Wednesday, September 22, 2010

Managing DoD IT Security in a Cloud

Moving DoD applications to commercial cloud service organizations that operate outside the Department of Defense perimeter will give rise to concerns about the adequacy of security assurance. Presently DoD data centers rely on network perimeter barriers that are supposed to exclude transactions from outsiders. Whether these barriers are effective, in view of hundreds of DoD data centers, is arguable. Contractors manage many DoD data centers and staff them with personnel who are neither military nor civilian employees.

Nevertheless, the prospect of transferring computing services to an external commercial firm will have to be subjected to stringent security rules. An event that might be overlooked as a security incident in a DoD data center may result in revocation of security certification in the case of a cloud services provider.

DoD CIOs recognize that cloud computing offers cost savings, flexible capacity management and failover features that are advantages compared with the current DISA data centers. The CIOs are now asking whether externalizing a workload to computing clouds will degrade security. Will the auditors reject commercial cloud computing because it cannot be proven secure?

DoD data centers achieve security by locking up server farms as well as associated electric power inside a physical enclave. Software controls are installed that include:
- Perimeter firewalls;
- Demilitarized zones (DMZ) for isolating incoming transactions;
- Network segmentation to reduce risks;
- Intrusion detection devices and software for monitoring compliance with security policies.

At present there are hundreds of firms selling computer hardware appliances and software packages for data center security. The problem with such devices is not only their high cost. Much effort is expended in integrating and testing the servers that support individual applications. That adds to the overhead of maintaining hardware/software configurations for separate applications, because the workload in the data center is not pooled. As security threats rise, data center management keeps adding separate security management devices, increasing not only operating costs but also the delays incurred as transactions snake their way through multiple security barriers.

The accumulation of various security measures and devices increases the fragility of systems and adds to potential vulnerabilities. Each of the DoD data centers will ultimately end up with security protection measures that are unique in how they are implemented. Therefore they are not amenable to coordinated oversight. It is this variety that prompted the Commander of USCYBERCOM, Gen. Keith Alexander, to state "We have no situational awareness ... key defense IT systems remain exposed to remote sabotage."

In cloud computing the providers of services gain from the efficiencies of virtualization. Virtual machines from multiple organizations are co-located on physical resources, but without any crosstalk that can jeopardize security. Virtualization is therefore the key technology that enables the migration of applications into a cloud environment, where security is provided mostly through the hypervisor that controls the separate virtual machines. A third-party security appliance can be connected to the hypervisor. In this way consistent security services can be provided to every virtual machine, even if they run different operating systems.

One must stop viewing protection of applications at the data center or server level as the basis for achieving security. Instead, we have to view each individual virtual computer, with its own operating system and its own application, as fully equipped to benefit from pooled security services.

A data center may house hundreds or even thousands of virtual computers. Security in a cloud can be achieved by protecting virtual computers through the hypervisor on which they reside. In this way every virtual computer can be assigned policies that carry its protection safeguards as well as its security criteria (such as the grant of access privileges). For instance, when a virtual machine is moved from a DISA data center to a cloud, the security of the relocated virtual machine will not be compromised. Multi-tenancy of diverse applications from diverse sources is now feasible, since the cloud can run diverse applications in separate security enclosures, each with its own customized security policies.

One of the characteristics of cloud computing is its offering of self-service access to computing power. In traditional data centers, administrative access to servers is usually managed by on-premises staff. Adding an application then calls for an elaborate process of testing and integrating the application within its own security enclave. This process is time-consuming because it calls for alignment with diverse settings.

In cloud computing the addition of a new application is streamlined. Integration with security measures can be instant and seamless because the hypervisor already supports most of the security services. If a virtual computer can port its own security when moving from one cloud to another, the migration effort can be reduced.
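The two preceding points, a policy that travels with the virtual machine and a hypervisor that enforces it identically on any host, are illustrated by the following added example. It is not code from the post; the VM descriptor format, the HMAC tag from an assumed DoD-controlled policy authority, and the hypervisor class are all constructed for illustration.

```python
import hashlib
import hmac
import json
# Constructed demo key; stands in for one held by a DoD-controlled policy authority.
POLICY_AUTHORITY_KEY = b"constructed-demo-key-not-for-real-use"

def sign_policy(policy: dict, key: bytes) -> str:
    """Bind a VM's policy to a tag that only the policy authority can produce."""
    canonical = json.dumps(policy, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()

def verify_policy(policy: dict, tag: str, key: bytes) -> bool:
    return hmac.compare_digest(sign_policy(policy, key), tag)

class Hypervisor:
    # Shared enforcement point for every VM on a host, whatever guest OS it runs.
    def __init__(self, name: str, key: bytes) -> None:
        self.name, self.key, self.vms = name, key, {}

    def admit(self, vm: dict) -> bool:
        """Accept a VM only if the policy it carries verifies; refuse it otherwise."""
        if not verify_policy(vm["policy"], vm["policy_tag"], self.key):
            return False
        self.vms[vm["id"]] = vm
        return True

    def allow_ingress(self, vm_id: str, src_zone: str, port: int) -> bool:
        # Decision comes from the VM's own policy, not from host-specific settings.
        policy = self.vms[vm_id]["policy"]
        return src_zone in policy["allowed_src_zones"] and port in policy["allowed_ports"]

def migrate(vm: dict, src: Hypervisor, dst: Hypervisor) -> bool:
    """Move a VM between hosts; its policy travels with it and is re-verified on arrival."""
    src.vms.pop(vm["id"])
    return dst.admit(vm)

def run_demo() -> dict:
    policy = {"allowed_src_zones": ["dod-enclave"], "allowed_ports": [443]}
    vm = {"id": "vm-app-01", "policy": policy,
          "policy_tag": sign_policy(policy, POLICY_AUTHORITY_KEY)}
    disa = Hypervisor("disa-dc", POLICY_AUTHORITY_KEY)
    cloud = Hypervisor("commercial-cloud", POLICY_AUTHORITY_KEY)
    disa.admit(vm)
    before = disa.allow_ingress(vm["id"], "internet", 22)      # denied in the DISA center
    moved = migrate(vm, disa, cloud)                          # same VM, same policy
    after_ok = cloud.allow_ingress(vm["id"], "dod-enclave", 443)
    after_bad = cloud.allow_ingress(vm["id"], "internet", 22)  # still denied after the move
    # A copy with a loosened policy but the original tag: the hypervisor refuses it.
    tampered = dict(vm, id="vm-app-01-copy", policy={"allowed_src_zones": ["internet"], "allowed_ports": [22]})
    return {"before": before, "moved": moved, "after_ok": after_ok,
            "after_bad": after_bad, "tampered_admitted": cloud.admit(tampered)}
```

The point of the tampered copy is that the verification, not the host it lands on, decides whether a relocated machine keeps the protection it was assigned.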

SUMMARY
Security services can be pooled and standardized in a cloud environment to support a large number of virtual machines. Such pooled services can be managed to give DoD much improved shared security awareness.

The management and monitoring of enterprise-wide security will still remain a demanding task. However, as compared with the current diversity in security methods, the transfer of applications into the cloud environment will reduce costs and simplify the administration of security.

Whether DoD can rapidly implement its own private cloud, or whether it will have to rely on commercial cloud providers, is a budgeting as well as a timing issue. Given current funding limitations and a shortage of qualified talent, DoD could rely on commercial firms for most cloud computing services while retaining direct oversight over security. This could be accomplished by managing all security appliances and policies from DoD Network Control Centers staffed by DoD personnel.


For comments please e-mail pstrassm@gmu.edu