Are Cloud Computing concepts applicable in secure national security and law enforcement arenas (i.e. Defense, Homeland Security, Intelligence, Justice)? If so, how? If not, why?
Good Answers (8)
George M
Senior Computer Systems Engineer at University of Oslo
Best Answers in: Computers and Software (1), Information Security (1)
I have been asked to informally consult on this issue and I am a bit sceptical about the storage aspect of cloud computing. The client I was consulting for had some serious legal issues in relation to storing data outside certain geographical boundaries (where the cloud provider(s) were) which was a big obstacle from the very beginning. Whilst lawyers resolved the legalities, we solved data privacy concerns by enabling proprietary strong encryption for the stored data, a standard practice for many serious corporations, irrespective of where they have their backup/disaster recovery or remote data centers. And the same holds true for outsourcing/clouding data processing (number crunching) workloads from the grid days.
In my opinion, the weakest point is the availability issue of the security aspect. Lots of cloud providers are able to deliver the cost advantage because they rely on the greater Internet infrastructure to link servers and client areas. This works most of the time and in fact, most of them can negotiate uptime conditions for leased lines, with reserved capacity via large Telecom providers. However, the second option is not cost effective and in my own experience is often not immune to a variety of Internet issues (DDoS on leased lines are rare but they do exist) and they often do not offer full control to the DoD for technical aspects (preserving QoS end-to-end for VoIP is an example) for a reasonable cost or allow for buffering of latencies (Satellite traffic). I am not saying these problems exist everywhere, but speaking for my own Defense client, the availability assurance did not fit their requirements. Sure, Defense budgets are shrinking, but they do not shrink to the extent that they cannot afford for the storage of the most critical data tier (GPS databases, C&C systems, basic VoIP and operational data streams) in house and using their own routers (there are ministries that do actually own their own fiber).
Only my honest opinion and I'll be glad to listen to how others have tackled the availability issue.
I think they are certainly applicable. Speaking specifically of Amazon's Web Services, security is one of the main pillars of the platform and all of their services provide the ability to lock down access.
Auditing security on well-known cloud computing platforms is actually much simpler than in-house computing as knowledge of the systems in use is much more broad and transparent. Of course this all depends on the security promises of the cloud computing platform, but in general I think there are a lot of benefits of using cloud computing for such projects.
A few examples specifically -- EC2 allows the creation of different security groups to configure firewall access, the queue service is accessible over HTTPS, S3 storage is accessible over HTTPS if desired (or made completely private).
You should certainly stay away from some concepts such as browser-based uploads, public buckets, and such.
Bill B
Sr. Advisory Enterprise Architect at Tectura
Best Answers in: Enterprise Software (3), Inventory Management (1), Supply Chain Management (1)
They already are, and have been for quite some time. They are just not being used in the current, commercial perspective. Cloud computing is not new, it's just been previously unavailable for pennies to pretty much anyone who has the knowledge to take advantage of it.
Patrick G
Senior Information Technology Business Consultant at Agency for Workforce Innovation, State of Florida
Best Answers in: Computers and Software (1), Databases (1), Software Development (1)
I would agree with Bill Barr - the concept has been around for some time now and has certainly been implemented, though I could not personally point to a specific implementation off hand.
HOWEVER - even though it is not new; once a concept like this becomes an industry buzz-word then it gets that glossy new paint job and must be proven all over again.
I can imagine that many business strategists or security architects who are new to the concept will balk at the idea of allowing information to live in a cloud they don't control and will likely propose some sort of "special cloud" of their own - thus defeating the ROI altogether...
"Hey You...Get Off of My Cloud" - Rolling Stones (1965)
Cloud Computing concepts in secure (trusted) information sharing environments are applicable; however, they involve some additional complexities that other environments do not. These environments should adhere to published data, security, infrastructure and interoperability standards (e.g. W3C, OASIS) and by default should be cross-domain (e.g. DoD, IC) compliant following prescribed national security requirements.
Cloud computing should improve situational awareness by providing an environment supportive of mash-ups and other business intelligence tools. Cloud computing should create a more efficient use of resources, better protect the assets and create extended, collaborative communities with improved mission focus.
Successful cloud computing deployment should include the ability to appropriately label the information. The integrity (classification) is critical and could be established by cryptographic binding, authoritative information servers or other similar methods. Other issues to be resolved would include attestation and data aggregation tools (e.g. document made up of multiple information pieces may end up with classification higher than the parts); enhanced Discovery tools (central to cloud computing) should include some level of need-to-know enforcement.
I think this is just the tip of the iceberg.... or is that a cloud illusion I recall (Joni Mitchell: Both Sides Now 1969) ;-)
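The labelling points in the answer above, sketched as an added example that is not part of the original answer: a classification label is bound to its data with a keyed MAC so that relabelling is detectable, and a compiled document is never marked lower than its highest part. HMAC-SHA-256 stands in here for whatever binding mechanism a real system would use; the marking names, their ordering, the key and the sample parts are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Assumed ordering of markings, lowest to highest (not taken from the page).
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]


def bind_label(key: bytes, label: str, payload: bytes) -> bytes:
    """MAC over a length-prefixed label plus the payload, so the label
    cannot be changed or shifted into the payload without detection."""
    if label not in LEVELS:
        raise ValueError(f"unknown label: {label!r}")
    encoded = label.encode()
    msg = len(encoded).to_bytes(4, "big") + encoded + payload
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify_label(key: bytes, label: str, payload: bytes, tag: bytes) -> bool:
    """Constant-time check that this label was bound to this payload."""
    try:
        expected = bind_label(key, label, payload)
    except ValueError:
        return False
    return hmac.compare_digest(expected, tag)


def aggregate_floor(labels):
    """Lowest marking a compilation may carry: the highest marking among its
    parts. A reviewer may still raise it; software must never lower it."""
    return max(labels, key=LEVELS.index)


def compile_document(key: bytes, parts):
    """parts: list of (label, payload, tag). Rejects any part whose binding
    fails, then binds the aggregate floor to the combined payload."""
    for label, payload, tag in parts:
        if not verify_label(key, label, payload, tag):
            raise ValueError("label binding failed for a part")
    label = aggregate_floor([p[0] for p in parts])
    payload = b"\n".join(p[1] for p in parts)
    return label, payload, bind_label(key, label, payload)


# Constructed sample data and key, for illustration only.
KEY = b"demo-key-held-by-the-labelling-authority"
PART_A = ("CONFIDENTIAL", b"unit roster")
PART_B = ("SECRET", b"deployment schedule")
```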
Compared to "on site" storage - I hear the argument that it is MUCH MORE secure in the cloud.
Most often a security breach comes not from the network - but the people who have access to the network.
So if you eliminate the access, via the cloud, then you lessen the chance of break in.
In the cloud model - you only have to worry about your server's network security. (And I guess the handful of people who have physical access.)
Andy G
CEO Continuity Engine, serial entrepreneur, SaaS guy
Best Answers in: Business Development (1), Product Design (1)
Cloud computing is mainly about scale. Google and Amazon have such massive deployments that the operational costs of the resources dwarf most organizations. If we look at the governmental apparatus and think of it as a client of computational resources it is indeed very big. It would seem to me that given their possession of adequate scale they could simply run a private infrastructure for themselves and have their own cloud. The question for most cloud deployments is can IT folks get over the necessary issues to deploy their applications in this model? If they can the economic difference between a public cloud like Amazon and their own private one shouldn't be significant. The technical concepts are certainly applicable, but I wonder if the "security issue" is used as an excuse to avoid the change of deployment logistics for internal IT groups.
I think we're going to see an increase in grid computing and cloud computing concepts as the costs drop and the benefits become more tangible. I think national security implementations are prime candidates for early adoption of such technologies - beyond whatever may already be in place now - simply because of the massive scale of the computing effort, storage, and general computational requirements of such massive data sets. I agree with Andy's comment that "Cloud computing is mainly about scale." The examples mentioned - Google and Amazon - are commercial entities that have sufficient processing needs to warrant such technology. I think we'll see gravitation to cloud computing by other data-intensive industries like insurance, modeling/analytics, weather prediction, etc. as semi-early adopters, now that the technology (even though it has been around for a while) seems to be reaching a tipping point. But the national security "industry" already has a tremendous need and as a "customer" would be a great candidate for these applications. Of course, we could have a healthy debate about the pros and cons of security with these types of implementations, but that's a topic for another post.
More Answers (1)
The whiteboard used to iron out all the 'gotchas' in a Cloud Computing environment for secure national security and law enforcement arenas would stretch around the Bronx Zoo (i.e. the baseball stadium)... the whiteboard that has the hardest task is the one where the agency security guys tick 'yes'... but hang on, aren't Seisint, LexisNexis et al. and other data collection agencies doing this already...(?)