Monday, February 9, 2009

Federal Gov hearts Cloud Computing (maybe)

And by maybe, I mean if the new Obama pick for the new E-Gov person is confirmed.

I am a regular reader of Christofer Hoff over at Rational Suvivability and have been convinced that Cloud Computing is almost as evil as Dick Cheney.

Which is why this article on Obama's pick for E-Gov chief has me more than a little worried. The article spends a few paragraphs near the end talking about moving information "into the Cloud".

Cloud Computing is not a good idea, unless the government can build its own Cloud. This would involve the entire government knowing who owns and operates the infrastructure (probably GSA). In a perfect world, it would be like the ultimate General Support System (GSS, see the 800-37 [pdf]). All the agencies would sign MOUs and SLAs. They would use common APIs and there would be coding standards. Regular security checks and web application assessments. Oh the glory of it all!

But this isn't what will happen, one or many agencies will get pissed, take their ball and go home. They'll stand up their own solutions with the help of a prime and 500 sub contractors.

A single infrastructure would help some of the initiatives that are underway. Like Trusted Internet Connections, enforcement of policies on end point systems, encrypted off-site backups, IPv6, among others.

So that's something, but the risk is not worth the reward. A single infrastructure means that the whole government could be out when a targeted attack is underway. Or that a simple misconfiguration could lead to what Google faced with its badware miscategorization. How to design to be redundant and available? Would there need to be one for classified and unclassified? Who's going to support incidents? All the usual questions that go along with a shared infrastructure.

So I don't know, I would love to put applications onto a common supportable infrastructure and have the government save a crap load of money. On the other hand, doing it correctly will take years or decades to implement and there is no guarantee that everyone will be on board.

But to even get started, the current government guidance and regulations aren't clear on the best ways to execute a cloud implementation. The new 800-37 was supposed to address this, but there doesn't seem to be any clarity there. If data is shared between two agencies on the common platform (and they both make edits), who will own the data. Lastly, there are some agencies out there trying to get an HTML page with an email address secured, let alone putting all OUR data across the Internet over a VPN.

They are going to do what ever they want though, because the appearance of competent financial management outweighs competent security practices. Until there's an incident.


DanPhilpott said...

Leaving aside the question of what the amorphous term 'cloud computing' means I think there's a more important question. Does what IT security thinks about cloud computing matter?

I'd argue that to a great degree it doesn't. I know, I know, this is heresy. We should be equal partners in assessing the adoption of new technologies. But think about how IT security reacted in the past to the following innovative technologies:

Desktop computers: "No, all our data is protected on the mainframe. Letting multipurpose terminals access it exposes it to unacceptable risk!"
PDAs: "You want our field staff to carry around our corporate secrets on easily stolen devices?!"
Internet: "There's no way I'm going to allow everyone in the world to potentially have access to our systems!"

The usual reaction among security professionals to new technologies is caution. We are necessarily a conservative bunch (well, except when it's our own adoption of technologies). And that's how it should be. But that caution doesn't always best serve the interested of the organizational mission.

Organizational needs drive IT. Each of the above technologies introduced a host of new risks and left IT security professionals scrambling to find controls to moderate those risks. None have been fully addressed, all have had the risks of use moderate by new security controls. The controls weren't available at the inception of the technologies but still organizations adopted them. The benefits from each technology's adoption was so great that the business risk of remaining with older technologies overrode the security risks of adoption.

An interesting notion to keep in mind is that the real benefits to new technologies are never clear at the point of adoption. A corollary to this futurist law would be that the security implications of the new technologies are never fully known at the point of adoption, either.

I don't know what controls will be developed to moderate the risks of cloud computing. I'm sure that control adoption will be iterative and uneven. There will be security incidents and fast, reactionary adoptions of new controls interspersed through periods of thoughtful control development. But in the long term I believe cloud computing security controls sufficient to moderate the risks of continued operation will be developed and adopted.

That is if organizational needs drive adoption of cloud computing.

By way of synchronicity I noticed that ISSA has an upcoming cloud computing web seminar:

"Supporting New Technologies - Cloud Computing and Virtualization", February 17th, 2009, 9am US PST.

Chris said...

I am going to start by saying that I agree with you. I suppose that I am attempting to caution Federal System Integrators/Developers against hitching their wagon to the Cloud idea before it is ready for prime time.

Everyone wants the new/sexy/laziness enabling thing for their environment. The same way that the firewall guys couldn't wait for IPS, because then they wouldn't have to monitor ports as closely. We all know how that turned out.

I suppose the best way to get "cloud computing" secured is for the government to try conduct a certification on a given platform. You know a good one where then spend a year trying to break the access controls and ensure no unintended mixing of data. Especially since, most organizations can't segregate date with a server and two users.

Given everything we (InfoSec Community) know about the risks of "the cloud", what are the interim controls that could be adopted? If adoption of a cloud (private or public) is inevitable, because of budgetary, manageability or whatever, how can does one convince a paranoid CISO to get on board?

And I have registered for the Webcast you provided.