Trade Law Daily is a service of Warren Communications News.

Cloud Services’ Security Beats Agencies’, Companies Tell Board

Dip a toe in the water of cloud services and see how it feels, representatives of Google, Microsoft, Amazon and Salesforce.com told the congressionally chartered Information Security and Privacy Advisory Board on Friday. The companies were trying to overcome the skepticism of board members and a crowd of agency officials at the meeting toward the claim that security in the cloud -- any Internet-based platform for running software, applications or virtual machines -- was just as good as, and probably better than, the agencies’ own network and data-at-rest security. Board members seemed especially interested in the experience of Amazon’s Stephen Schmidt, who led a transition to virtualization computing as the FBI’s chief technology officer.

Using cloud services isn’t an “all-or-nothing game,” said John DeVoe, regional manager for the public sector at Salesforce, which has 4,000 customers in government, education and the nonprofit world. Agencies can use cloud applications even if “that data never leaves your firewalls to begin with,” he said. Salesforce offers an “exchange” program that lets agencies share their custom applications with others to avoid development costs, he said. The representatives of all the companies stressed that their cloud services store the same data at multiple locations far-flung from each other to prevent downtime and emergencies.

Government will move to cloud services as surely as ATMs replaced mattresses for stashing cash, said Eran Feigenbaum, director of enterprise applications security at Google. “We see a lot of security problems because our users are trying to do the right thing,” such as work while on vacation, he said. Four in five security incidents since 2005 have resulted from lost portable media, he said. Google Apps install security and feature upgrades instantly, and customers’ stored data are “sharded” -- split into millions of “obfuscated” pieces across its infrastructure to make useless any leaked data, he said. As the fourth-largest hardware maker in the world, Google can “build security in the DNA, rather than an afterthought,” Feigenbaum said.

Amazon’s cloud services “go down deeper in the stack” than competitors’, by offering virtual machines instead of stand-alone applications, said Schmidt, the general manager of dedicated utility computing. Animoto, a social-networking application maker, started with 40 virtual machines running on Amazon’s Elastic Compute Cloud. But when its application’s popularity spiked on Facebook, Animoto moved up to 5,000 machines in two days “without contacting us to do it,” unlike with conventional Web hosts, he said. The Amazon system also let WashingtonPost.com quickly upload thousands of indexed travel documents from then-presidential candidate Democrat Sen. Hillary Clinton, giving the newspaper a “tremendous competitive advantage” without long-term spending, he said.

The FBI’s “entertaining” virtualization switch came about because Schmidt couldn’t keep track of the networks that officials had set up, often without telling anyone, Schmidt said. “I had database administrators screaming at me” because they wanted to run their own physical servers, but they came to appreciate the efficiency of a centralized system, especially not having to keep track of backup tapes, he said. Cloud computing offers the same benefits, getting rid of the “silos” that often hamper systemwide upgrades at agencies, he said.

Getting the government into the cloud will “take some time to evolve,” because officials want the ability to “touch” everything, said Patrick Arnold, Microsoft Services’ chief technology officer. The company is the latest big entrant into cloud computing with its Azure platform, which also handles such services as increasing the capacity of Microsoft’s Hotmail. Concerns about mixing data from many “user sets” have been “conquered” at the FBI and at the court that handles Foreign Intelligence Surveillance Act requests, Schmidt said. “The process seems to be working,” DeVoe said, recounting a recent meeting with an agency official who was mostly concerned about not running afoul of the inspector general’s office by adopting cloud services. “Sensitive but unclassified data is probably a good place to sit in the cloud,” said Feigenbaum.

Company representatives managed to reassure board members on some subjects. Physical security of data centers isn’t an issue, Feigenbaum said. “It took pretty much an act of God to allow our auditors into our data centers” for routine reviews, he said. Security in business, such as mandatory two-factor authentication, often is stricter than in government, where FBI employees once regularly shared the same administrator rights on a computer, Schmidt said. Board member Lynn McNulty pointed to legislation that would change the Federal Information Security Management Act to require a “continuous monitoring regime” for agency security and asked whether companies would charge agencies extra for such upkeep. Corporate customers largely require continuous monitoring in their contracts anyway, Schmidt said. Agencies can be confident that their cloud services won’t run out of capacity, because of the agencies’ service-level agreements with providers, Feigenbaum repeatedly told one board member. “I don’t see it breaking and getting to capacity any time soon,” Feigenbaum said, noting that Google applications have about 10 minutes of downtime a month, or roughly “a couple seconds added up” across the month. “By and large these systems… are going to be more stable than you're accustomed to,” Arnold said.

DeVoe had more trouble explaining why Salesforce couldn’t host a system of records -- agency terminology for a database of personal information, which is subject to strict privacy and disclosure requirements. The Department of Homeland Security Privacy Office is nearly finished with a long review of “legacy” system-of-records notices (WID Dec 4 p5). Privacy officers across agencies disagree about what constitutes personally identifiable information, so Salesforce doesn’t want to wade into that murky regulatory discussion, he said. -- Greg Piper

Information Security & Privacy Advisory Board Notebook…

The National Institute of Standards and Technology will release a special publication on cloud computing security next year, Senior Computer Scientist Peter Mell told the board. It will cover security approaches for the cloud’s architecture and applications -- “two very separate things” -- as well as forensics, security monitoring, working within compliance frameworks such as the Federal Information Security Management Act, and other subjects, Mell said. He said there’s not likely to be a “massive movement” away from agency data centers toward cloud services, but agencies themselves are likely to create their own non-interoperable cloud networks if NIST doesn’t act.

----

The Defense Department’s first uses of cloud computing “will be very static,” predicted Chris Kubic, technical director of information assurance architecture for DoD. The department handles so much data for so many purposes -- from cybernetwork defense logs to status updates on troops and vehicles -- that it makes sense to have a wide-ranging network architecture accessible from anywhere, he said. And DoD has already taken baby steps toward cloud computing through its YouTube-like TroopTube.tv site for soldiers and families and Rapid Access Computing Environment set up by the Defense Information Systems Agency. But “single-purpose clouds” are the best that DoD can design until security and classification issues are solved, Kubic said. “The investigators like to get behind the rack and see how things are wired,” so cloud-system hardware that’s out of the direct control of DoD is highly unlikely, he said. The department wants fine-tuned controls on any platform, so it can provision resources, tie specific platforms and machines to different applications, and govern what applications can run in which cloud situations -- all based in the U.S., he said. DoD’s top goal is for the cloud architecture itself to “attest” to its security configuration, so users know whether it’s safe to run particular applications on any given cloud, he said. The department must be able to process information under multiple classification schemes in the cloud and “sanitize and purge” data in local storage at a moment’s notice. It’s “technically feasible” for both classified and unclassified information to be run on the same cloud, Kubic told a board member, noting that DoD went through the same hurdles in setting up a virtualized environment. But in a cloud setting, DoD would have to enforce security across several widely dispersed servers, he added.

----

Setting up a cloud computing platform is mainly an exercise in risk management, Mike Sade, assistant commissioner for acquisition management at the General Services Administration, told the board. Buying servers for a centrally managed data center is far easier and has a lower risk, he said. Agencies should make a detailed case to vendors why they're considering cloud computing and then weed out vendors by asking for specific answers on where they have previously set up cloud services and how they charge, he said. Agencies also should decide whether they have an “IT culture” internally that doesn’t mind managing some servers locally, or whether the vendor’s management at multiple locations will suffice, he said. There are more than just privacy and security considerations to take into account, Sade said: Environmental regulations on agencies, such as for power consumption, may also frustrate plans for cloud services if they're not taken into account early. “This is not a paperwork exercise … Fly before you buy,” he said: Demand that vendors let agency officials actually bring in their own software to test-run on the vendor’s platform and evaluate results. Agencies should include performance metrics in the contract and offer incentives to vendors for hitting a specific service level or coming in under cost. Consulting the GSA at the start of the process is wise, Sade said. “The sooner we're at the table, the less of a roadblock we'll be.”