, at the outset. That decision made the government more vulnerable, as countless reported intrusions and data losses demonstrate.
As we continue to invest in digitizing our infrastructures and everything behind it, we cannot ignore the risks. The migration of data to a paperless society and the growth of cloud computing can yield cost savings, in terms of physical plant and personnel, but how secure is the information that you can no longer lock in a file cabinet or safe?
Technology and information security must partner with enterprise operations to ensure we manage our future risk and can protect our most critical asset: our information.
Melissa Hathaway, who led President Obama's Cyberspace Policy Review, is a senior adviser at the Belfer Center of Harvard University's Kennedy School of Government.
Hathaway, Melissa. “Beyond Availability: Melissa Hathaway on the Cloud.” GovInfoSecurity.com, June 10, 2010