Wednesday, September 22, 2010

Managing DoD IT Security in a Cloud

Moving DoD applications to commercial cloud service providers that operate outside the Department of Defense perimeter will raise concerns about the adequacy of security assurance. Presently DoD data centers rely on network perimeter barriers that are supposed to exclude transactions from outsiders. Whether these barriers are effective, given that there are hundreds of DoD data centers, is arguable. Contractors manage many DoD data centers and staff them with personnel who are neither military nor civilian employees.

Nevertheless, the prospect of transferring computing services to an external commercial firm will have to be subjected to stringent security rules. An event that a DoD data center might overlook as a minor security incident may, in the case of a cloud services provider, result in the revocation of its security certification.

DoD CIOs recognize that cloud computing offers cost savings, flexible capacity management and failover features that are advantages compared with the current DISA data centers. The CIOs are now asking whether externalizing a workload to computing clouds will degrade security. Will the auditors reject commercial cloud computing because they cannot prove that it is secure?

DoD data centers achieve security by locking up server farms, along with their electric power supply, inside a physical enclave. Software controls are then installed that include:
- Perimeter firewalls;
- Demilitarized zones (DMZs) for isolating incoming transactions;
- Network segmentation to reduce risk;
- Intrusion detection devices and software for monitoring compliance with security policies.

At present hundreds of firms sell computer hardware appliances and software packages for data center security. The problem with such devices is not only their high cost. Much effort is expended in integrating and testing the servers that support individual applications. That adds to the overhead of maintaining a separate hardware/software configuration for each application, because the workload in the data center is not pooled. As security threats rise, data center management keeps adding separate security management devices, increasing not only operating costs but also the delays incurred as transactions snake their way through multiple security barriers.

The accumulation of diverse security measures and devices increases the fragility of systems and adds to potential vulnerabilities. Each DoD data center will ultimately end up with security protection measures that are unique in how they are implemented, and therefore not amenable to coordinated oversight. It is this variety that prompted the Commander of USCYBERCOM, Gen. Keith Alexander, to state: "We have no situational awareness ... key defense IT systems remain exposed to remote sabotage."

In cloud computing the providers of services gain from the efficiencies of virtualization. Virtual machines from multiple organizations are co-located on physical resources, with the hypervisor responsible for preventing any crosstalk between them that could jeopardize security. Virtualization is therefore the key technology that enables the migration of applications into a cloud environment, where security is provided mostly through the hypervisor that controls the separate virtual machines. A third-party security appliance can be connected to the hypervisor. In this way consistent security services can be provided to every virtual machine, even if the machines run different operating systems.

One must stop viewing protection at the data center or server level as the basis for achieving security. Instead, each individual virtual computer, with its own operating system and its own application, should be viewed as fully equipped to benefit from pooled security services.

A data center may house hundreds or even thousands of virtual computers. Security in a cloud can be achieved by protecting virtual computers through the hypervisor on which they reside. In this way every virtual computer can be assigned policies, and it carries its protection safeguards as well as its security criteria (such as the grant of access privileges) with it. For instance, when a virtual machine is moved from a DISA data center to a cloud, the security of the relocated virtual machine need not be compromised, provided the destination hypervisor enforces the same policies. Multi-tenancy of diverse applications from diverse sources is now feasible, since the cloud can run diverse applications in separate security enclosures, each with its own customized security policies.

One of the characteristics of cloud computing is that it offers self-service access to computing power. In traditional data centers administrative access to servers is usually managed by on-premises staff. Adding an application calls for an elaborate process of testing and integrating it within its own security enclave. This process is time-consuming because it requires alignment with diverse settings.

In cloud computing the addition of a new application is streamlined. Integration with security measures can be nearly instant and seamless because the hypervisor already supports most of the security services. If a virtual computer can carry its own security with it when moving from one cloud to another, migration effort is reduced.
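As an added illustration of the hypervisor-attached, per-VM policy described in the two paragraphs above (this is not part of the original post, and the author names no particular product), one concrete mechanism is the network filter facility (nwfilter) that libvirt provides on KVM hosts. The policy is defined on the host, referenced from the virtual machine's network interface, and enforced by the hypervisor on the host side of the interface, so it applies whatever operating system the guest runs and the guest cannot switch it off. The filter name, domain interface, bridge name and addresses below are hypothetical, chosen for a web-tier VM that must accept HTTPS only from a load balancer and talk only to a database subnet.

```xml
<!-- Added example: a per-VM policy enforced by the hypervisor via libvirt nwfilter.
     Filter name, addresses and bridge are hypothetical. -->

<!-- Part 1: filter definition, loaded on the host with
       virsh nwfilter-define dod-web-tier.xml
     It must also be defined on any host the VM will be migrated to. -->
<filter name='dod-web-tier' chain='root'>

  <!-- Reuse libvirt's built-in filter that blocks MAC, IP and ARP spoofing
       by the guest, so the guest cannot impersonate another tenant. -->
  <filterref filter='clean-traffic'/>

  <!-- Inbound: HTTPS, and only from the enclave's load balancer.
       nwfilter rules are stateful, so reply packets are allowed automatically. -->
  <rule action='accept' direction='in' priority='500'>
    <tcp srcipaddr='10.0.1.10' dstportstart='443'/>
  </rule>

  <!-- Outbound: only the database tier on its service port. -->
  <rule action='accept' direction='out' priority='500'>
    <tcp dstipaddr='10.0.2.0' dstipmask='24' dstportstart='5432'/>
  </rule>

  <!-- Outbound DNS so the guest can resolve the database host name. -->
  <rule action='accept' direction='out' priority='500'>
    <udp dstportstart='53'/>
  </rule>

  <!-- Default: drop everything else in both directions (lowest priority = evaluated last). -->
  <rule action='drop' direction='inout' priority='1000'>
    <all/>
  </rule>
</filter>

<!-- Part 2: the VM's interface definition (inside its <domain> XML) references
     the filter by name. The policy therefore travels with the VM definition
     rather than being configured inside the guest. -->
<interface type='bridge'>
  <source bridge='br0'/>
  <model type='virtio'/>
  <filterref filter='dod-web-tier'/>
</interface>
```

The practical caveat is the one the text hints at: the VM is only as protected as the hypervisor it lands on. A destination host that does not have `dod-web-tier` defined will refuse to start the domain rather than run it unfiltered, which is the safe failure, but it means the filter definitions themselves must be distributed and version-controlled across every host in the pool, not just the VM images.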

SUMMARY
Security services can be pooled and standardized in a cloud environment to support a large number of virtual machines. Such pooled services can be managed to give DoD much improved shared security awareness.

The management and monitoring of enterprise-wide security will remain a demanding task. However, compared with the current diversity of security methods, the transfer of applications into the cloud environment will reduce costs and simplify the administration of security.

Whether DoD can rapidly implement its own private cloud, or whether it will have to rely on commercial cloud providers, is a budgeting as well as a timing issue. Given current funding limitations and a shortage of qualified talent, DoD could rely on commercial firms for most cloud computing services while retaining direct oversight over security. This could be accomplished by managing all security appliances and policies from DoD Network Control Centers staffed by DoD personnel.

For comments please e-mail pstrassm@gmu.edu