Obama administration aims for bottom-up approach to creating global standards for protection of IT and critical infrastructure.
Cloud computing has become such a way of life at NASA over the past five or six years that the Jet Propulsion Laboratory IT team thinks of most cloud-based services as just another node on the network, say Tom Soderstrom and Jonathan Chiang, chief technology and innovation officer and IT chief engineer, respectively.
In fact, Soderstrom says that whether it’s Amazon Web Services or Windows Azure, “we think that using the cloud applications can be even more secure than what we do internally.”
“Every service we sign on with has to be vetted by FedRAMP [the Federal Risk and Authorization Management Program], so we know if they are on the list that they comply with the NIST 800-53 security specifications for federal installations,” Soderstrom explains. “And these vendors spend a lot of money on IT security; they are constantly patching.”
The percentage of IT managers surveyed who say cloud computing and SaaS solutions providers can offer better security than their own IT security team can provide.
SOURCE: “2013 U.S. Cloud Security Survey” (IDC, September 2013)
Matthew Derenski, cybersecurity engineer for JPL in California, says best practices have been put in place to ensure that cloud-based services are secure. For example, when a JPL scientist needs to provision a virtual server and storage, a systems administrator starts the process by logging on to the cloud service and authenticating using two-factor authentication. Once the resources are provisioned, the user logs on using a password to access the system.
While JPL uses many different cloud-based services and has processes for security, Derenski says it doesn’t use Security as a Service platforms to secure desktops, notebooks or workstations. “Since we have to meet the NIST 800-53 guidelines, some things still make sense for us to keep in-house,” he adds.
Frank Dickson, an industry principal for Frost & Sullivan who covers network security, says federal agencies take a pragmatic approach to cloud-based security services because they’re well invested in network infrastructure and corresponding security posture.
“Federal agencies consider first the data, application or network that they are trying to protect, and then how cloud security may be used to improve the security posture,” Dickson says. “It is a very deliberate approach. As those decisions are made, some agencies are taking a closer look at public-cloud security or running security services over internal private clouds.”
The Defense Information Systems Agency offers a wide range of security services to DOD agencies over its private cloud, including anti-virus, anti-malware, content filtering, intrusion detection/intrusion prevention systems, email security and data loss prevention.
DISA Chief Technology Officer David Mihelcic says the benefits of providing security via the cloud include leveraging data collected from a large number of endpoints to better identify anomalies, categorize malware and determine the extent of infections. It also allows for easier enterprise implementation of defensive software and shared situational awareness through common dashboards.
“Securing and defending the DOD’s networks are core missions of DISA,” says Mihelcic. “DISA’s IT services are deployed with defensive, situational awareness and responsive capabilities in place. DISA’s operational component monitors for attacks and events, and responds when necessary to defend — enabling cyber capabilities that meet the warfighters’ needs.”