Securing the Cloud @FedScoop CyberSecurity Summit

BobGourley

This panel featured some heavy hitters from government and industry.  This was moderated by Suprotik Ghose, Principal CyberSecurity Strategist, Microsoft.


  • Mike Krieger, CIO of the Army
  • BG Steven Spano, Director of Communications, Air Combat Command, Langley AFB
    • Responsible for operations and communications of 100k Airmen @ Air Combat Control
  • Jeff Casazza, Director of Security, Intel
    • 22 years at Intel, with 10 years in the Data Center group
    • Focused on security technologies and innovation at the Data Center level
  • Michael Howard, Worldwide Manager, Security Solutions, HP
    • Working with threats and risks associated with printing
    • Navy cryptologist experience as well as experience with 3-letter agencies
  • CJ Moses, Senior Manager, Amazon Web Services
    • Senior Manager of security for AWS
    • 17 years of federal service as a computer crime investigator, including time @ JTF-CND

Question #1: Are we building a cloud infrastructure without thoughts toward security and privacy?

Michael Howard – Looking at FedRAMP, HP is working towards fulfilling those requirements to provide a secure cloud environment.

BG Spano – Looking at past models within DoD/USAF, the solution to challenges was to throw capacity (processing/bandwidth/hardware) at them; now we see that capacity will not solve the complexity problem. We need to step back to see if security and privacy is a mask for trust and control, or if it is just the step to centrally provided services (cloud). Do we look at risk management from a defense-in-depth perspective, which is outdated, or completely change the model? We must look at cloud not as "where" we do computing, but rather HOW we do computing.

Jeff Casazza – Intel is focused on creating the foundation for secure solutions. He often sees that a lot of security technology is ignored by both industry and government for years. He sees that out of the 1.25M sites available, less than 1% are even using SSL. There is a need to embrace and adopt simple encryption. Encryption was often ignored because of alleged difficulties.

CJ Moses – If the internet was the first generation of advanced IT and cloud is the second generation, the internet was focused on being a communication platform, but cloud is not focused the same way. The number one priority for AWS is now security; customer privacy and trust are the key to their services, and communications and capabilities fall under security.

Mike Krieger – Has three priorities:

1. Operational effectiveness
2. Security
3. IT efficiencies

The hardest thing he finds is to plan for IT dollars. He has an agency in DoD building a defense cloud and is seeing migration issues in moving to the cloud. The hardest thing is to keep the operational effectiveness for mission-critical troops while dropping costs and maintaining security.

Question #2: When applications are moved to cloud, what are some of the considerations that they should have?

Mike Krieger – The Army has 300 data centers which are not connected to the DoD/IC 10GB backbone. Data centers have been built just to create localized efficiencies. The challenge for CIOs is to put policies in place to kill dead applications, to virtualize them, and then to put them in the cloud securely. One question is what policies are necessary for movement to the cloud. There is a need to force authentication or drop applications. The presidential directive to consolidate data centers creates a huge opportunity to clean up and shut down dead applications, as they must be moved to data centers.

CJ Moses – Cloud cannot fix past mistakes. But when looking at migration, use lessons learned from past mistakes and move forward into a data portability model. When tied to an application-specific stovepipe/vertical, there is a worry of vendor lock-in. Data must be portable, capable of being used in many places, supporting multiple activities. Every federal agency that AWS has worked with has had this issue. When building a next-generation architecture, ensure data will be able to be used across government.

Jeff Casazza – The Open Data Center Alliance (ODCA) is trying to define industry requirements. It is designing the requirements of the future private sector (which will be mirrored by the public sector). The key is data portability to prevent stovepipes. Look to ODCA for standards when defining architecture.

BG Spano – Cloud is just centralization of services, providing integration, interfacing and agility. With migration toward hosted e-mail, we must look to other applications across functional boundaries that need e-mail notifications. The need for agility outweighs the need for efficiency. The biggest potential up front is software as a service (SaaS) and the thousands of applications possible. He sees SaaS as the on-ramp towards the cloud.

Michael Howard – Cloud provides the opportunity to make security a standard for applications. Applications must reach the security standards before being added to the cloud portfolio.

Question #3: What are you doing to enable continuous monitoring as outlined in FedRAMP?

Jeff Casazza – A chip from the TCG (Trusted Computing Group) consortium checks lower-level BIOS and other all-but-untouchable capabilities. Intel is working with RSA + HP to provide continuous monitoring of low-level functions. By checking low-level functions, it can cover things that are not easily touched by malicious action.

Mike Krieger – Cannot get to continuous monitoring without 100% visibility of the network. Feels that he is at 70% right now and aims to achieve this by the end of 2011. The hardest part is creating the aggregation points that are cross-domain. He is using 3 different vendor solutions to aggregate network data; the hardest part is for SOA to come up with an XML schema (gathering 256 pieces of metadata for every network access) that can amass data and communicate. There is a need to come up with an architecture that is implementable for continuous monitoring.

BG Spano – Sees continuous monitoring as a trade-off. Many FISMA requirements are manually intensive, requiring compliance with checklists. Dollars need to be spent better: not to check boxes, but to maintain continuous monitoring (which informs and provides ACTUAL security).

Questions from audience

If you had architecture and monitoring in place, could the system not complete the checklists?

CJ Moses – Continuous monitoring is not new, except in the federal space. On a cloud system, one API call can provide data for completion of checklists.

Mike Krieger – How do you do API calls to multiple clouds and multiple firewalls?
