TL;DR: The Department of Defense’s slow, steady migration to public and private cloud architectures may be hastened by pressures at opposite ends of the spectrum. At one end are programs such as the NSA’s cloud-based distributed RDBMS that realize huge cost savings and other benefits. At the other end is the growing number of sophisticated attacks (and resulting breaches) on expensive-to-maintain legacy systems. The consensus is that the DOD’s adoption of public and private cloud infrastructures is inevitable, which makes the outlook rosy for commercial cloud services of all types.
U.S. computer networks are under attack. That’s not news. But what is new is the sophistication of the assaults on public and private computer systems of all sizes. The attackers are targeting specific sensitive information, the disclosure of which threatens not only business assets and individuals’ private data, but also our nation’s security.
In a September 29, 2014, column on the Times Herald site, U.S. Senator Carl Levin, who is chairman of the Senate Armed Services Committee, released the unclassified version of an investigation into breaches of the computer networks of defense contractors working with the U.S. Transportation Command, or TRANSCOM. The report disclosed more than 20 sophisticated intrusions by the Chinese government into TRANSCOM contractor networks in a 12-month period ending in June 2013.
In one instance, the Chinese military stole passwords, email, and source code from a contractor’s network. Other attacks targeted flight information to track the movement of troops, equipment, and supplies. TRANSCOM was aware of only two of the 20-plus attacks on its contractors’ networks, even though the FBI and other government agencies were aware of all of the attacks.
The report highlights the need to disclose breaches and attempts. Otherwise, there’s no way to formulate an effective response in the short run or deterrence in the long run. Within government, as in the business world, the left hand doesn’t know what happened to the right hand.
Lack of breach disclosures plays into the bad guys’ hands
No longer are data thieves rogue hackers acting alone. Today’s Internet criminals work in teams that tap the expertise of their members to attack specific targets and conceal their activities. InformationWeek’s Henry Kenyon describes in a September 29, 2014, article how security officials in the public and private sectors are striving to coordinate their efforts to detect and prevent breaches by these increasingly sophisticated Internet criminals.
The Department of Homeland Security is charged with coordinating cyber-defenses, mitigating attacks, and responding to incidents of Internet espionage. Phyllis Schneck, DHS’s director of cybersecurity, identifies three impediments to effective defenses against network attacks.
DHS’s Einstein system constantly scans civilian government networks, analyzing them to detect and prevent zero-day, botnet, and other attacks. Schneck states that DHS makes it a priority to share the information it collects about attempted and successful breaches with other government agencies, the private sector, and academia.
The problem, according to analysts, is that businesses are loath to disclose data losses and thwarted attacks on their networks. They consider their reputation for network security a competitive advantage, so anything that impairs that reputation could reduce the company’s value. Sue Poremba points out in a September 24, 2014, article on Forbes that most major breaches still receive very little publicity.
However, the recent spate of major breaches at Home Depot, Dairy Queen, PF Chang’s, Target, and major universities is convincing company officials of the need to coordinate their defenses. Such a coordinated approach to network protection begins and ends with sharing information.
An NSA cloud success story serves as the blueprint
Organizations don’t get more secretive than the U.S. National Security Agency. You’d think the NSA would be the last agency to migrate its databases to the cloud, but that’s precisely what it did — and in the process realized improved performance, timeliness, and usability while also saving money and maintaining top security.
In a September 29, 2014, article, NetworkWorld’s Dirk A.D. Smith describes the NSA’s successful cloud-migration program. The agency’s hundreds of relational databases needed more capacity, but throwing more servers at the problem wasn’t practical: existing systems didn’t scale well, and the resulting complexity would have been a nightmare to manage.
Instead, NSA CIO Lonny Anderson convinced the U.S. Cyber Command director to move the databases to a private cloud. Now analyses take less time, the databases cost less to manage, and the data they contain is safer. That’s what you call win-win-win.
The goal was to create a “user-facing experience” that offered NSA analysts “one-stop shopping,” according to Anderson. Budget cuts required security agencies to share data and management responsibilities: the NSA and CIA took charge of cloud management; the National Geospatial Intelligence Agency (NGA) and Defense Intelligence Agency (DIA) took responsibility for desktops; and the National Reconnaissance Office (NRO) was charged with network management and engineering services.
The agencies’ shared private cloud integrates open source (Apache Hadoop, Apache Accumulo, OpenStack) and government-created apps running on commercial hardware that meets the DOD’s specs for reliability and security. The resulting network lets the government realize the efficiency benefits of commercial public cloud services, according to Anderson.
Just as importantly, the cloud helps the defense agencies ensure compliance with the strict legal authorities and oversight their data collection and analysis activities are subject to. The private cloud distributes data across a broad geographic area and tags each data element to indicate its security and usage restrictions. The data is secured at multiple layers of the distributed architecture.
The data-element tags allow the agency to determine when and how each bit of data is accessed — to the individual word or name — as well as all the people who accessed, downloaded, copied, printed, forwarded, modified, or deleted the specific data element. Many of these operations weren’t possible on the legacy systems the private cloud replaced, according to Anderson. He claims the new system would have prevented breaches such as the 2010 release of secure data by U.S. soldier Bradley Manning.
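An added example, not code from the NSA system or from Apache Accumulo: a minimal Python model of the per-element tagging and access auditing described above, using Accumulo-style visibility expressions (&, | and parentheses). The store layout, keys, labels, users and function names are assumptions made for illustration.

```python
import re
import time

def tokenize(label):
    toks = re.findall(r"[A-Za-z0-9_.:-]+|[&|()]", label)
    if "".join(toks) != re.sub(r"\s+", "", label):
        raise ValueError("illegal character in label")
    return toks

def _expr(toks, auths):  # term (op term)*; mixing & and | needs parentheses
    value, op = _term(toks, auths), None
    while toks and toks[0] in ("&", "|"):
        nxt = toks.pop(0)
        if op and nxt != op:
            raise ValueError("mixed & and | without parentheses")
        op, rhs = nxt, _term(toks, auths)
        value = (value and rhs) if op == "&" else (value or rhs)
    return value

def _term(toks, auths):
    tok = toks.pop(0) if toks else ""
    if tok == "(":
        value = _expr(toks, auths)
        if not toks or toks.pop(0) != ")":
            raise ValueError("missing ')'")
        return value
    if tok in ("", "&", "|", ")"):
        raise ValueError("malformed label")
    return tok in auths

def is_visible(label, auths):
    toks = tokenize(label)
    value = _expr(toks, auths) if toks else True  # empty label: unrestricted
    if toks:
        raise ValueError("trailing tokens")
    return value

def access(store, audit, user, auths, action, key):
    label, value = store[key]
    try:
        allowed = is_visible(label, auths)
    except ValueError:
        allowed = False  # fail closed on a label that cannot be parsed
    audit.append({"ts": time.time(), "user": user, "action": action,
                  "key": key, "label": label, "allowed": allowed})
    return value if allowed else None

# Constructed sample elements (label, value); keys, labels and users are hypothetical
STORE = {"report:42:name": ("SECRET&(OPS|INTEL)", "J. Doe"),
         "report:42:date": ("", "2014-09-29")}
```

Every call to access() appends an audit record whether or not the element is released, so denied attempts are as visible to a reviewer as successful reads.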
Overcoming analysts’ reluctance to abandon their legacy systems
Anderson faced an uphill battle in convincing agency analysts to give up their legacy systems, which in many instances couldn’t be ported directly to the cloud. Adoption of the cloud was encouraged through a program that prohibited analysts from using the legacy systems for one full day every two weeks. With the assistance of analysts with cloud expertise, the newbies overcame the problems they encountered as they transitioned to the agency’s private cloud.
The result is a faster, more efficient system that improves security and cuts costs. These are among the benefits being realized by companies using the Morpheus database-as-a-service (DBaaS). Morpheus is based on an SSD infrastructure for peak performance, allowing you to identify and optimize data queries in real time. Backup, replication, and archiving of databases are automatic, and your data is locked down via VPN security.
Morpheus supports Elasticsearch, Redis, MySQL, and MongoDB. Visit the Morpheus site for pricing information and to create a free trial account.
Similar benefits are being realized by the first DOD agencies using commercial cloud services. Amber Corrin reports in a September 24, 2014, article on the Federal Times site that defense agencies will soon be able to contract for public cloud services directly rather than having to go through the Defense Information Systems Agency (DISA).
The change is the result of the perception that DOD agencies are too slow to adopt cloud technologies, according to DOD CIO Terry Halvorsen. However, there will still be plenty of bureaucracy. Agencies will be required to provide the DOD CIO with “detailed business case analyses” that consider services offered by the DISA, among other restrictions.
Most importantly, all cloud connection points are controlled by the DISA, and unclassified traffic has to pass through secured channels. Slowing things down even further, agencies will have to obtain an authority to operate, or ATO.
The DOD’s cloud migration may be slow, but it’s steady. Bob Brewin reports in a September 23, 2014, article on NextGov that the Air Force Reserves will now use Microsoft 365 for email and other purposes, which promises to save the government millions of dollars over the next few years. That’s something taxpayers can cheer about!