Head in the Clouds: DoD Turns to Cloud Computing
The term “cloud computing” has been floating around the commercial IT sector for a number of years. It describes how large-scale computer infrastructure can tap the power of the Internet to perform complex tasks. Cloud computing allows organizations to save money and increase flexibility by using shared IT resources, such as applications, storage devices, and servers.
The DoD wants to tap into those benefits. In May 5/09 testimony [pdf] before a US House panel, Pentagon cybersecurity official Robert Lentz offered the following prediction about the benefits of cloud computing for DoD:
“A cloud is…an ideal place from which to make capabilities available to the whole enterprise. While, in the DoD, we have encountered challenges moving towards a service-oriented architecture (SOA), in the private sector, companies like Google and Salesforce are basing their business models on an insatiable public hunger for software and applications as a service. Emulating their delivery mechanisms within our own private cloud may be key to how we realize the true potential of net-centricity.”
This article examines the development of cloud computing and how DoD is tapping into that technology for its computer networks, as well as the challenges faced by DoD in its effort:
Cloud Computing: The Basics
Cloud computing is a type of computing where massively scalable IT-related capabilities are provided “as a service” to multiple external users via the Internet or large-scale private networks. What it offers is a way for users to increase capabilities without investing in new infrastructure, training personnel, or buying a software license.
Cloud computing enables computer users to use services without necessarily understanding the technology or owning the infrastructure. Through the cloud, users share resources, software, and information on-demand.
The closest analogy to cloud computing is the electricity distribution grid. A power company owns the infrastructure, a distribution company distributes the electricity, and the end user “consumes” it but does not own or operate the electricity network.
According to the US National Institute of Standards (NIST), cloud computing has the following characteristics:
- “On-demand self-service. A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service’s provider.
- Broad network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs).
- Resource pooling. The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, network bandwidth, and virtual machines.
- Rapid elasticity. Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time.
- Measured Service. Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported providing transparency for both the provider and consumer of the utilized service.”
Service with a Smile: Cloud Service Types
There are many types of IT services that can be provided through a cloud. NIST identifies the following 3 cloud service models:
Software as a Service (SaaS) – The consumer uses the provider’s applications that run on a cloud infrastructure. The applications are accessible from various client devices using web browsers. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities.
Platform as a Service (PaaS) – The consumer deploys onto the cloud infrastructure consumer-created or acquired applications developed using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure, but has control over applications and hosting environment.
Infrastructure as a Service (IaaS) – The consumer is able to deploy and run software, which can include operating systems and applications, onto the cloud infrastructure. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and selected networking components (e.g., host firewalls).
DISA’s RACE to the Cloud
There are a number of DoD cloud computing applications and models [pdf] for DoD to follow in implementing cloud computing. Here are four primary models:
- Use commercially provided cloud services;
- Deploy cloud computing within DoD networks;
- Develop a multi-agency cloud computing network for data processing and storage;
- Develop a combined DoD/commercial provider system.
The Defense Information Systems Agency (DISA) is trying the second model – a DoD-managed cloud computing environment called the Rapid Access Computing Environment (RACE), which enables DoD users to access virtual services and storage from a Web portal. DISA manages the IT infrastructure for 4 million DoD users and operates 14 data centers around the world.
The RACE portal defines the system as follows:
“This quick-turn computing solution uses the revolutionary technology of cloud computing to give you the platform that you need today, quickly, inexpensively and, most importantly, securely.”
Developed by HP, the RACE portal enables DoD customers to purchase computer operating systems, applications and services through the use of the portal, which has shopping cart features. Just like ordering books from Amazon.com, DoD users can add computer services to their shopping cart and pay for them with a government credit card.
In addition to convenience, DISA hopes RACE will save the DoD hundreds of millions of dollars, estimates Henry Sienkiewicz, who manages the RACE system.
“We look at the way our young warfighters are looking to consume apps and data. We need to have the ability to develop and deploy applications within the timeline of the military decision cycle,” Sienkiewicz told last year’s Gartner Data Center Conference in Las Vegas.
Convincing DoD brass to adopt cloud computing has not been easy. “This is very much a cultural shift. Three quarters of our battle is on the cultural side, not technology. At the Defense Department, we have all sorts of cultural impediments and inertia,” Sienkiewicz said.
An important RACE goal is to reduce duplication of effort and documentation. By providing one place where DoD documents are stored and providing access throughout DoD, DISA hopes to reduce the time and resources needed for document storage and retrieval.
There’s an App for That: DoD’s Storefront
Another DoD cloud computing project is called Storefront. It’s a Web services site similar to Apple’s App Store. Storefront allows users to download large business applications and services from the site.
“If I, as an end user, need a capability, there’s an app for that,” Dan Risacher, DoD Cloud Computing Storefront project lead, told the 2009 Network Centric Operations Industry Consortium Cloud Computing Workshop.
“Part of the DoD Storefront project…is to test our hypothesis of how we can better provide services,” he said.
In his workshop presentation, Risacher laid out the DoD Storefront vision:
“Create a single NIPRNET [unclassified network] access point for DoD CIO to share its information and knowledge with authorized consumers in the DoD enterprise.”
Storefront users use a single sign-on credential to download DoD services and apps, messaging services, data center storage, shared file systems, and the Defense travel system.
Risacher said the Storefront project differs from other cloud-based, one-stop shops because it will offer instant access to tools and easy authentication. The Storefront site allows users to download personalized applications immediately and start using them on their browsers.
Storm Clouds Ahead: Top Security Threats
Probably the biggest concern expressed about the US military’s use of cloud computing is information security. DoD’s current information security structure is designed for an operating-system-based IT infrastructure, not a cloud configuration where resources are distributed over many systems owned and operated by many different entities.
In a March 2010 report, the Cloud Security Alliance identified [pdf] 7 security threats posed by cloud computing:
- Abuse and Nefarious Use of Cloud Computing – The ease of the registration process for services over the cloud opens up the cloud environment to abuse by spammers, malicious code authors, and other criminal elements. Solution: strengthen security of the registration process.
- Insecure Application Programming Interfaces – Cloud computing providers expose a set of software interfaces that customers use to manage and interact with cloud services. These interfaces can be hacked by unauthorized users. Solution: beef up authentication and access control to weed out unauthorized users.
- Malicious Insiders – The threat posed by a malicious insider is not unique to cloud computing. However, the threat is amplified by the convergence of IT services and customers under a single cloud environment and a lack of visibility into the hiring standards and practices of cloud employees. Solution: enforce strict supply chain management security and conduct comprehensive background checks of cloud employees.
- Shared Technology Vulnerabilities – Cloud computing providers deliver services by sharing infrastructure. This opens up the entire system to security breaches. Solution: implement a defense-in-depth strategy that includes computer, storage, and network security enforcement and monitoring.
- Data Loss/Leakage – The destruction or loss of data, whether accidental or intentional, poses a grave risk to any network, but the risk increases in the cloud environment due to the number of interactions. Solution: encrypt data in transit and implement strong data backup and retention strategies.
- Account, Service, and Traffic Hijacking – Account, service, and traffic hijacking, carried out through phishing, fraud, and exploitation of software vulnerabilities, poses risks to any computer system. If attackers gain access to a cloud environment, they can eavesdrop on cloud users, manipulate data, return false information, and redirect users to illegitimate sites. Solution: use strong authentication techniques and unauthorized activity monitoring.
- Unknown Risk Profile – The benefit of cloud computing, reducing the costs of maintaining computer hardware and software, also creates a risk of losing track of the security ramifications of cloud deployments. “Security by obscurity may be low effort, but it can result in unknown exposures,” the report warns. Solution: maintain detailed information about who is sharing the cloud infrastructure, as well as network intrusion logs, redirection attempts, and other security logs.
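As an added illustration (not code from the article or the CSA report) of the “unauthorized activity monitoring” the report recommends against account hijacking, the script below scans constructed single-sign-on audit lines from a cloud portal for two common indicators: a success right after a burst of failures, and successes for one account from two different source addresses within a short window. The log format and the thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of single-sign-on audit events from a cloud portal
# (assumed format: ISO timestamp, account, source IP, result).
SAMPLE_LOG = """\
2010-05-18T08:00:01 jdoe 10.1.2.3 FAIL
2010-05-18T08:00:04 jdoe 10.1.2.3 FAIL
2010-05-18T08:00:07 jdoe 10.1.2.3 FAIL
2010-05-18T08:00:10 jdoe 10.1.2.3 FAIL
2010-05-18T08:00:15 jdoe 10.1.2.3 OK
2010-05-18T08:05:00 asmith 10.4.4.4 OK
2010-05-18T08:07:30 asmith 198.51.100.9 OK
2010-05-18T09:00:00 bwong 10.9.9.9 OK
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

def parse(log):
    """Yield (time, account, ip, ok) tuples; lines that do not match are skipped."""
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4) == "OK"

def hijack_alerts(log, max_fail=3, fail_window=timedelta(minutes=2), ip_window=timedelta(minutes=10)):
    """Return alert strings for: a success following >= max_fail failures inside
    fail_window (credential guessing), and successes from two different source
    IPs inside ip_window (shared or stolen credential)."""
    fails = defaultdict(deque)   # account -> timestamps of recent failures
    last_ok = {}                 # account -> (time, ip) of the last success
    alerts = []
    for t, acct, ip, ok in parse(log):
        q = fails[acct]
        while q and t - q[0] > fail_window:   # drop failures outside the window
            q.popleft()
        if not ok:
            q.append(t)
            continue
        if len(q) >= max_fail:
            alerts.append(f"{acct}: success after {len(q)} failures from {ip} at {t:%H:%M:%S}")
        q.clear()
        prev = last_ok.get(acct)
        if prev and prev[1] != ip and t - prev[0] <= ip_window:
            alerts.append(f"{acct}: logins from {prev[1]} and {ip} within {ip_window}")
        last_ok[acct] = (t, ip)
    return alerts
```

On the sample above, the script flags jdoe (success after four failures) and asmith (two source addresses within ten minutes) and stays silent on bwong.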
That’s the bad news. The good news is that security is made simpler when the cloud computing system is developed and maintained by the DoD, which is the case for DISA’s RACE and DoD’s Storefront. That way, information security provisions are incorporated into the cloud infrastructure.
Weather Forecast: Partly Cloudy
However, as DoD pursues other cloud computing models, the information security issue will become more prominent. One project in the works is for the DoD’s Storefront to be combined with Intelink, a network used by the US intelligence community to exchange information, collaborate, and conduct business.
Intelink provides applications to report, gather and access information that might be crucial when combined with other information in the network. Risacher said that Storefront has partnered with Intelink and could merge with it in the future.
But once Storefront expands beyond DoD, the ability to control access and monitor use of the cloud computing environment lessens. Certainly, the US intelligence community has very strong information security measures, but once cloud computing projects are expanded beyond agency boundaries, the security risks inevitably increase.
The biggest security challenge will come when DoD adopts some of the other cloud computing models mentioned above, particularly involving commercial providers. So far, DoD doesn’t have any commercial provider projects in the works. But it will only be a matter of time. Perhaps the best place for DoD to start would be a commercial cloud computing project involving information that is not highly sensitive, such as human resources.
Cloud computing can save significant amounts of money by reducing the need for redundant infrastructure. Pentagon chief Robert Gates is pushing to slash DoD’s budget; cloud computing enables the DoD to cut costs while expanding capabilities. The $64,000 question is: Can cloud computing do that securely?
Additional Readings and Sources
- DoD – Cloud computing strategy [pdf]
- DISA – Rapid Access Computing Environment web site
- Air University – Cloud Computing
- NIST – Cloud Computing site
- NSA – DoD Cloud Computing Security Challenges [pdf]
- IBM – Cloud Computing
- InfoWorld – What cloud computing really means
- DoD’s IATAC newsletter (Spring 2010) – Cloud Computing: Silver Lining or Storm Ahead [pdf]
- US Navy CIO (May 18/10) – Security for Cloud Computing
- InfoWorld (May 14/10) – How and why the military should adopt the cloud
- Washington Technology (April 20/10) – Cloud adoption on the rise, but new report highlights trouble spots
- The Open Group (April 2010) – Building Return on Investment from Cloud Computing
- Lockheed Martin Cyber Security Alliance (April 2010) – Awareness, Trust and Security to Shape Government Cloud Adoption [pdf]
- Armed with Science (March 5/10) – Defense Media CTO: Clouds on the Horizon
- Information Management Online (March 4/10) – What Are The Top Cloud Computing Threats?
- Cloud Security Alliance (March 2010) – Top Threats to Cloud Computing V1.0 [pdf]
- IBM (Feb 4/10) – US Air Force Selects IBM to Design and Demonstrate Mission-Oriented Cloud Architecture for Cyber Security
- Nextgov (Jan 7/10) – Need a Defense business service? ‘There’s an app for that’
- DISA (2009) – Cloud Computing in a Military Context
- DoD’s Enterprise Software Initiative (Dec 22/09) – What is Cloud Computing and how does it impact software licensing practices?
- DataCenterKnowledge.com (Dec 4/09) – DoD: Cloud Will Save Us Hundreds of Millions
- Cloud Security Alliance (December 2009) – Security Guidance for Critical Areas of Focus in Cloud Computing V2.1 [pdf]
- Federal News Radio (Nov 10/09) – DoD IT experts open up about cloud deployment
- ENISA (November 2009) – Cloud computing: Benefits, risks and recommendations for information security
- SecurityProNews.com (Oct 7/09) – Department of Defense Sort of Embraces Cloud Computing
- Government Computer News (Sept 23/09) – 5 lessons from DOD’s cloud computing efforts
- Information Security Magazine (June 2009) – Three cloud computing risks to consider [pdf]
- Crucial Point (March 21/09) – Cloud Computing and Cyber Defense [pdf]
- Cloud Computing Journal (Feb 5/09) – US Department of Defense Putting Cloud Computing to Work
- Bloomberg (Jan 26/09) – Defense Department Mimics Google in Cloud Computing
- HP (July 10/08) – HP to Power Department of Defense Cloud Computing Infrastructure
- ebiz (March 2008) – Distinguishing Cloud Computing from Utility Computing
- Gartner (June 26/08) – Gartner Says Cloud Computing Will Be As Influential As E-business