The Friction in the Federal Cloud
As federal government technical advisors champion cloud computing solutions like Apps.gov, their efforts raise questions about their ability to provide those systems with tight security. In fact, the biggest problems may not be based on technical inability, but rather on politics and the familiar difficulties that arise when multiple government agencies are forced to cooperate.
As the U.S. federal government moves ahead with its cloud computing strategy, it may find that the real bugbear won't be technology but politics. What else would one expect on the Hill?
Other problems could pop up in the government's approach to security and a lack of adequately qualified staff.
Can these issues be resolved? Or will Washington blunder along despite the efforts of U.S. CIO Vivek Kundra, who's leading the charge toward the cloud?
Of Politics, Mindsets and Qualified Staff
The federal government has had its share of problems retaining cybersecurity advisors. Specifically, they tend to quit in frustration. The latest was Melissa Hathaway, who stepped down in August, stating that the White House was taking too long to make a permanent appointment and that she was unable to make any real change.
Her experience and comments echoed those of Amit Yoran, who essentially held the same post in the Bush administration. Yoran quit in 2004 after just one year and was the third holder of that office to leave within two years.
"The technology demands of the cybersecurity adviser's job are relatively trivial," said Bruce Hart, COO of Terremark Federal. "The real demands are in the political areas you have to navigate." However, things might soon look up due to the White House's strong support for cloud computing. "The political infighting is always bad, but the strong championship from this administration will be a great help," Hart told the E-Commerce Times.
Another problem is the approach many government staffers take to security. "Many consider security to be of a military nature," Carl Almond, senior director at global IT consultancy Avanade, told the E-Commerce Times. "In reality, IT security is very far from military in nature. Unfortunately, the government generally does not understand this, and so you end up with a lot of people doing security who are quite good at the mechanics but will never understand how these policies apply to their organization." Top-notch security leaders must understand both security as well as organizations and how they operate, Almond said.
The problem is exacerbated by the relatively low pay scale found in government. "If you multiply the scarcity of security leaders in government by the low pay grades that the government offers, it's very unlikely that the government will ever acquire security leaders, and even if they do, that it will hold onto them," Almond pointed out.
Attempts to interview General Services Administration CIO Casey Coleman fell through when the agency canceled the interview at the last minute.
Tip-Toeing Through the Technology
The GSA already had the technical aspects of the cloud well covered by August of 2009, when it issued a Request for Quotation (RFQ) for cloud storage, Web hosting and virtual machine services. This would eventually lead to the launch of the Apps.gov site. Apps.gov is an online storefront for federal agencies to browse and purchase cloud-based IT services.
The RFQ's provisions included the following: Cloud service level agreements would have to provide for at least 99.95 percent availability; vendors would have to secure their services; the system must enable live migration of workloads from one virtual machine to another; and Web hosting services would require both Windows and Linux options.
Announcing the launch of Apps.gov on the White House blog Sept. 15, Kundra wrote it would help cut the cost of government operations while driving innovation within government.
"Cloud computing has champions the likes of which I've never seen before in my 30 years of federal service," Terremark Federal's Hart said. "The CIO (Kundra) and CTOs (chief technology officers) are hot over cloud computing, and they're creating a welcoming climate for those distributed decisions of which the federal government generally runs afoul."
Here's how gung-ho the Administration is: On Jan. 14, Office of Management and Budget (OMB) Director Peter Orszag participated in the White House forum on modernizing government with more than 50 of the nation's leading CEOs. Ideas on how the government can use technology to save money were discussed at the forum.
The OMB is a cabinet-level office. Its job is to help the president oversee the preparation of the federal budget and to supervise its administration in agencies of the executive branch. It also coordinates the administration's regulatory policies as well as its policies for procurement, financial management and information.
Putting Together a Secure Cloud
In addition to being somewhat familiar with the technical requirements of cloud services, the federal government is turning to cloud vendors to provide cloud services, which means it won't have to put together its own clouds from scratch. However, any contractor offering cloud services to Washington must have top-flight physical and IT security in place.
First, Washington must determine what level of security applies to its data. Stories about relatively innocuous files bearing high-level security classifications and top-secret information being misclassified are the stuff of urban legend. "The interesting thing will be determining what data can go where, not the technical implementation of the security," Avanade's Almond pointed out.
Communication is the key to getting this right. "The most important thing the government can do to protect its cloud computing efforts is to communicate," Almond said. "When it comes to cloud security, all parties, from the purchasing organization to the service providers, must communicate about the levels of security required, the level of security available, the current and future risk portfolio, daily changes and observations, and any other factor that could affect security."
Whether or not this level of communication is possible remains in doubt, given the amount of infighting in the federal government. After all, the Christmas Day bomber, Umar Farouk Abdulmutallab, managed to board Northwest Airlines Flight 253 concealing explosives in his underwear despite multiple warning signs. His father warned the U.S. embassy in Nigeria that he had gone to Yemen for training with Islamic radicals, he boarded a flight for Detroit with no winter coat and no luggage, and the National Security Agency had picked up discussion out of Yemen about a Nigerian being trained for a special mission.
Abdulmutallab had already been placed on a watch list by British authorities and banned from entering Britain earlier this year. Further, U.S. government agencies apparently failed to share or highlight potentially relevant information about him. If they can't communicate on issues of such vital interest, can they do so in other areas?
Thorough communication and preparation are critical to combat hackers. "It's not a question of if you'll get hacked, it's a question of when," David Marcus, director of security research and communications at McAfee Labs, told the E-Commerce Times. "Whenever you provide anything on the Internet, the first people who will look at it are the bad guys. They will figure out how services are improperly deployed before the good guys will."
Once that is done, the government needs to ensure that cloud service vendors are adequately focused on security both before and after the contracts are signed. "Security doesn't end once the services are procured," Michael Sutton, vice president of security research at Zscaler, pointed out. Like any other buyer, the federal government can include right-to-audit clauses in contracts and insist on seeing the results of regular third-party audits and assessments, he told the E-Commerce Times.