WikiLeaks fiasco reinforces push to set security standards for cloud services.
The WikiLeaks scandal, which prompted targeted blackouts of the document-leaking venture and financial services, demonstrates how online enterprises are at the mercy of third-party Web service providers. Such shutdowns could have dire consequences for Internet-based government services such as payment processing. Still, federal officials remain adamant that moving more information technology operations to the cloud will conserve resources and boost productivity.
Cloud providers cut off connectivity for WikiLeaks after a military insider allegedly disclosed loads of classified diplomatic cables, embarrassing and endangering allies. The nonprofit media outlet, run by Julian Assange, publishes private and classified information submitted by anonymous sources. When "hacktivist" sympathizers responded to the shutdown with network attacks, many online operations were caught in the crossfire. But the federal government has been working to stay one step ahead of such cyber-sparring.
Last fall, federal Chief Information Officer Vivek Kundra announced the Obama administration had drafted a standard approach to cloud security called FedRAMP, which stands for Federal Risk and Authorization Management Program. By this summer, White House officials expect to finalize specifications for cloud vendors that want to sell agencies access to their networks, servers, storage and applications. The goal is to establish a checklist for authorizing cloud products intended for multiple agencies. Departments deploying the same tools won't have to conduct duplicative security reviews, which should expedite the shift to Web-based information technology, officials say.
The WikiLeaks affair should be instructive for shaping FedRAMP, according to cyber-security experts.
"At first sight, you wonder why in the wake of WikiLeaks they would want to work from the cloud and use third parties," says Darren R. Hayes, a computer forensics and security professor at New York's Pace University. But the real issue, he notes, is the human element. "The amount of access, and access to documents that he didn't need to view, that is important to consider," Hayes says, referring to alleged leaker Pfc. Bradley Manning.
Some national security observers say agencies trying to shield information in the cloud shouldn't revert to the territorial mentality that prevented analysts from exchanging intelligence prior to the Sept. 11 attacks. "Don't stop sharing," says James A. Lewis, a cybersecurity specialist and senior fellow at the Center for Strategic and International Studies, a Washington think tank. "But make it so that people can't do things like these huge downloads that never should have happened-especially to a music CD," which Manning reportedly used to save and transport files that later appeared on WikiLeaks.
Cloud safety standards also should call for segmenting and encrypting-or converting into secret code-sensitive information before launching it into the cloud, say other cyber experts. That way outsiders like the WikiLeaks organizers won't be able to decode the data. During the WikiLeaks episode "the government or somebody failed to adequately protect that information on the front end," says Roy E. Hadley, co-leader of the cloud computing and cybersecurity practice at law firm Barnes & Thornburg LLP.
Anything connected to a network is inherently insecure, Hadley adds. "The safest bet is to protect the data itself and not worry so much about where it's transported and where it's stored," he says. "All data is not really created the same. Some data, you don't really care if someone accesses it or not-that data doesn't really need to be protected."
Even the strongest networks powering sites are vulnerable to perpetrators who inundate them with useless traffic in a denial-of-service attack, Hadley says. Some of MasterCard's Web-based activities came to a halt after alleged hacktivists took revenge on the company for reportedly discontinuing the processing of WikiLeaks donations. "The protecting of information-you can do that 100 percent right such that nobody could ever get it or do anything with it, but that still wouldn't prevent you from suffering a denial-of-service attack," he says. According to Hadley, the best defense against such attacks is twofold: a robust network and, perhaps even more important, an IT staff capable of quickly identifying the source of any disruption to segregate the suspicious traffic.
FedRAMP should stipulate that agencies safeguard data offline, before it enters the cloud, and also mandate controls in the cloud, such as continuous automated monitoring of traffic, Hadley says.
Other cyber specialists recommend that all cloud contracts require providers to demonstrate their networks can bounce back rapidly from a denial-of-service attack. Some recently issued cloud solicitations do not specify that vendors must be able to shelter federal assets during outages, says Edward Amoroso, senior vice president and chief security officer at AT&T, which last fall nabbed a slot on a governmentwide $76 million contract to host agency IT infrastructures online. "We think that, if anything, the requirements for a carrier to redirect denial-of-service attacks away from the cloud infrastructure is a little under-attended to" in the requests for proposals AT&T has seen, he says.
Administration officials assure that they are building FedRAMP's architecture methodically, in cooperation with prospective cloud providers. "I've actually extended the time for industry to comment to Jan. 17 [from Dec. 3]," Kundra said at a December 2010 briefing that Government Executive hosted. "The reason is that this is so important. . . . It's our opportunity to get this right once and for all when it comes to cybersecurity."
John Gilligan, who served on the Obama-Biden transition team that drafted the administration's IT policies for the defense and intelligence communities, remarks that FedRAMP offers a rare chance to rewrite safety protocols. But he notes the policies must be flexible.
"There is no such thing as perfect security," says Gilligan, a former Air Force chief information officer who now works as a private consultant. "The context in which they should frame this discussion is, 'What's the right level of security to start with and then what is the process by which we could tighten down, add additional requirements and security as the cloud providers are able to provide us much more capabilities?' " And he warns against jamming the authorization checklist with superfluous controls that make it impossible for managers to achieve full compliance and draw attention away from critical safeguards.
Other measures to consider include continuous monitoring on a daily or weekly basis, not monthly or quarterly, Gilligan says. In addition, IT managers could create a dashboard that tracks vulnerabilities identified in the cloud and how quickly they are patched. Gilligan notes the display should be restricted to agency managers, and auditors at the Government Accountability Office, the office of the inspector general and other federal supervisory bodies. Lewis recommends that FedRAMP mimic security practices that have worked well for the government's networks, such as a new data collection tool called CyberScope. In 2010, agencies began reporting to the White House on their compliance with security protocols by sending updates to the password-protected in-box.
Hayes applauds FedRAMP's incident response requirements. Under the proposal, a cloud provider must ensure contractors dealing with a service problem be cleared to handle sensitive information. But Hayes says the guidelines should be stricter about the technical qualifications of the personnel called to respond. "There aren't many people who can reverse engineer malware to see where that malware came from," he notes.