The United States government and President Obama are taking steps towards implementing a “cloud-first” computing policy, something that has been debated over the years, but never fully realised.
Moving computing to the cloud would certainly be a more eco-friendly and efficient choice when it comes to government processes, but security analysts worry that moving sensitive information to the cloud could have catastrophic consequences.
In an interview with TechEye, Rob Housman, Washington DC-based Cyber Secure Institute's Acting Executive Director and Chairman of the Board, said that moving information to the cloud does have its benefits, even from a security point of view:
“The benefit is efficiency - you don’t need as many redundant systems and fewer 'digital roadblocks,' from a tech standpoint and an environmental standpoint. There’s more work flexibility - people can access their stuff from anywhere.”
From a security standpoint, Housman mentioned, “In some sense there is a security benefit. If you have everything in the cloud and you can control the access points, then you can protect everything really, really well. You can funnel people through controlled access points and in that way you can make it easier to track and know what’s being accessed by whom.”
That said, Housman stated that now is the time when the government should be putting an emphasis on security and safety rather than saving money and going for the tried and true “hack and patch” approach when problems arise.
Analysts are worried that security may not be the number one priority for the government based on a quote from Jeffrey Zients, the federal government’s first chief performance officer, who announced last week that federal agencies would be moving to the cloud “whenever a secure, reliable, cost-effective cloud option exists.”
Looking towards the long run, perhaps it would actually be more cost efficient to employ the costly option that provides better security.
Housman described the cloud as a storehouse of information that can be compared to an apartment building. He mentioned that once a thief is past the doorman in front, it is easy for him to get into the apartments within. Will the person climb from balcony to balcony? Or might they just break down the front door? To combat this, Housman describes the first line of defence in cloud security as access controls. Within the cloud you have to break up the data into sections and give access only with the right credentials and passwords. “If you want to get into the part of the cloud that looks like the chocolate chip cookie, you have to have that particular access code.”
Aside from access controls within the cloud, Housman explains the importance of analysing the cloud computing companies that will be providing the service. Of course that means utilising the best cyber security technology available as well as running scans like penetration tests and evaluating updates. Housman argues that it’s also important to evaluate the patchwork of the company itself.
What kind of staff access does the company have to the cloud and what kind of credentials and certifications do these staff members have?
When answering this question, Housman brings up the example of the Pentagon’s SIPRNet air gap security system, which was considered a super strong and safe option but was breached by Pentagon employees who were stealing information using flash drives. For reasons like this, Housman argues that it’s important to evaluate the internal patchwork of these cloud computing companies to ensure security up front. Is data stored offshore of China protected by a chain link fence and guards that are paid minimum wage? To return to the apartment analogy, Housman emphasises the importance of knowing your neighbour within the cloud. Who are you sharing information with in the “multi-tenancy of cyberdom”?
“Cloud computing is a technology the government doesn't want to avoid. The question is, are they going to do it the right way? Because we have a history of not doing things the right way as far as IT security goes,” warns Housman.
When TechEye asked Housman if he thought the government cloud would be a major target for hackers, Housman emphatically responded, “Would you rather steal a regular wallet, or a wallet with millions of dollars in it?” He explained that hackers in China and Eastern Europe are constantly pinging systems, looking for a way in to steal or plant something for when they really need it. “We only fix holes we know about. The smart guys are in the code and we don’t even know they’re in there.”
As far as cloud computing companies go, Google recently sued the government, claiming that a Request for Quotation for cloud-based messaging and collaboration services was written in favour of Microsoft, so it’s pretty much up in the air which cloud computing company the government will go for. But neither has a stellar security record.
The bleak reality of the situation is that with our current technology, there is a strong probability of attack. This is why Housman and his team at the Cyber Secure Institute are putting such a strong emphasis on planning, partitioning of data, and security.
Housman ended our conversation by stating, “You can't worry about cost. You have to worry about security. Put cyber security first and foremost, above efficiencies.” Only time will tell if the government gets it right.