The problems with data security can be solved by learning from the past and using the technology of the future. We have transformed from the industrial age to the information age and now are moving to the collaboration age. As nanotechnology and robotics evolve, we will transform to the embedded, or immersion age, where we will work and live in virtual reality side-by-side with robots and embedded nanotechnology devices. But for now, cloud computing services are the next step along the information management journey.
Back to Basics — Information
The National Institute of Standards and Technology's (NIST) Special Publication 800-145 defines cloud computing as "a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."
Cloud computing facilitates the use of information. The warfighter and business professional need information to make informed decisions. Hence, information confidentiality, integrity and availability (CI&A) must be protected. The definitions for information, information systems and national security systems are defined in OMB Circular A-130, 44 United States Code (USC) 3502(7), 40 USC 11103(a)(1) and 44 USC 3542(A).
The Office of Management and Budget (OMB) Circular A-130 defines information as "any communication or representation of knowledge such as facts, data or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative or audiovisual forms."
44 USC 3502(7) defines an information system as "a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of information." OMB Circular A-130 adds to the end of this definition: "in accordance with defined procedures, whether automated or manual." So would you like your information in paper, plastic, plasma, metal, mineral, crystal or wave form?
Information 100 Years Ago
Assume a person had information in the form of a drawing, photograph or text on paper. The type of information would dictate the form, such as a time and date stamp on time-sensitive data or a raised seal on an official document. If the information was confidential, it was probably sealed in an envelope and stamped with an imprint or wax seal. The value of the information would decide how someone handled it. Information of no value was probably thrown away.
If of low value, the document might have been left on a person's desk. If of moderate value, it was probably placed in a folder, tagged with a reference code and stored in a file cabinet.
A document of high value was probably locked in a fire-proof cabinet, and if of national security value, additional controls most likely included storage inside a vault with guards and restricted access.
In the previous cases, access to the data was necessary. If the confidentiality, integrity or availability was compromised, the custodian of the information was at risk for breach of service, security or privacy violations, possible monetary damages, and civil or criminal charges. The owner of the data was responsible for ensuring its CI&A to those with the authority to access the information. Law enforcement authorities were responsible for prosecuting the custodian and the entity that caused the confidentiality, integrity or availability breach in cases with civil or criminal penalties.
The tenets for information CI&A security are the same in cloud computing. Assume a person has a geospatial map, an image, or electronically formatted or unformatted text. If the information is an official document, digital signatures can be used. If the information is confidential, it may also be encrypted and stored in a restricted database repository.
Meta tagging information can provide context to the information in a geospatial map, an image or electronic text. Meta data can include information regarding when and who created, modified and stored the data. Several standards have emerged for tagging data, such as C2 Core for command and control information. Tags could include fundamental information, such as the content, context, authoritative source, location, duration/expiration, and the security and privacy classification level. Cloud computing has not changed the way we handle information based on value and classification levels. If the information has no value, such as a non-federal record or a document not under a litigation hold, it could be thrown away, though the trash can may be on a computer desktop.
Low-valued information can be stored nearly anywhere (shared public or private cloud) with minimal controls. As long as there is a backup copy, the integrity of the information can be easily restored if it is compromised. If the information is of moderate value, it could be encapsulated and stored in an electronic folder, tagged with a reference code and stored in an electronic file directory or database repository. The information may be located in a shared public or private cloud.
The most valuable information would be encrypted and stored in a restricted electronic file directory or database repository, most likely in a private cloud. If of national security interest, the information would be tagged, encrypted and stored on a secured server in a restricted data center facility in a private cloud. Authorized availability of the information is necessary, and the guardians of the information are held accountable for its security, with consequences of financial penalties, or civil or criminal charges if they fail, within the appropriate law enforcement and contract governance jurisdiction.
Information Security
The confidentiality, integrity and availability of data will be potentially bound by the intersection of user authentication
The Air Force is currently defining authoritative data sources, tagging data, consolidating data centers and assessing the information and security classification levels that would require a private, public or hybrid cloud; defining identity and access management (IdAM) and governance; and as part of Air Force IT efficiencies, assessing Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) models.
The fundamental information security and privacy concerns in cloud computing are:
If the CI&A of the information is compromised, does the government have jurisdictional authority to prosecute the involved parties? This security concern is more of a contract governance concern than a technical one.
Does the government have the authority and ability to continuously monitor and audit the service providers' operational and technical controls?
Can cloud computing service providers meet the performance measures and demonstrate adequate protection, mitigation, recovery and discovery for the information?
A risk assessment of cloud computing security and privacy must be considered to ensure a secure solution is operationally viable to support government data. NIST Special Publication 500-291, "Cloud Computing Standards Roadmap," and the Federal Risk and Authorization Management Program (FedRAMP) provide a standard approach to assessing and authorizing (A&A) cloud computing services and products. Consulting federal cloud computing experts, such as Earl Crane of the Department of Homeland Security (DHS), will help to identify a number of security controls and evaluation criteria. When considering available federal resources and advanced persistent threats, some security considerations, controls and guidelines will be of greater importance than others, including the following.
A Methodical Approach
Establish an information-centric risk assessment and authorization baseline for using cloud computing shared resources in line with government standards, policy and guidelines.
Transition from the traditional system development life cycle to an information management life cycle where the focus shifts from system ownership and design to information confidentiality, integrity, availability and authorized use through service offerings.
Apply the appropriate integrity controls for service models. For example, SaaS environments focus on application integrity, such as input validation, while IaaS environments focus on file system and database integrity.
Develop cloud portability and interoperability standards to improve government information sharing between systems and the public; and reduce application and storage reengineering and interoperability costs.
Evaluate cloud compliance with system and communications protection requirements by considering compartmentalization, isolation, external and internal connections for system boundaries, routing through government authorized trusted Internet connections for perimeter protection, and domain integrity requirements, such as Domain Name System Security Extensions (DNSSEC).
Address policy and procedure cloud computing paradigm service changes to traditional government system boundary definitions, compartmentalization and inventory identification associated with data center operations and maintenance, configuration management, and physical and personnel security. The dimensions of cloud computing are shown in Figure 2.
Technical Considerations
Shift encryption and media protection from system-centric to an information-centric approach in a cloud computing environment. Data may need to be encrypted when stored and transmitted through the infrastructure to its authorized user destination. Digital rights management may be required to protect the confidentiality, integrity and information owner's intellectual rights.
Coordinate encryption key management with identity, credentialing and access management to maintain control over information stored within a cloud and distributed through multiple access paths. Maintaining the physical and logical separation of the information storage from encryption key management may be required to protect the information confidentiality and integrity. Otherwise, unauthorized entities may gain the "keys to the kingdom" to the information.
Personal Identity Verification Policy--Figure 1
• Homeland Security Presidential Directive 12 (HSPD-12): Policy for a Common Identification Standard for Federal Employees and Contractors.
• OMB Memorandum M-04-04: E-Authentication Guidance for Federal Agencies.
• FIPS Publication 201-1: Personal Identity Verification of Federal Employees and Contractors.
• NIST SP 800-63: Electronic Authentication Guideline.
• NIST Special Publication 800-73-3: Interfaces for Personal Identity Verification (4 Parts).
• NIST SP 800-76-1: Biometric Data Specification for Personal Identity Verification.
• NIST SP 800-78-3: Cryptographic Algorithms and Key Sizes for Personal Identity Verification.
• Personal Identity Verification Interoperability For Non-Federal Issuers issued by the Federal CIO Council May 2009.
|
Monitoring
Require application security controls, including code reviews, vulnerability assessments and independent validation.
Identify if government-specific security and performance requirements may not be obtainable through commercial cloud computing services. These may include personnel security background checks, which are mandated controls (and not at the discretion of the contracting government agency), operational standards, management practices and technologies.
Require additional visibility into the cloud computing service providers' infrastructure environment to perform audits and to implement robust evaluation criteria in compliance with government laws, regulations and policy. This is driven by the requirement that the respective government system and data owner authorizing official's accountability cannot be outsourced.
Require the service provider to perform continuous monitoring and near real-time audit capabilities and technologies that apply accepted general audit principles.
Apply specific tools and techniques to the deployed technology, architecture and cloud service models to provide visibility of virtualization and resource abstraction for security operators within a virtualized environment.
Compliance
Require the cloud computing service provider to implement government security, privacy and performance incident response guidelines and requirements and to accurately assess and capture appropriate evidence.
The response plans should address the possibility that incidents, including privacy breaches and classified spills, may affect cloud services and other cloud customers. This requires identification of the specific tools, techniques and training that cloud computing service providers are required to provide for complying with government security and privacy incident responses, computer forensics and evidence for the chain of custody in a cloud.
Identify and control the physical location of data and access to the cloud environment for privacy and confidentiality compliance, audit and redress requirements and breach notification issues. Review contracts, terms of service and cloud provider privacy policies to ensure compliance. Conduct privacy impact assessments and implement federal privacy requirements, such as the Fair Information Practice Principles and System of Records Notices, which are guidelines for collecting, storing and retrieving information in an electronic framework.
Analyze the cloud service providers' contingency plans and service level agreements to ensure they meet government requirements and conduct periodic reviews to address changes in requirements.
Identify the risk of cloud computing shared or pooled resources on governance, priority of services and performance during high volume or restricted volume periods of shared resource use.
Implement a cloud computing awareness and training program that focuses on the risks of information disclosure and data protection in concert with the Committee on National Security Systems (CNSS) Instruction No. 1253: "Security Categorization and Control for National Security Systems" and FIPS Publication 199: "Standards for Security Categorization of Federal Information and Information Systems" guidance.
The Future of Cloud Computing
Government agencies will move from data center consolidation to the cloud over the next few years. The intersection of identity management, credentialing, access management and data attributes will drive privilege management security solutions down from the network, system and document level to the data element level and expand the use of cloud computing. Over the next few decades, as IPv6 replaces IPv4 and robotics and nanotechnology emerge as mainstream solutions, data in the cloud will extend to new robotic devices that could interact with or be attached to humans. Continuous data feeds from unmanned land, sea, air and space vehicles will be commonplace in the cloud. Hence, the line between back office data centers and edge devices will blur into meshed node components capable of access to information from anywhere at any time. Will we have to rethink data center consolidation and cloud computing in terms of data center mobilization and cloud computing data forecasts?
Robots could provide their own mobile storage and computing power rivaling some of today's data centers. Intrusion prevention and network appliances could be replaced with interactive nanotechnology security and communication devices that attack and extinguish intrusions and viruses from within the internal operations of the robot, thus becoming the robot's autoimmune system. We will have to protect the exoskeleton exterior perimeter of the robot from physical, chemical and electronic threats, as well as the internal operations and health of the robotic system and information.
As robots interact in physical and virtual environments with humans and other transmission devices, will we have to adopt additional information and system infiltration virus protection models analogous to physiological immunology, environmental safety and viral and communicable disease control and prevention? The analogies of today's interactive environments will provide the cloud computing solutions for tomorrow.
Brian P. Burns is a member of the senior executive service and the deputy director for warfighter systems integration in the Office of Information Dominance and Chief Information Officer, U.S. Department of the Air Force.