CIA technology chief says cloud is more secure than traditional approaches

Security remains one of the biggest concerns about moving mission-critical applications to the cloud, but US government agencies are being encouraged to overcome their cyber fears.

Warwick Ashford, chief reporter at Computer Weekly

At an Amazon Web Services conference in Washington attended by a number of federal employees, representatives of several agencies endorsed the security benefits of cloud computing, according to US reports.

Gus Hunt, chief technology officer of the CIA, told the conference that, in fact, cloud computing may be more secure than the traditional client-server approach.

The ability to reimage or remove all software from one server and get it all up and running quickly on another server in the cloud makes it more difficult for adversaries to carry out successful attacks and proves the key to greater security, he said.

Hunt said the CIA plans to begin using this approach in the near future and to move unclassified data to the public cloud and put its classified data on a private, government-only cloud within a year.

Security-as-a-service enables organisations to build security once and reuse it everywhere instead of having to build security into each application.

In a cloud environment, said Hunt, organisations can ensure they are secure end-to-end by using tools like encryption to protect all systems and data.

Khawaja Shams, the senior solutions architect at NASA's Jet Propulsion Lab (JPL), said cloud security means trusting a third party, which is something agencies do every day.

He said that although his IT security team remains responsible for the security of operating systems, file systems and applications, Amazon is responsible for everything up to the hypervisor or virtual machine manager, and has to ensure there are no cross-hypervisor attacks and that customers can access only their own data.

Hardened virtual Amazon machines also turn off any unnecessary services, encrypt file systems and use system logs to track data in and data out. All that information goes back to the agency to have close to real-time situational awareness, said Shams.

Any data that is exchanged between NASA's JPL and Amazon in the virtual private cloud is encrypted over the IPSec tunnel, which means no one on the internet can see the transactions happening between JPL and Amazon, he said.

Shams said that with a single data call, agencies using the cloud can get an inventory of all the servers running, all the internet ports that are allowing traffic to flow through them and other information to give chief information security officers better cyber situational awareness.

It is not the cloud that is inherently insecure or that the local datacentre is inherently more secure; it all depends on the way they are used, he said.

Organisations need to learn to live in a new operations paradigm, said Shams, and in so doing, they will learn that in many ways cloud computing can actually offer a more secure solution.

The US government's General Services Administration is using one-time tokens to secure access to their e-mail-as-a-service in the cloud.

Casey Coleman, GSA's CIO, said her office spent a lot of time researching the best way to ensure employees have secure access to their e-mail, calendar and contacts through Google's Gmail.

The token provides anywhere access to the same functions users would have if they were in the office, she said.

In addition to working with the cloud services provider to ensure security requirements are implemented, federal experts said creating an inter-agency team is just as important. The team should include acquisition, legal, programme and other stakeholders to cover all the challenges upfront.

Agencies reported they are changing policy and standards to meet the needs of security in the cloud. The Defense Department, for example, is moving from a product-focused security standard to a risk-based standard.

Outsourcing IT to the cloud is part of a federal effort to save $3bn over five years by shutting down about 40% of the government's 2,000-plus computer centres.

In July, the White House announced it will close 178 datacentres in 2012, after phasing out 195 by the end of 2011.
