11.11
Policy in the Cloud: Congress Looks at the Federal Role in Cloud Computing
By Chris Brantley and Glenn Tenney
While the idea of shared or outsourced network infrastructures and services may be old hat in the IT community, Cloud Computing represents a revolutionary technological leap forward for policy-makers in Washington and in the states, who must grapple with new issues related to security, privacy, law enforcement and more using an increasingly outdated structure of laws and regulations.
Not the least of these issues is the potential that Cloud Computing offers governmental agencies to enhance their mission-oriented services while reducing IT-related costs in a time of significant budget constraints. Enthusiasm for the Cloud, however, is tempered by concerns about the potential vulnerabilities of sensitive government functions and data hosted in a Cloud environment.
The federal government’s plans for use of Cloud Computing services and associated security issues were the focus of two congressional hearings held earlier this Fall in Washington, DC.
Opportunities and Challenges
On 21 Sept., the House Subcommittee on Technology and Innovation held a hearing on "The Next IT Revolution?: Cloud Computing Opportunities and Challenges," which focused on the innovation and efficiency opportunities associated with cloud computing, the challenges restraining its widespread adoption, and the status of federal initiatives to adopt cloud computing.
In his introductory remarks, Subcommittee Chairman Ben Quayle (R-AZ) noted that "Cloud computing has the potential to be the next wave. Its widespread adoption offers significant opportunities for new innovation, and productivity gains for both the public and private sectors."
He cautioned, however, that there is "a range of challenges that will need to be addressed before its potential is fully realized." In particular, he noted that "cybersecurity is a major concern for many users who are considering moving their computing functions to the cloud. Users must have confidence that their data and applications will be secure and that their privacy will be protected. Further, cloud service providers will need to offer users different tiers of security depending on sensitivity of their data."
Michael Capellas, chairman and CEO of the Virtual Computing Environment Company, testifying on behalf of the TechAmerica Foundation, emphasized the revolutionary potential of cloud computing, stating that "cloud computing has the potential to both reshape the IT landscape and shift wealth between nations. Trillions of dollars of global economic wealth will be based upon competitiveness in our 24x7 world. Cloud computing as a foundational element to IT can make companies, agencies and organizations more nimble and competitive by boosting productivity and increasing the speed of business."
In his testimony, Daniel Reed of the Microsoft Corporation underscored the potential of the Cloud for accelerating scientific discovery and research. Noting that "scientists and engineers are now drowning in a sea of data" and that "many of our scientific, engineering and societal questions increasingly lie at the intersections of traditional disciplines", he recommended that "federal research agencies should embrace the cloud to host large-scale data sets, accelerate scientific discovery and create new opportunities for data intensive exploration and multidisciplinary collaboration."
Addressing the cybersecurity implications of the Cloud, Nick Combs of EMC Corporation suggested that the move to the Cloud would enhance cybersecurity by allowing IT and security resources to be redirected away from the protection of disparate and legacy "stove-pipe" IT systems toward more efficient, centralized monitoring, management and security solutions for Cloud-based infrastructures. Smaller organizations in particular could benefit from the advanced security provided on Cloud platforms, which also have the advantage of spreading the costs of that security amongst hundreds or even thousands of Cloud customers.
Dr. David McClure testified on behalf of the federal General Services Administration (GSA), noting that "Cloud computing offers a compelling opportunity to substantially improve the efficiency, agility and performance of the federal information technology portfolio. It allows agencies to pay only for the resources they use in response to fluctuating demand, avoid the expenses of building and maintaining costly IT infrastructure, and control the appropriate level of security for data and applications. Cloud computing is also a key technology for achieving cost effective IT."
Witnesses also highlighted the need for open and flexible standards that provide interoperability and data portability within the cloud as essential to staying at the forefront of cloud innovation.
Security Implications of Cloud Computing
The House Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies held a related hearing on the cybersecurity implications of cloud computing on 6 October.
In his opening statement, subcommittee chair Rep. Dan Lungren (CA) noted that while the Cloud’s potential to enable significant savings in government IT expenditures was important, "we can’t ignore the information security risks created by Cloud technology," and added that "assessing those risks responsibly will be critical if Cloud Computing is ever going to be widely accepted." Citing GAO data showing that IT-related security incidents at government agencies have increased 650 percent over the past five years, Lungren cautioned that "the cloud offers a rich target for hackers, criminals, terrorists and rogue nations."
The first panel of witnesses provided an overview of federal efforts to date in implementing cloud computing and ensuring information security.
Richard Spires, CIO for the U.S. Department of Homeland Security (DHS), stressed the benefits that the Cloud offers to DHS’ IT operations, but pointed to the Federal Cloud Computing Strategy, which provides that "…it is not sufficient to consider only the potential value of moving to cloud services. Agencies should make risk-based decisions which carefully consider the readiness of commercial or government providers to fulfill their Federal needs."
Spires added that "it is important to recognize that many federal departments and agencies are targeted by Advanced Persistent Threat (APT) campaigns by adversaries that attempt to compromise government information systems to further their own objectives. These APT campaigns are aggressive, well financed, and difficult to detect and prevent. APTs target the systems necessary to achieve their goals, regardless of the cloud or traditional computing environments in use by the federal department or agency."
In evaluating Cloud options, Spires observed that "some cloud environments have capabilities necessary to defend against and provide recovery from these threats, such as advanced monitoring capabilities and cleared information security professionals, while other cloud environments may not, because the increased costs to provide these security capabilities may price their cloud offering outside of the competitive marketplace for their customers."
With those provisos, Spires reported that DHS is committed to nine current and planned cloud services, including email, collaboration, development and test services, remote access to virtual desktops, etc. To address the security concerns, he noted that "we are establishing private cloud services to manage sensitive but unclassified information, while using the public cloud for non-sensitive information."
GSA's McClure testified that Cloud platforms will enable federal agencies to consolidate and virtualize the more than 2,000 federal data centers, allowing the federal government "to maximize value in IT investment dollars while substantially lowering costs — an essential focus given federal budget constraints."
To help manage security risks, McClure described the new government-wide cloud security program — the Federal Risk and Authorization Management Program (FedRAMP), which sets baseline security assessment and continuous monitoring requirements for low and moderate impact risk levels using NIST standards that must be adhered to by all federal cloud systems. By eliminating the need for each agency to conduct its own security certification and accreditation process for every IT system acquired, FedRAMP is designed to eliminate unnecessary expense, duplication and inconsistency in the application of NIST security controls testing, evaluation and certification procedures.
According to McClure, FedRAMP will enhance security by providing "more robust continuous monitoring, providing real-time detection and mitigation of persistent vulnerabilities and security incidents."
Gregory Wilshusen of the Government Accountability Office (GAO) testified that Cloud Computing has both positive and negative information security implications. On the plus side, the use of virtualization and automation helps enable secure configurations for virtual machine images. The Cloud’s reliance on the Internet reduces the need for information storage on removable media. The Cloud also provides low-cost disaster recovery and data storage options that might otherwise be prohibitively expensive.
On the other hand, Wilshusen noted that many government IT professionals are concerned about the potential for ineffective or noncompliant service provider security controls, the loss of physical control over agency data and information, and potentially inadequate security investigations of service provider employees, which could lead to an increased risk of wrongful or malicious activities. Another perceived risk is inadvertent access to sensitive data resulting from "multitenancy," the sharing of computer resources by different organizations.
In his testimony, Wilshusen concluded that federal efforts to ensure information security in the Cloud are still a work in progress, noting that "OMB has issued a cloud computing strategy; however the strategy does not fully address key information security challenges for agencies to adopt cloud computing. The CIO Council and GSA have also developed a shared assessment and authorization process, but this process has not yet been finalized. In addition, NIST has issued several publications addressing cloud computing security guidance. Although much has been done since our report, continued efforts will be needed to ensure that cloud computing is implemented securely in the federal government."
The second panel of witnesses, several of whom participated in TechAmerica Foundation’s Commission on the Leadership Opportunity in U.S. Deployment of the Cloud (CLOUD2), provided a private sector perspective.
James Shaeffer of the Computer Sciences Corporation observed that "the Internet was originally designed without a primary focus on security; since then computer security specialists have played catch-up." As a consequence, firewall technologies for cloud architectures "are just now becoming available, and they remain largely untested."
Shaeffer added that "clear, understandable and verifiable standards" are essential for building trust, but that "the required security standards for cloud computing are not yet in place." He also cautioned that "cyber threats are serious and dynamic — and becoming more pernicious. Business and government alike face threats much more severe than in the past, and more likely to change and do so swiftly."
Timothy Brown of CA Technologies provided a Cloud service provider's perspective on the issue of security, noting that "CA Technologies believes that the responsibility for securing the cloud lies with both the providers and the consumers of cloud solutions. The cloud is neither inherently more nor less secure than other IT services and solutions. Generalized concerns over cloud security on the one hand, and arguments that the security risks in the cloud are overblown on the other hand, have muddied the waters to the point that policymakers and practitioners are experiencing security schizophrenia."
James Bottum, CIO for Clemson University, noted that the Cloud security challenges that Clemson faces are typical of other higher education institutions and include insecure interfaces, malicious insiders, shared technology issues, account or service hijacking, and unknown risk profiles. According to Bottum, Clemson "has implemented a series of policies, best practices, and controls that provide for increased protection, but know that nothing is 100 percent ‘bullet-proof.’" Staying ahead of the curve of threats and vulnerabilities is a continual challenge, which Clemson addresses through a variety of best practices, starting with rigorous human resource procedures.
Rounding out the panel, John Curran of the American Registry for Internet Numbers cautioned that "cloud computing may actually heighten the difficulties that Federal CIOs face in some areas if not carefully managed" and noted four areas likely to pose increased risks due to the introduction of cloud computing:
- Interaction of cloud computing services with federal cybersecurity initiatives
- Physical location of cloud computing facilities and data
- Migration between vendors of cloud computing services
- Evolution of cloud computing services with Internet technologies
Curran offered that "the question of actual physical location of the federal IT system is highlighted when the cloud service provider has facilities which are outside of the United States" and noted that the new FedRAMP security program does not currently address the question of location.
On the subject of vendor migration, Curran suggested "the ability to extract agency data in standard formats from cloud computing services (whether that be application data such as mail messages and mailing lists, or system data such as the virtual server, storage, and network configurations) is essential to be able to migrate between cloud vendors. Lack of this capability means vendor lock, eroding the financial benefits of cloud computing and preventing timely response."
In closing, Curran observed that the Internet is constantly evolving through the introduction of new standards and technology, and noted efforts underway to improve the overall security of the Internet, including the DNSSEC initiative to secure the Domain Name System, the forthcoming Internet Protocol version 6 (IPv6) and ongoing work on Internet routing security.
He concluded that "it is crucial that the FedRAMP program clearly and unambiguously incorporates DNSSEC and IPv6 into the FedRAMP baseline, and that ongoing developments in Internet-wide security technologies are promptly incorporated as they reach maturity."
To Be Continued. Part Two of this series will summarize specific Cloud Computing policy issues facing federal and state law-makers. Part Three will focus on cyber-security legislation currently moving through Congress and its Cloud implications.
For More Information
Cloud Computing: What are the Security Implications?, Hearing of the Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies, Committee on Homeland Security, U.S. House of Representatives, 6 Oct. 2011. Online at: http://homeland.house.gov/hearing/cloud-computing-what-are-security-implications
The Next IT Revolution?: Cloud Computing Opportunities and Challenges, Hearing of the Subcommittee on Technology and Innovation, Committee on Science and Technology, U.S. House of Representatives, 21 Sept. 2011. Online at: http://science.house.gov/hearing/technology-and-innovation-subcommittee-hearing-cloud-computing
The Federal Cloud Computing Strategy, Vivek Kundra, U.S. Chief Information Officer, The White House, 8 Feb. 2011. Online at: http://www.cio.gov/documents/Federal-Cloud-Computing-Strategy.pdf
The NIST Definition of Cloud Computing, Special Publication 800-145, National Institute of Standards and Technology, U.S. Department of Commerce, Sept. 2011. Online at: http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
The Federal Risk and Authorization Management Program (FedRAMP). Online at: http://www.cio.gov/pages.cfm/page/Federal-Risk-and-Authorization-Management-Program-FedRAMP
Chris Brantley is IEEE-USA's managing director in Washington, D.C.
Glenn Tenney is a senior member of the IEEE and has been chair and vice-chair of the IEEE-USA Intellectual Property Committee. He is a software and systems architecture designer and an information security professional, and has been a consulting expert on several patent-related lawsuits.
Comments may be submitted to todaysengineer@ieee.org.