NSA uses cloud to modernize agency

Lonny Anderson, the National Security Agency’s chief information officer, says finding efficiencies in IT is one of his biggest priorities. And, he says, his agency is using the cloud to help with that.

“I don’t want to say we’re the leader in cloud use across the IC [Intelligence Community] but if we’re not, we’re reliant on it. We’re right up there.”

Anderson tells Federal News Radio’s Jason Miller, NSA currently uses three clouds – a utility cloud for virtualization, a storage-as-a-service cloud, and a data cloud. All three of these clouds are private but have some open-source components.

When asked whether an agency like NSA would ever consider using a public cloud, Anderson says, “For unclassified networks, the public cloud would be fine. The challenge for us is, of course, that we do a lot of things in the classified world.”

But, he says, the agency is looking outside its own walls for ideas. “One of the areas we’re going to look at in the future is how to take advantage of all of those developers that are out there, not in government, but across industry and in universities. To the extent we can, we’ll try to open source and ask for help.”

Anderson also updated Federal News Radio on the agency’s data center consolidation efforts. NSA’s new data center in Utah will be used by the Intelligence Community to support the National Cybersecurity Initiative. He says the new data center will help NSA fight cybersecurity threats and provide technical assistance to the Department of Homeland Security.

“That data center will give us, the IC, the ability to take advantage of new technologies as they come on board and design a data center in accordance with our future needs.”

Listen to the full interview.

Cyber Command, NSA tout benefits of cloud computing

The head of U.S. Cyber Command says cloud computing is part of his plan for staying ahead of the cyber threats that face the Defense Department.

“A year from now we should be well on our way to having a hardened architecture proven and in place, which provides a new level of cybersecurity,” said General Keith Alexander.

“The idea is to reduce vulnerabilities inherent in the current architecture and to exploit the advantages of ‘cloud’ computing and thin-client networks, moving the programs and the data that users need away from the thousands of desktops we now use – each of which has to be individually secured for just one of our three major architectures (NIPRNet, SIPRNet, and JWICS) – up to a centralized configuration that will give us wider availability of applications and data combined with tighter control over accesses and vulnerabilities and more timely mitigation of the latter.”

Alexander testified about the use of cloud computing at a House Armed Services subcommittee hearing last week.

He told the Committee use of the cloud will help reduce DoD’s IT costs. Alexander also addressed the issue of cloud security.

“This architecture would seem at first glance to be vulnerable to insider threats – indeed, no system that human beings use can be made immune to abuse – but we are convinced the controls and tools that will be built into the cloud will ensure that people cannot see any data beyond what they need for their jobs and will be swiftly identified if they make unauthorized attempts to access data.”

Debora Plunkett, director of the National Security Agency’s Information Assurance Directorate, agrees with Alexander’s statements. She tells NextGov cloud computing is “the IT architecture of the future.”

Both believe the use of the cloud will help streamline the way their agencies operate.

“The idea is to transform the Department of Defense’s information systems from something to be passively guarded into a suite of capabilities that offer our commanders and senior leaders opportunities to adjust our defenses,” Alexander said during the hearing. “If people who seek to harm us in cyberspace learn that doing so is costly and difficult, we believe we will see their patterns of behavior change.”

Ask tough questions before moving to cloud

Today, Fed Cloud Blog sits down with INTEGRITY, a company that provides IT security solutions for government, military, and commercial enterprises.

Jimmy Sorrells is Vice President of Enterprise Products and says his company provides high-assurance security software.

JS: We would provide foundational software to a lot of the cloud providers. If you’ve got somebody who’s going to provide storage or Web presence or lots of different cloud-types of technologies, we would be a foundational technology for them. . . . We’re doing security down between the hardware and the operating system level.

FCB: We talk a lot about risks associated with moving into the cloud. . . . Can you talk about some of the biggest vulnerabilities that a CIO or a CTO needs to be aware of right now?

JS: The cloud is a really apt description of the way people are going to implement things. It’s this big, nebulous bundle of stuff out there, and the the biggest vulnerability is — what do you know about these services that you’re going to start to rely on.

If you’re going to put your data into the cloud, or if you’re going to put some kind of presence for your company out into the cloud, what do you really know about the service provider that you’re going to do business with? What kind of assurance can they give you about how they’re going to protect your information? About how they’re going to guard your particular presence in their thing — whatever their thing is?

So, instead of talking about vulnerabilities in terms of attackers attacking, I really think that the more fundamental question is, if you’re an executive and you’re thinking about moving into the cloud, what is it that you know about your provider, and what is it that they can assure you about how they’re going to safeguard your information?

FCB: What about CIOs or CTOs already in the cloud? Now what are they worried about in terms of security?

JS: It’s very similar. What you’re worried about is — what is your service provider doing to safeguard you? What are they doing in terms of giving you assurance?

When you put your money in the bank, you’ve got an assurance that if something happens — if the bank gets robbed — you’re protected. We have the FDIC, and that gives people some level of confidence. . . . There are similar types of things for the IT space.

One government-supported program called Common Criteria — the National Information Assurance Partnership (NIAP) between the National Security Agency and NIST. They actually do qualifications on technologies that are there for the IT space. At this point, it’s probably not very well known, but CIOs that are in the cloud should be asking questions of their providers — how have you qualified your technology that’s safeguarding my information — and compare it against some of the standards that are being published by Common Criteria.

FCB: We have talked about lessons learned and best practices here — are there any groups out there, or resources available, especially for the federal CIO, that maybe they’re not aware of?

JS: [There is] the Cyber Secure Institute. . . . Their mission is basically to raise the awareness for CIOs and executives about Common Criteria and the organizations that will actually assure some level of technology that would at least point out to a CIO where the risks are.

If your technology is Common Criteria qualified, they have a ranking system from 1 to 7, so you can really quickly look and see and ask your provider where they are on that 1 to 7 scale. . . . I think a lot of CIOs don’t realize that resource is out there. . . . There are [also] blogs and discussion boards where people can empathize and get information about the fact that there are measures of how secure technologies are. I don’t think they’re being utilized much at all.

When CIOs are looking to go to the cloud these days, the first thing I would tell them is, go check out your provider.

FCB: After a CIO or CTO has decided to move into the cloud, at that point you’ve got to pick and choose and figure out what needs to go in the cloud or what could go in the cloud, versus what doesn’t. . . . Do you have any advice about how to figure out what is cloud-worthy, so to speak?

JS: We are very big proponents of data segregation — segregating your data in terms of need to know and using some of the lessons learned and examples from the Intelligence Community and DoD. They’ve always had this idea of need-to-know.

You shouldn’t treat your data as one big lump. You need to have striations in terms of the importance and [think about] how important it is to keep privacy and confidentiality of information. Some is very, very private and confidential — health records, employee Social Security numbers, [but] maybe some other things aren’t, from a privacy standpoint, that [could be] public. There’s lots of public facing documents that you really do want to be accessible freely by the public.

So, I would say that a strategy of data segregation and attaching privacy importance to that is the first thing that we would suggest you do. . . . As you build your confidence in your supplier, maybe you just want to start with your very public-facing data — some websites that talk about your company, and then, as you build confidence in your provider . . . you can start to put more and more private information [in the cloud]. You may never want to put the most important and private information in the cloud. That may be something that’s only intranet worthy.

The one thing that I want to add is that we’re kind of at an inflection point here in technology and with virtualization and cloud computing, things are morphing. The Internet is ubiquitous now. Information used to be on mainframes and then it went to PCs and now it’s moving out into this really public kind of a network. So, a word of caution, and a word to the CIOs that are running organizations — there are measures out there that will tell you how good your providers are in terms of security. I don’t think a lot of people know about it, so I would encourage the CIOs to go ask the hard questions.

Don’t just accept things on face value. Do the due diligence. Dig in and find out what you’re provider is doing in terms of security.

Read more: INTEGRITY just teamed up with Dell to provide a Secure Consolidated Client Solution for federal agencies.