Privacy Issues of Cloud Computing in the Federal Sector



Presentation describing potential privacy issues of implementing cloud computing in the Federal market.

NOTE: Presentation does NOT reflect any official agency position. All views expressed are my own.

Published in: Technology
  • One of the problems with “Cloud computing” is that the term itself means different things to different people. The reason for this confusion is that there are lots of different definitions for what “cloud computing” is. Here is the Wikipedia definition.
  • Here is the NIST definition of “cloud computing.” My presentation’s notes contain the URL for it. For geeks, I think the first sentence of this definition is a pretty clear one for what constitutes “cloud computing.” We’ll discuss the delivery and deployment models later, but I want to touch on the “essential characteristics” of cloud computing. They are as follows:
    Essential Characteristics:
      • On-demand self-service.
      • Broad network access.
      • Resource pooling. The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter).
      • Rapid elasticity.
      • Measured service.
    From
  • For non-geeks, I think this is a better explanation.
  • Tim O’Reilly, web guru and coiner of the term “Web 2.0,” has defined three types of “cloud computing”:
      • Infrastructure as a Service – virtual machine instances
      • Platform as a Service – the virtual machine is hidden behind higher-level APIs
      • Software as a Service – Google Docs
    Mr. O’Reilly’s three “types” of cloud computing match the NIST definition’s three “delivery models.”
  • The NIST Model has four (4) cloud Deployment Models:
      • Private cloud. The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise.
      • Community cloud. The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise.
      • Public cloud. The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.
      • Hybrid cloud. The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting).
  • This great slide is from Dr. Ron Ritchey of Booz Allen Hamilton, from a presentation he gave to NIST called “Governance Considerations for the Cloud,” in the cloud session entitled “Using SCAP to Mitigate Risks in the Cloud” at the October 2009 Security Content Automation Protocol (SCAP) 5th Annual IT Security Automation Conference. It describes some of the risks for each of the NIST cloud deployment models.
  • Graph from “Cloud Computing and the DoD CIO Storefront,” by Dan Risacher of the DoD CIO Enterprise Services and Integration Office, presented on Sep. 21, 2009 and available at
    The way to read this graphic is that the upper-right quadrant (Dedicated Mission Capabilities) is the most costly and takes the longest to implement of all the technologies. As you move down and to the left, the costs decrease, as does the time to implement the project.
  • Privacy policy issues in the cloud:
    Data security
      • Cloud computing data centers consolidate multiple organizations and so become attractive targets for hackers.
      • Federal Information Security Management Act (FISMA) (44 U.S.C. § 3502) – “information security” requirement on the Gov’t and contractors.
      • One key point that needs to be addressed in “cloud computing” – at least for Federal Gov’t activities – is the Privacy Act nexus with FISMA. Specifically, the Privacy Act authorizes disclosure of PII “to those officers and employees of the agency which maintains the record who have a need for the record in the performance of their duties.” Without establishing specific access controls for information systems located in such shared workspaces, or “clouds,” it is not possible to ensure accurate tracking of who has had access to the PII, and therefore it is not possible to state that only those “officers and employees of the agency” with a “need to know” have been provided access to those records. Therefore, an individual PIA should be conducted on each information system processing PII contained in such shared spaces or clouds.
    Privacy Act
      • Cloud computing environments must comply with the Privacy Act – (e)(10)’s requirements and their relation to access controls have been discussed above.
      • Do cloud computing providers agree to use/not use data they host in compliance with the Privacy Act? How are the providers bound? TOS? Contract terms?
    E-Gov’t Act (PIA)
      • Who should complete Privacy Impact Assessments for cloud environments? For Gov’t owned? Contracted? “Free”?
    Breach Reporting
      • Who is responsible for providing PII breach reporting notifications? Credit monitoring? Which jurisdiction/domain is the provider in?
    International Privacy Law
      • Data protection is a human right in the EU and other international jurisdictions (Directive 95/46/EC).
    Federal Records Act
      • Is the information in the cloud an official government record? Does it have a record retention policy covering it?
      • These issues must be addressed in consultation with your Records Management Officer.
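The access-tracking point above (you cannot say only officers with a need for the record saw it unless each access is attributable to a named, authorized individual) can be turned into a check a privacy office or CIO shop could run over a system’s access log. The script below is an added example, not code from the presentation; the roster, the system names and the log lines are all constructed.

```python
"""Added example: auditing who accessed PII in a shared ("cloud") system.

Checks a constructed access log against a constructed need-to-know roster and
reports (a) accesses by people who are not on the roster for that system and
(b) entries that cannot be attributed to an individual at all (shared or
service accounts). Either finding means the Privacy Act "need to know"
statement cannot be supported for that system.
"""
import csv
import io

# Constructed roster: named officers/employees with a need for records in
# each system of records. System names are hypothetical.
NEED_TO_KNOW = {
    "dla-hr-records": {"jdoe", "rlee"},
    "dla-recruit-tracker": {"rlee"},
}

# Accounts that identify a process or a tenant, not a person. Accesses under
# these cannot be traced to an individual.
SHARED_ACCOUNTS = {"svc-backup", "admin", "tenant-shared"}

# Constructed sample log: timestamp,user,system,record_id,action
SAMPLE_LOG = """\
2009-10-01T09:00:00Z,jdoe,dla-hr-records,rec-1001,read
2009-10-01T09:05:00Z,rlee,dla-recruit-tracker,rec-2001,read
2009-10-01T09:07:00Z,msmith,dla-hr-records,rec-1002,read
2009-10-01T09:10:00Z,svc-backup,dla-hr-records,rec-1003,export
2009-10-01T09:12:00Z,jdoe,dla-recruit-tracker,rec-2002,read
"""

FIELDS = ["ts", "user", "system", "record", "action"]


def audit_pii_access(log_text):
    """Return (unauthorized, unattributable): two lists of offending log rows.

    unauthorized: a named user who is not on the roster for that system.
    unattributable: a shared/service account, so no individual can be named.
    """
    unauthorized, unattributable = [], []
    reader = csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS)
    for row in reader:
        user, system = row["user"], row["system"]
        if user in SHARED_ACCOUNTS:
            unattributable.append(row)
            continue
        if user not in NEED_TO_KNOW.get(system, set()):
            unauthorized.append(row)
    return unauthorized, unattributable


def can_assert_need_to_know(log_text):
    """True only if every logged access is attributable to an authorized person."""
    unauthorized, unattributable = audit_pii_access(log_text)
    return not unauthorized and not unattributable


if __name__ == "__main__":
    bad, unknown = audit_pii_access(SAMPLE_LOG)
    for row in bad:
        print("UNAUTHORIZED:", row["ts"], row["user"], row["system"], row["record"])
    for row in unknown:
        print("UNATTRIBUTABLE:", row["ts"], row["user"], row["system"], row["record"])
    print("Need-to-know statement supportable:", can_assert_need_to_know(SAMPLE_LOG))
```

The two categories matter for different reasons: an unauthorized named user is a disclosure question, while an unattributable access (a backup or admin account shared across tenants, which is the normal state of a multi-tenant platform unless the contract says otherwise) is exactly the tracking gap the note describes, and is the one a PIA for a shared environment has to close.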
  • Mr. O’Reilly’s quote sums up the public’s concerns with cloud computing “safety.” I think it could be expanded as summing up the public’s concerns with other “hidden” services such as Deep Packet Inspection, etc., where the “beneficiary” of the service has no understanding of the underlying technology’s threats, safeguards, or potential benefits.
  • So, you want to implement a cloud computing initiative. What jurisdiction’s statutes, regulations, etc., apply? U.S.? E.U.? A.P.E.C.?
  • There are already several examples of cloud computing being used in the Federal Gov’t, Private Sector, and by the “bad guys.” I hope to give you a flavor of these examples with short summaries in the following slides.
  • Of note to Federal Agencies is OMB’s Pass-back Language requiring Federal Agencies to evaluate all new IT investments against cloud computing alternatives for the FY 11 budget submission and to evaluate all IT investments involving a significant change against cloud computing alternatives for the FY 12 budget submission. Of course, I have not actually seen OMB’s Pass-back Language, because to disclose that pass-back language would be against OMB policy.
  • New simulation results were needed for a presentation. All computational resources were either committed or did not support the environment needed for STAR computations. Technology developed by the Nimbus team at the U.S. Dept. of Energy’s (DOE) Argonne National Lab, allowed the STAR researchers to dynamically provision virtual clusters on commercial cloud computers and run the additional computations just in time. With cloud computing, a 100-node STAR cluster can be online in minutes. In contrast, Grid resources available at sites not expressly dedicated to STAR can take months to configure. Overloaded STAR resources were elastically ‘extended’ by additional virtual clusters deployed on Amazon’s EC2. The run used more than 300 virtual nodes at a time to complete STAR computations just in time.
  • LMS = Learning Management System. DOI’s NBC is currently focused on its CPU and storage Infrastructure-as-a-Service offerings. It is developing Acquisition and HR Software-as-a-Service offerings. Their LMS would likely need to have a PIA and a Privacy Act System of Records Notice.
  • The U.S. Army needed a tool to track potential recruits who visited its Army Experience Center, a new, state-of-the-art recruiting facility that allows prospective recruits to undergo simulated experiences of an Army soldier in a casual and non-threatening environment. Recruiters required the ability to track potential recruits based on their preferences and activities at the Army Experience Center. The implementation time of 3 months is the key point of these two projects.
  • Not only the good guys are using the cloud to improve efficiency. This example is about how the bad guys could use the cloud to enhance their attack sophistication.
  • “Web OS 2009” image from
    While this is a great graphic, it is already way out of date. Looming on the horizon for Federal Agencies are:
      • Electronic Document Management and E-Discovery issues associated with implementing NARA-compliant Electronic Records Schedules.
      • “Users being users” – working around rules to get their jobs done.
      • Collaborative tools coming online where the vendors have made the default setting for the collaborative space full access for everyone – typically a good thing for the private sector (perhaps), but not good when dealing with sensitive information such as PII or proprietary data.

Privacy Issues of Cloud Computing in the Federal Sector (slide transcript)

    1. Privacy Considerations in Cloud Computing
       Lewis Oleinick, CIPP/G, Chief Privacy and FOIA Officer, Defense Logistics Agency. Emerging Privacy Issues.
    2. Disclaimer
       The views presented herein are my own and do not represent the views of DoD or the Defense Logistics Agency.
    3. Agenda
       • What is “cloud computing?”
       • Are there different types of “clouds?”
       • What are the economic benefits of cloud computing?
       • What are the privacy issues of cloud computing?
       • What are some examples?
    4. What is “cloud computing?”
       • Wikipedia defines “cloud computing” as:
         • a paradigm of computing in which dynamically scalable and often virtualized resources are provided as a service over the Internet. [1] [2] Users need not have knowledge of, expertise in, or control over the technology infrastructure in the "cloud" that supports them. [3]
    5. What is “Cloud Computing?”
       Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models. From:
    6. A Picture of “Cloud Computing”
    7. 3 Types of Cloud Computing
       • Tim O’Reilly’s definitions:
         • Utility computing (Infrastructure as a Service – IaaS)
           • provides virtual machine instances, storage, and computation at pay-as-you-go utility pricing, e.g., Amazon’s AWS.
           • developers, not end-users, are the target of this kind of cloud computing.
         • Platform as a Service – PaaS
           • one step up from pure utility computing are platforms like Google AppEngine and Salesforce's, which hide machine instances behind higher-level APIs.
         • Cloud-based end-user applications (Software as a Service – SaaS)
           • applications that were formerly delivered locally on a PC, like spreadsheets, word processing, databases, and even email, that are now delivered over the web, e.g., gmail or Google docs and spreadsheets are "cloud computing applications."
           • Google search or Google maps, while on the same servers, are not.
    8. 4 Cloud Deployment Models*
       • Private cloud
         • enterprise owned or leased
         • may, or may not, exist on premise
       • Community cloud
         • shared infrastructure for a specific community
       • Public cloud
         • sold to the public, mega-scale infrastructure
       • Hybrid cloud
         • composition of two or more clouds
       * From the Aug. 12, 2009 NIST presentation “Effectively and Securely Using the Cloud Computing Paradigm,” by Peter Mell and Tim Grance, on
    9. Risks for Each Deployment Model
    10. Cost/Benefit of Cloud Computing Models
    11. Privacy Policy Issues in the Cloud
       • Data Security
       • Privacy Act
       • E-Gov’t Act (PIA)
       • Breach Reporting
       • International Privacy Law
       • Federal Records Act
    12. Some Technology Solutions for Security in the Cloud*
       • Encrypted swap / no swap
       • Encrypted file systems
       • Encrypted data in transit (in/out)
       • Secured, fit-for-purpose machine image
       * Ideas from the July 15, 2009 Nat’l Def. Univ. presentation on Cloud Computing Architectures by Hal Stern, Vice President, Global Systems Engineering, Sun Microsystems.
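The four controls on slide 12 are the kind of thing to verify in a machine image before it is used for PII rather than to trust from a build description. The check below is an added example, not code from the presentation or from Sun; it parses constructed copies of /etc/fstab and /etc/crypttab and a constructed inventory of listening services, and the device names, key path and service names are illustrative.

```python
"""Added example (not from the presentation): a baseline check of a machine
image against the four slide-12 controls: encrypted or no swap, encrypted file
systems, encrypted data in transit, and a fit-for-purpose service set."""

# Constructed /etc/fstab: root and data live on dm-crypt mappings, swap does not.
FSTAB = """\
# <device>        <mount>  <type>  <options>  <dump> <pass>
/dev/mapper/root  /        ext4    defaults   0 1
/dev/mapper/data  /data    ext4    defaults   0 2
/dev/sda3         none     swap    sw         0 0
"""

# Constructed /etc/crypttab: <mapper name> <backing device> <key> <options>
CRYPTTAB = """\
root  /dev/sda2  none                 luks
data  /dev/sdb1  /etc/keys/data.key   luks
"""

# Constructed inventory of listening services: (name, port, encrypted transport?)
LISTENING = [
    ("sshd", 22, True),
    ("httpd", 80, False),
    ("httpd", 443, True),
    ("telnetd", 23, False),
]

# "Fit for purpose": the only services a web-server image should expose.
ALLOWED_SERVICES = {"sshd", "httpd"}


def _fields(text):
    """Yield the whitespace-split fields of each non-blank, non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line.split()


def parse_fstab(text):
    """Return [(device, mountpoint, fstype), ...]."""
    return [(f[0], f[1], f[2]) for f in _fields(text)]


def parse_crypttab(text):
    """Return the set of /dev/mapper/<name> paths that crypttab sets up."""
    return {"/dev/mapper/" + f[0] for f in _fields(text)}


def check_image(fstab=FSTAB, crypttab=CRYPTTAB, listening=LISTENING,
                allowed=ALLOWED_SERVICES):
    """Return a list of findings; an empty list means all four controls hold."""
    findings = []
    encrypted = parse_crypttab(crypttab)
    for device, mount, fstype in parse_fstab(fstab):
        if fstype == "swap" and device not in encrypted:
            findings.append(f"swap on {device} is unencrypted: encrypt it or remove swap")
        elif fstype != "swap" and device not in encrypted:
            findings.append(f"file system {mount} on {device} is not an encrypted mapping")
    for name, port, encrypted_transport in listening:
        if name not in allowed:
            findings.append(f"{name} on port {port} is outside the image's purpose")
        elif not encrypted_transport:
            findings.append(f"{name} on port {port} carries data in the clear")
    return findings


if __name__ == "__main__":
    for finding in check_image():
        print("FINDING:", finding)
```

The swap finding is the one most often missed: memory holding decrypted PII gets paged to an unencrypted partition on storage the customer does not control, which is why the slide lists “no swap” as an equally acceptable answer. A port-80 listener that only redirects to HTTPS would be a false positive here; a real check would inspect the server configuration rather than the port alone.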
    13. Tim O’Reilly on Personal Information
       “The prospect of ‘my’ data disappearing or being unavailable is far more alarming than, for example, the disappearance of a service that merely hosts an aggregated view of data that is available elsewhere, say Yahoo! search or Microsoft live maps.”
    14. Possible Structures of a Public “Cloud” or, “Dude! Where is my Data?”
       What you think you are getting. What you may actually be getting.
       Trans-border data flow of personal information? To India, Malaysia or China?
    15. Cloud Computing Examples
       • In Government
         • OMB/GSA Cloud “one-stop” site
         • Dept. of Energy Lab’s use of Cloud
         • Dept. of Interior National Business Center's Cloud strategy
         • Army and Census use of
         • DoD DISA Cloud infrastructure
       • In the Private Sector
         • Washington Post use of Amazon Elastic Compute Cloud
         • GE use of Google Apps
       • By the Bad Guys
    16. OMB/GSA One-Stop Cloud Computing Store
       • Announced 09/15/2009
       • CIO Vivek Kundra:
         • satisfying security and privacy concerns would be the biggest barrier to adoption of cloud solutions
         • agencies that deal with less sensitive data should shift to the cloud first
         • government would continue to own and operate systems that manage classified or sensitive data
    17. DOE – STAR Experiment
       • U.S. Department of Energy
         • Argonne National Lab Cloud Computing project
       • New computation-intensive simulations needed fast for a critical presentation.
       • All DOE resources committed.
       • Argonne Lab Team used Amazon’s IaaS on a public cloud to do in minutes what would have required months.
    18. Dept. of Interior Nat’l Business Center
       NBC’s Cloud Offerings include:
       • NBCGrid – NBC’s IaaS offering. Will allow end-user provisioning of a variety of types of servers and operating systems through a single website. NBCGrid will provide technology-agnostic server hosting, with a variety of pricing models, including metered and pre-paid, based on the customer’s usage of RAM or CPU per hour.
       • NBCFiles – NBC’s Cloud storage offering. Allows variable storage capacity on a metered, pay-per-gigabyte price model. Multiple security tiers drive pricing.
       • NBCApps – NBC’s Cloud-based application marketplace.
         • Messaging, collaboration and Web 2.0 tools like wikis and blogs.
         • AQD LoB SaaS: “on-demand” version of ESE.
         • HR LoB SaaS: “on-demand” version of HR’s Onboarding, LMS, Performance & Competency Management and Time and Attendance packages.
    19. Army and Census use of
       • US Census Bureau – Partnership management
         • Replaces 3000-user legacy CRM system
         • Tracks partner commitments
         • Provides near real-time reporting for congressional inquiries
         • Time to implement: 3 months
       • US Army – Recruiting
         • Helps recruiters identify persons likely to join the Army
           • Coincided with launch of Army Experience Center
           • Fosters communication
           • Allows detailed statistical/marketing analyses
         • Future capabilities
           • Google Maps integration
           • Link to Facebook
         • Time to implement: 3 months
    20. DoD DISA Cloud infrastructure
       • Rapid Access Computing Environment
         • Agile and responsive computing
         • Authorized customers order and gain access to a server in less than 24 hours
         • DoD Certification and Accreditation
         • Provides flexible development platform for Web, application or database
         • Windows, Red Hat, SUSE servers in less than 30 minutes
         • MIPR or government credit card
         • User self-service
    21. Washington Post – PaaS
       • A Senior Engineer at the Washington Post received 17,481 pages of data as non-searchable PDF files of a former White House official’s public schedule.
       • Using Optical Character Recognition (OCR) tools to convert and reformat the PDF pages into machine-readable text would take about 30 minutes per page using a standard PC.
       • Using Amazon EC2, he launched 200 server instances to process the images at a speed of approximately 60 seconds per page; the project was completed within nine (9) hours.
       • Project used 1,407 hours of virtual machine time and cost $144.62.
    22. GE use of Google Apps – SaaS
       • GE moved 400,000 desktops from Microsoft Office to Google Apps.
       • Due to privacy concerns, migrated from Google Apps to
         • N.B. – Privacy Notice includes the following:
           • Contents of your Account. We store and maintain files, documents, to-do lists, emails and other data stored in your Account at our facilities in the United States or any other country. Use of Zoho Services signifies your consent to such transfer of your data outside of your country. In order to prevent loss of data due to errors or system failures, we also keep backup copies of data including the contents of your Account. Hence your files and data may remain on our servers even after deletion or termination of your Account. We assure you that the contents of your Account will not be disclosed to anyone and will not be accessible to employees of Zoho in this capacity. We also do not process the contents of your Account for serving targeted advertisements.
    23. Password Cracking in the Cloud
       • Researchers combined COTS Password Recovery software with Amazon's cloud computing services to show:
       • The researchers rented multiple dual-core virtual machines for $0.30 an hour each. The total $45 cost is equivalent to running 150 machines for one hour.
       • The report includes step-by-step instructions on how to configure Amazon's cloud services for COTS Distributed Password Recovery software.
       Cost to crack a password in 1 hour, by number of characters in the password:
       • Eight-character password without special characters: $45
       • Eight-character password with 1 special character: $100,000
       • 10-character complex password with special characters: $10 million
    24. Botnet controlled from Amazon Cloud
       • Botnet designed to steal online banking information
         • Botnet name – Zeus or Zbot
         • Used the Amazon EC2 cloud service as the command and control communications channel to steal info.
         • Cloud location increased the difficulty for defenders to counter the botnet.
           • Firewalls may have difficulty distinguishing “bad” from “good” data from an established cloud provider like Amazon EC2.
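Because a destination inside a well-known provider’s range cannot be blocked outright, a defender has to look at something other than the address. One such signal is timing: command-and-control check-ins tend to recur at a fixed interval, while a user’s traffic to the same provider does not. The script below is an added example, not from the presentation; the flow records are constructed, and the documentation range 203.0.113.0/24 stands in for a provider’s published address prefixes.

```python
"""Added example (not from the presentation): flagging internal hosts that
contact a cloud-provider address range at a near-constant interval, using
the coefficient of variation of inter-arrival gaps as the regularity measure."""
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Stand-in for the provider's published address ranges (constructed).
CLOUD_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed flow records: (epoch seconds, source IP, destination IP).
FLOWS = (
    # 10.0.0.5 contacts a cloud host roughly every 60 s: beacon-like.
    [(t, "10.0.0.5", "203.0.113.10") for t in (0, 61, 119, 180, 241, 299, 360, 421)]
    # 10.0.0.7 contacts a cloud host at irregular, human-looking times.
    + [(t, "10.0.0.7", "203.0.113.20") for t in (5, 9, 200, 230, 233, 900)]
    # 10.0.0.5 also polls an internal server every 60 s: regular, but not cloud-bound.
    + [(t, "10.0.0.5", "10.0.0.1") for t in range(0, 480, 60)]
)


def in_cloud_range(ip):
    """True if ip falls in any configured provider prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUD_PREFIXES)


def find_beacons(flows, min_flows=6, max_cv=0.1):
    """Return [(src, dst, mean_interval_s), ...] for cloud-bound flows whose
    inter-arrival gaps are nearly constant (stdev / mean <= max_cv)."""
    times_by_pair = defaultdict(list)
    for ts, src, dst in flows:
        if in_cloud_range(dst):
            times_by_pair[(src, dst)].append(ts)
    beacons = []
    for (src, dst), times in times_by_pair.items():
        if len(times) < min_flows:
            continue  # too few samples to call the timing regular
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons.append((src, dst, round(avg, 1)))
    return beacons


if __name__ == "__main__":
    for src, dst, interval in find_beacons(FLOWS):
        print(f"possible beacon: {src} -> {dst} every ~{interval}s")
```

The thresholds (six flows, 10 % jitter) are starting points to tune against your own traffic; legitimate software updaters and monitoring agents also check in on a schedule, so a hit is a lead for the analyst, not a verdict. The filter on provider ranges only narrows the search to the case the slide raises; the same timing test applies to any destination.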
    25. Where is this all going?
       Data Collection, Web 2.0, Cloud Computing, Logistics Info, e-Discovery. Where is privacy?
    26. Take-aways
       • “Cloud Computing” will have privacy implications in the Federal sector – both intended and unintended.
       • Community “Clouds,” using IaaS or PaaS, such as DISA’s RACE and DOI’s NBCGrid, provide good opportunities to test the waters.
       • Use of commercial “clouds” presents potential security and international privacy issues.
       • CIOs and Privacy Officers will need to work together to address privacy issues.
    27. Lew Oleinick, CIPP/G, Chief Privacy and FOIA Officer, Defense Logistics Agency. Questions