Security for Cloud Computing
By Christopher Perry - Published, May 18, 2010
Achieving and maintaining information dominance will require continuous and timely advances in both technology and operational processes. Cloud computing is one such rapidly emerging area of technology and operations that the Department of the Navy is already planning for and beginning to pilot. To achieve information dominance, it is vital that all new technologies and processes, such as cloud computing, be thoroughly evaluated prior to adoption or transition to proactively assess and address the associated cybersecurity requirements, vulnerabilities and risks. This article provides a preliminary look at some of the cybersecurity aspects and concerns related to cloud computing.
What is Cloud Computing?
There is no single, common and authoritative definition for the term "cloud computing." A simple Google search readily yields a wide variety of definitions, descriptions and explanations. An authoritative source, the Information Technology Laboratory of the National Institute of Standards and Technology (NIST) has published a two-page definition of cloud computing, now in its 15th version.
The NIST definition states: "Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction." It goes on to describe "five essential characteristics," "three service models," and "four deployment models."
While the NIST definition provides a generic overview and basic foundation to begin to understand cloud computing, the relative immaturity of the concept, the variety of implementations, and the rapidly evolving associated practices, result in causing the definition and understanding of cloud computing to take on a "cloud-like" quality — nondescript, fluffy and amorphous — open to individual interpretation.
The Challenge of Security
With the uncertainty surrounding the characterization of cloud computing, it should come as no surprise then that authoritatively and precisely specifying the security requirements and controls for cloud computing is an even greater challenge.
There is, however, some good news. Since most of the underlying building blocks (e.g., servers, network and storage devices, and software — operating systems and applications) of cloud computing remain the same as those used in traditional information technology systems, much of the existing security policies, practices and solutions can be readily repurposed to fit the new cloud computing paradigm.
The validity of the security principles, requirements and methods described, for example, in the NIST publications, Federal Information Processing Standards and Special Publications, or Department of Defense guidelines, such as the Security Technical Implementation Guides (STIGs), remain germane. The main challenge is how to adapt the implementation of those longstanding principles to new business processes and relationships.
Apply Legacy Security Best Practices
The specific characteristics, service models and deployment models of a cloud computing implementation will affect how readily existing cybersecurity practices can be applied and implemented. The following are some of the security functions that will need to be adapted and/or addressed.
Security Controls Assessment and Operational Authorization. Cloud-based systems and services must be held to the same certification and accreditation (C&A) requirements as existing systems and networks. This includes security requirements definition, thorough system documentation, security controls assessment, risk analysis and ultimately the authorization to operate made by a Designated Approving Authority (DAA). The complexity of a centralized, shared and/or outsourced cloud environment could make this already arduous process much more difficult and may also require pre-negotiated service level agreements and contractual requirements that stipulate and include agreed-upon, recurring, and independent testing and verification.
Alternatively, leveraging a cloud service that has been intentionally developed with DoD security policies and requirements in mind could actually simplify and streamline the C&A process for the cloud customer. For example, the Defense Information Systems Agency (DISA) is developing a host-tenant accreditation model for its Rapid Access Computing Environment (RACE), which ensures compliance with the DoD Information Assurance Certification and Accreditation Process (DIACAP).
Security Configuration Management. DoD and federal government agencies are in the process of applying common security configuration baselines to their systems. The DoD STIGs and the Federal Desktop Core Configuration (FDCC) standard is an example of this. Such configurations must be aeadily applied and promptly updated to deploy patches and modifications by the cloud service provider in response to emergent vulnerabilities and attack methods. Additionally, life cycle configuration control practices, implemented with the oversight of configuration control boards, ensure
that risks associated with system changes are properly assessed, understood and addressed. The governance, standards, management and oversight for ensuring adequate and reliable security configuration management must be proactively addressed and defined in advance of transitioning to cloud computing.
Cloud service providers must demonstrate that they exercise an equivalent and similarly disciplined process for security configuration management that takes into account the security and availability concerns and requirements of their customers. In some existing situations, migration to centralized cloud-based systems and services may actually better facilitate standardization and implementation of security configuration management, but at the same time, the potential complexity of a combined cloud environment could ultimately make it much more difficult to secure and fragile to maintain.
Shared Resources and Virtualization. The characteristic of rapid elasticity is commonly facilitated through resource pooling and the implementation of virtualized systems and networks. The vulnerabilities and security ramifications associated with virtualization are still being assessed, and the associated security best practices are still in the process of being developed and implemented.
Even longstanding security practices, such as those related to security configuration management, need to be adapted to ensure they are promptly and reliably applied to online and offline virtual images. Additionally, processing, storage and network communication resources that are shared through rapid reprovisioning must be thoroughly and reliably cleared or sanitized to preclude controlled information. System virtualization and rapid reprovisioning could also potentially hinder or further complicate security incident forensics, and associated investigations could temporarily diminish access to cloud computing resources.
Continuity of Operations and Disaster Recovery. As with all current systems, proper measures must be taken to assure cloud-based systems and services reliably provide the requisite level of operational continuity and disaster resiliency. The inherent cloud computing characteristics of resource pooling and rapid elasticity can serve to enhance continuity of operations by ensuring prompt and reliable failover. However, unanticipated substantial resource overloading or denial-of-service conditions elsewhere within the shared cloud environment may inadvertently, unexpectedly or indirectly result in a cascading impact to another of the shared cloud-based systems or services.
Disaster recovery planning must be coordinated with the cloud service provider, thoroughly documented, and regularly tested or exercised to verify that the essential level of recovery can be attained within the requisite timeframe. Specific attention must be given to shared priorities and processes for restoration in the event of a complete catastrophic failure of a service provider’s shared cloud computing site or its resident capability.
Authentication and Access Control. Many of the current user enrollment, identification, authentication and authorization mechanisms and processes rely on local or otherwise internal resources, services and processes. A cloud environment will either need to be able to leverage and apply these methods to its access control measures or reliably replace them with community or cloud-based alternatives offering equivalent or better protections.
Relocation or replacement of existing local and/or dedicated directories with remote, wide area network (WAN) based, and/or community directories may necessitate that additional security controls be applied to ensure that account management processes remain secure and trustworthy. Cloud services and applications must be public key-enabled and must readily interoperate with and fully implement DoD’s existing Common Access Card (CAC)-based strong authentication processes.
Operation and Maintenance. The possible centralization, outsourcing and/or sharing of computing resources, brings with it the challenge of ensuring that all privileged users who configure, operate and maintain cloud-based systems, software and applications are properly cleared, controlled, monitored and audited commensurate with the collective level of sensitivity of the information being processed and stored by the shared system for which they are granted access.
Further, it must be verified that cloud service providers and their subcontractors comply with the training and certification requirements of DoD’s Information Assurance Workforce Improvement Program (DoD 8570.01-M).
Data Portability, Protection and Sanitization. In addition to the confidentiality concerns associated with shared resources, processes and assurances should be established, agreed upon, tested and verified in advance that allow for data to be readily, reliably and securely transferred on and off the system, thus facilitating portability of the service. Additionally, procedures to reliably sanitize the systems and storage media need to be likewise defined, agreed upon, and tested in advance regularly, and independently verified thereafter.
Security Monitoring, Aggregation, Analysis and Reporting. As with security configuration management, the centralization of cloudbased systems and services may better facilitate access to, and the aggregation of, security related logs and metrics necessary for analysis leading to detection and reporting of security related events and incidents. Alternatively, it could just as easily make those processes much more complex, difficult and obscure; particularly in virtualized, shared, and outsourced environments. Existing organizational policies and processes for system monitoring, log and event data aggregation and incident reporting must be considered and accommodated when planning to use, or migrate to, a cloud-based solution.
Securely Transitioning to Cloud Computing
With the experience gained and associated lessons learned from the Navy Marine Corps Intranet (NMCI), the DON is well positioned to take the next steps toward transitioning to cloud-based systems and services. NMCI has already exposed the DON to the security ramifications of transitioning many critical IT systems to a centralized and outsourced environment on a large scale, where many of the security services and controls are contractually provided by an external entity.
While concurrently planning for the Next Generation Enterprise Network (NGEN), the Consolidated Afloat Networks and Enterprise Services (CANES) and, more broadly, the Naval Networking Environment (NNE) ~ 2016, the DON is able to proactively adapt, apply and build on the cybersecurity lessons learned from NMCI to secure future cloud-computing implementations.
Additionally, the DON will be able to proceed in close coordination and collaboration with the Assistant Secretary of Defense for Networks and Information Integration (ASD(NII)), and other DoD services' and agencies' cloud computing initiatives. This will include DISA, which is already in the process of establishing the foundation for a secure Community Cloud for DoD. DISA's Rapid Access Computing Environment has been developed with DoD security policies and requirements in mind.
RACE uses a host-tenant accreditation model, standardized system configurations, the Vulnerability Management System (VMS) and the Enterprise Mission Assurance Support Service (eMASS) to ensure compliance with the DIACAP and the DISA Security Technical Implementation Guides. Finally, the DON will be able to leverage and actively participate in the ongoing community efforts associated with cloud computing headed up by NIST and adopt and apply NIST's standardized security guidelines to the DON's emerging and evolving cloud computing initiatives.
Christopher Perry is a retired naval officer and a Certified Information Systems Security Professional. He provides support to the DON CIO Cybersecurity and Critical Infrastructure Team.