Volume 13 Number 2 • Spring 201013/2                                                           The Newsletter for Informat...
contents                                              feature About IATAC and the IAnewsletter The IAnewsletter is publish...
IATAC Chat                                                                                                      Gene Tyler...
F E AT U R E S T O R YEstablishing Trust inCloud Computingby Dr. Bret Michael and Dr. George DinoltI  n the aptly titled a...
example. It appears that Google,                        with an appropriate level of security          should be asking to...
management framework. The obvious                      maintained within the cloud. Several          enterprise providing ...
to encrypt all the data stored and to         lead to new architectures with better          platform(s). The enterprise l...
There is no guarantee that the same                     The security properties then                     secure systems ar...
I ATA C S P O T L I G H T O N A U N I V E R S I T YPennsylvania State Universityby Angela OrebaughI n 1855, Pennsylvania S...
Cloud Computing for theFederal Communityby Hannah WaldT    he question is not whether, but when,     the U.S. federal gove...
computing concepts, starting with the               customer generally has no control         using a software offering fr...
Software as a Service (SaaS)                                  incentives and goals, which is not                          ...
provider protect the                                                                       may not want to answer question...
back-end maintenance and operations                           most of the economic benefits of              of the public ...
Vol13 no2
Vol13 no2
Vol13 no2
Vol13 no2
Vol13 no2
Vol13 no2
Vol13 no2
Vol13 no2
Vol13 no2
Vol13 no2
Vol13 no2
Vol13 no2
Vol13 no2
Vol13 no2
Vol13 no2
Vol13 no2
Vol13 no2
Vol13 no2
Vol13 no2
Vol13 no2
Vol13 no2
Vol13 no2
Vol13 no2
Vol13 no2
Vol13 no2
Vol13 no2
Vol13 no2
Vol13 no2
Vol13 no2
Vol13 no2
Upcoming SlideShare
Loading in...5
×

Vol13 no2

500

Published on

Published in: Technology, Business
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
500
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
5
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Transcript of "Vol13 no2"

  1. 1. Volume 13 Number 2 • Spring 201013/2 The Newsletter for Information Assurance Technology ProfessionalsCloud Computing: Silver Lining or Storm Ahead? also inside Establishing Trust in Insider Threat Center at Public/Private Partnership Cloud Computing CERT Grows Solutions from Becoming a Necessity Reality-Based Research Cloud Computing for the Apples & Oranges: Operating Federal Community Wikis Within the DoD and Defending the Global Information Grid DISA RACE: Certification and Vulnerability Assessment EX Accreditation for the Cloud Processes Within DoD LPS-Public: Secure C E L L E NC E SE R V CE N Browsing and an Alternative N I NF IO O R MA T Look Before You Leap Eight Steps to Holistic to CAC Middleware Database Security
  2. 2. contents feature About IATAC and the IAnewsletter The IAnewsletter is published quar- terly by the Information Assurance Technology Analysis Center (IATAC). IATAC is a Department of Defense 20 Look Before You Leap: Security Considerations in a 34 Eight Steps to Holistic Database Security Government organizations are 4 (DoD) sponsored Information Analysis Center, administratively managed by Web 2.0 World finding new ways to secure the Defense Technical Information Center (DTIC), and Director, Defense Embracing social media is their data. Research and Engineering (DDR&E). imperative to success in a new 37 Contents of the IAnewsletter are not necessarily the official views of or communications environment, but Public/Private endorsed by the US Government, DoD, DTIC, or DDR&E. The mention of Establishing Trust in Cloud Computing doing so without adequate planning Partnership commercial products does not imply endorsement by DoD or DDR&E. We can argue that it is not a matter of can do more harm than good. Becoming a Necessity whether cloud computing will become Combating advanced persistent 25 Inquiries about IATAC capabilities, products, and services may be addressed to— ubiquitous—because the economic forces Insider Threat Center threat (APT) in silo efforts is an IATAC Director: Gene Tyler are inescapable—but rather what we can at CERT Grows unsustainable strategy. Inquiry Services: Peggy O’Connor do to improve our ability to provide cloud Solutions from Reality- 38 If you are interested in contacting an author directly, please e-mail us at computing users with trust in the cloud Based Research Apples & Oranges: Iatac@dtic.mil. services and infrastructure. Educating organizations on how Operating and IAnewsletter Staff to detect and manage insider Defending the Global 9 Art Director: Tammy Black Copy Editor: Kali Wilson Designers: Michelle Deprenger IATAC Spotlight on a threat is critical. Information Grid Dustin Hurt University Our language and doctrine needs 26 Editorial Board: Dr. Ronald Ritchey Angela Orebaugh Gene Tyler Penn State is one of the nation’s Wikis Within the DoD to evolve to view cyberspace as Kristin Evans Al Arnold ten largest undergraduate Reaping the benefits the contested, warfighting IAnewsletter Article Submissions engineering schools. of community-driven information domain it is. To submit your articles, notices, sharing with wikis. 10 42 programs, or ideas for future issues, please visit http://iac.dtic.mil/iatac/ Cloud Computing for LPS-Public: Secure 29 IA_newsletter.html and download an“Article Instructions” packet. the Federal Community IATAC Spotlight Browsing and an IAnewsletter Address Changes/ Additions/Deletions A community cloud is the most on a Conference Alternative to CAC Middleware To change, add, or delete your mailing or email address (soft-copy receipt), secure way for the federal This event provided opportunities Secure Browsing and an please contact us at— government to realize the to learn about research as well Alternative to CAC Middleware:IATACAttn: Peggy O’Connor potential of cloud computing. as ongoing developments. The public edition LPS is a free,13200 Woodland Park Road easy to use, install nothing, 16 30 Suite 6031Herndon, VA 20171 DISA RACE: Vulnerability browsing alternative with Phone: 703/984-0775 Fax: 703/984-0773 Certification and Assessment built-in CAC software for Email: iatac@dtic.mil Accreditation for the Cloud Processes Within DoD almost any computer. URL: http://iac.dtic.mil/iatac Government organizations are Standardizing the vulnerability Deadlines for Future Issues Summer 2010 May 8, 2010 taking full advantage of the assessment processes can help Cover design: Tammy Black potential benefits offered by avert disaster. Newsletter cloud computing. 33 in every issue design: Donald Rowe Distribution Statement A: Subject Matter Expert Approved for public release; distribution is unlimited. The SME profiled in this 3 IATAC Chat article is Dr. Peng Liu, at 36 Letter to the Editor Pennsylvania State University. 43 Products Order Form 44 Calendar 2 IAnewsletter Vol 13 No 2 Spring 2010 • http://iac.dtic.mil/iatac
  3. 3. IATAC Chat Gene Tyler, IATAC DirectorI n early February, I had the opportunity to attend the InformationAssurance Symposium (IAS) in importantly, its weaknesses. I believe they say it best in their statement, “It is unclear whether the current set of [cloud this edition of the IAnewsletter also provide you with various perspectives on cloud computing so that you feelNashville, TN. I always look forward to computing] services is sufficiently inspired to enter into the dialogue. I askattending this event because it brings secure and reliable for use in sensitive you, is cloud computing the silver liningtogether folks who truly care about government environments.” They to computing, and should we storminformation assurance (IA). I am always advocate a cautious approach to ahead in implementing it across variousexcited to converse with colleagues implementing cloud computing organizations? Or might it weaken ourinterested in solving tough IA problems capabilities across the government and, computer network defenses and resultahead, and yet again, the IAS did not in particular, the Department of in a potential storm of malicious attacksfail; I enjoyed talking with people about Defense (DoD). However, these subject in the future?some of the newest innovations matter experts remain optimistic, which In addition to cloud computing, Icurrently changing our field. is why they are excited about the invite you to look at the various other One topic that seemed to dominate research and investigation NPS is doing articles in this edition that highlight thethe conversations I had with various to identify methods of securing cloud- following topics, also discussed at IAS:colleagues and subject matter experts at based systems. insider threat; Web 2.0 Security; socialIAS was cloud computing, and as this On the other hand, some media and its use in DoD; vulnerabilityedition of the IAnewsletter reflects, this organizations are beginning to assessments; defending the Globaltopic is getting a lot of well-deserved successfully implement cloud Information Grid; and our industryattention, for a multitude of different computing already. Most notably, the expert contributes a very interestingreasons. Cloud computing is Defense Information Systems Agency article on public/private partnerships.revolutionizing how organizations are (DISA) successfully developed the Rapid As I always remind our readers, we areconstructing their networks and Access Computing Environment (RACE), interested in your perspectives andsystems; it is changing how which is a cloud-based system. Not only welcome your contributions to thisorganizations invest in their information has DISA successfully implemented publication. We know our readers aretechnology infrastructure; and it is RACE, but, as the authors point out, the very subject matter experts who areforcing organizations to reconsider how “certification and accreditation policy analyzing and experimenting withthey secure critical information— has been adapted to allow organizations innovative solutions like cloudsecurity is critical and at the forefront of to use RACE cloud resources, thereby computing. Feel free to contact us atcloud computing quickly connecting to the cloud while iatac@dtic.mil with your perspective on But what, exactly, is cloud complying with DoD requirements.” the cloud debate!computing; and how do you ensure Munjeet Singh and Troy Giefer remaininformation security in the cloud deeply involved with DISA as itcomputing environment? Dr. Bret implements cloud solutions, and as a Michael and Dr. George Dinolt, of the result, their article, “DISA RACE:Naval Postgraduate School (NPS), Certification and Accreditation for theaddress some of these questions in their Cloud,” provides a different perspectivearticle, “Establishing Trust in Cloud on cloud computing and its advantages.Computing.” They argue that a lot of As these two articles suggest, therediscovery is necessary before the IA is a lot of debate over cloud computing,community can fully understand cloud the advantages it offers, and the risks itcomputing, its benefits, and more presents. I hope the articles presented in IAnewsletter Vol 13 No 2 Spring 2010 • http://iac.dtic.mil/iatac 3
  4. 4. F E AT U R E S T O R YEstablishing Trust inCloud Computingby Dr. Bret Michael and Dr. George DinoltI n the aptly titled article, “Cloud Assurance Still Missing,” Allan Careywrote, “The security problems that computing as a vehicle for maintaining their competitive edge. A recent technical report published ff IaaS (Infrastructure as a Service)— the cloud provides an infrastructure including (virtual) platforms,organizations face related to cloud by the University of California, Berkeley, networking, etc. on whichcomputing are the same as those related states that there is no commonly agreed applications can be placed;to virtualization—but even more so.” [1] upon definition of cloud computing. [5] ff SaaS (Software as a Service)—He goes on to say, “Information Instead, a definition is emerging as the the cloud provides softwareassurance practitioners already have various organizations that are applications.most of what is needed to make an developing cloud services evolve theirinformed set of decisions about cloud offerings. In addition, there are many Amazon’s Elastic Compute Cloudcomputing.” [2] We would argue that the shades of cloud computing, each of (EC2) is an example of these services. [8]security problems go well beyond the which can be mapped into a Google also provides enterprise-leveluse of virtualization in distributed multidimensional space with the integrated application services such assystems. In this article, we discuss the dimensions being characteristics, service email, appointment calendars, textneed for asking critical questions about models, and deployment models. [6] processing and spreadsheets. [9]the security implications of cloud Cloud computing is a metaphor for The claimed advantages for ancomputing. Answers to our questions giving Internet users a growing enterprise are that it does not require anare not readily apparent, even though collection of computer system resources investment in computer resources,viewing computing as a utility, similar and associated software architectures to infrastructure, administration, etc.: theto that of providing water or electricity provide application services. [7] The purveyor of the cloud provides theseon a for-fee basis, dates back to at least applications include processing and resources. The user or enterprise onlythe 1960s. [3] application integration, storage, and pays for the resources “consumed.” In the As we pointed out in a recent communications services. Cloud Department of Defense (DoD), we havearticle, [4] what has changed over time services are typically available on seen the introduction of infrastructureis the advancement of the underlying demand and are charged on a usage services on demand provided by thetechnology, including cheap, fast central basis. Often, what the user sees is an Defense Information Systems Agency’sprocessing units (CPUs), low-cost application instead of a particular Rapid Access Computing Environmentrandom access memory (RAM), computer. The services are commonly (DISA RACE). [10] Where available, theinexpensive storage, and the high- described as: cost of developing and maintainingbandwidth standardized ff PaaS (Platform as a Service)­ the — specialized applications can be sharedcommunication needed to efficiently cloud provides hardware resources, among the users of that application. Inmove data from one point to another. typically virtual machines, which theory, there is an advantage in havingAdditionally, considerations, such as the can be loaded with the users, large-scale resources shared among aeconomies of scale involved in building operating system and software; large class of users. However, this has yetvery large data centers, nudged to be borne out. [11] There are, of course,organizations to consider cloud applications that require a large number of resources. Google Search is one such4 IAnewsletter Vol 13 No 2 Spring 2010 • http://iac.dtic.mil/iatac
  5. 5. example. It appears that Google, with an appropriate level of security should be asking to improve the securityAmazon, and others are attempting to transparency to alleviate customers’ and privacy clouds afford. However, weleverage their ability to construct such a reservations about the security and can ask fundamental questions like: aresystem into other environments. privacy afforded by the cloud. [12] How the current architectures adequate for We can argue that it is not a matter much transparency is enough? How do building trusted clouds? If not, whatof whether cloud computing will we provide for transparency of cloud types of software system architecturesbecome ubiquitous but rather what we resources (i.e. determining the cloud in do we need? Consider, for instance, thecan do to improve our ability to provide which customer data resides)? Is there a possibility that an organization mightcloud computing users with assurance tipping point at which additional levels opt to fully outsource its computingthat the cloud services and of transparency would only serve to infrastructure and data center to theinfrastructure provide appropriate help malefactors compromise services cloud, retaining only thin clients withinsecurity functionality. Cloud computing and datacenters? the organization. How do we make theproviders should supply their customers In addition, as users and developers thin client user terminals and the find new ways of applying cloud communications infrastructure secure? o Security Policy technologies, there will be new expectations about security and privacy. DoD Enterprise Computing Provision I&A Compromise Integrity For instance, Twisted Pair Solutions of What is our motivation for jumping feet of Service Seattle proposes to provide cloud first into asking hard questions about computing resources for state and local cloud computing? The growing Informal Map agencies to link up disparate public importance of cloud computing makes it safety radio systems (e.g., police, fire, or increasingly imperative that security, ambulances)—a novel but difficult-to- privacy, reliability, and safety Integration & Middleware predict usage of cloud computing, but communities grapple with the meaning also a usage that makes the cloud part of of trust in the cloud and how the Formal (Mathematical) Map mission- and safety-critical systems. [13] customer, provider, and society in Theorems (Proof that Spec Satisfies Model) The expectations for security, privacy, about Policy general gain that trust. Consider the reliability, and quality of service and so initiative of the DoD Enterprise Services Top Level System Specification on will be different in some respects for & Integration Directorate to make the Voice over Internet Protocol (VoIP) radio DoD Storefront Project a reality. The Semi Formal Map systems than for the cloud’s social Storefront consists of a cloud-based set (System Satisfies Spec) networking aspects. This raises the of core and specialized applications that question: how do we manage risk when users can discover through an we do not fully understand what we are application marketplace and which Top Level System Implementation trying to protect or guard against? share an identity management The fluid nature of cloud computing framework. How will DoD provideFigure 1 Process for Integrating Security makes it a moving target, even when security for the Storefront? It is moreInto the Cloud trying to determine the questions we than a matter of having an identity IAnewsletter Vol 13 No 2 Spring 2010 • http://iac.dtic.mil/iatac 5
  6. 6. management framework. The obvious maintained within the cloud. Several enterprise providing single sign-on; thesecurity concerns include data integrity, vendors have formed the Cloud Security enterprise user need only log onto theirdata availability, protection of Alliance (CSA). [14] In the report titled home system. Once logged on, thepersonally identifiable information, data Security Guidance for Critical Areas of enterprise user can automatically accessprotection, data destruction, and Focus in Cloud Computing V2.1, CSA the users’ files and services on Googlecommunications security. provides its take on some of the security without an additional login. Although Moving beyond the Storefront issues related to cloud computing. [15] convenient, this functionality increasesconcept, as the federal government In the report, security properties the security exposure to not only themigrates its data and applications to the are described as essentially the same set weakness of the enterprise system, butcloud, issues regarding cross-domain of properties that a user expects to see also to the weakness of Google’sresource sharing will arise within the with a self-hosted system. These include infrastructure. If, for example, Google’scloud. For instance, how will DoD link the usual: infrastructure has a security flaw, then itits clouds to those of other agencies? ff Identification/Authentication may be possible for someone in oneWill a DoD user, authenticated to enter ff Privacy enterprise to access accounts fromthe DoD cloudsphere, be trusted to ff Integrity another enterprise. On the other hand,access services owned by the ff Provision of Service. security flaws in the enterprise systemDepartment of Homeland Security may lead to weaknesses in the access(DHS)? Is there a need for a federal-wide They view assurance as an audit of controls of the information managed bycloud infrastructure and common set of the function’s implementation, that is, Google Apps. Additionally, connectedsecurity services? How will data be the cloud systems’ administrators and applications may provide unintendedshared among the various different implementers have used ‘best practices’. connections among users, as wastypes of cloud? Other than the notion that encryption is demonstrated with the introduction of used to protect the data, there is little Google Buzz. [17]Information Assurance information that defines ‘best practices.’ When each enterprise maintains itsAt the Naval Postgraduate School, a There is, however, some form of key own infrastructure, a failure in onemajor thrust of our research on cloud management included that provides enterprise may cause failures across thecomputing is to investigate the security potentially strong identification/ cloud. Unless an enterprise uses a singlepolicies, models, and appropriate authentication, as well as some form of cloud from a single vendor, integratingarchitectures to provide security for data integrity/recovery facility. The the various applications,entities/users of cloud computing security architecture proposed is infrastructures, and policies amongresources. Although cloud computing essentially a layered operating system many different clouds and cloud vendorsmay appear to provide reasonably well application. It consists of a network layer will be a significant challenge. In fact, itunderstood operating system and interposed between application will be a challenge to ensure that theapplication resources, cloud resources programming interfaces (APIs) and the different policies do not contradict andare distributed in space, time, and scale underlying operating system potentially permit access that shouldin ways that were never envisioned in infrastructures. ‘Trusted computing’ is not be allowed at the system level.the operating-system world. The current only mentioned at the hardware/ Ultimately, the proof is in thearchitectural approaches, especially operating system level. Additionally, the pudding. Will the cloud vendors bethose concerning security, may not scale CSA paper enumerates several security willing to stand behind the security ofto the much larger cloud computing issues that should be addressed by the their systems? In the case of Amazon’sapproaches. In addition, the approaches cloud-style service provider, but does EC2 and Simple Storage Services (S3)for assuring operating system security not provide any insight on security services, Amazon suggests that theirfunctionality are not necessarily policies/models, interfaces or EC2 and S3 infrastructure not be usedappropriate. It is unclear whether the potential solutions. for systems that must satisfy thecurrent set of services is sufficiently To provide an example of some of Payment Card Industry Securitysecure and reliable for use in sensitive the potential issues, Google supports Standards [18], although it hasgovernment environments. Current “Google Apps.” [16] Google Apps applies published a paper on how Amazon Websecurity claims are somewhat limited. the usual discretionary access controls Services can be used in a Health One of the fundamental problems to the resources it provides – files, Insurance Portability and Accountabilitywith adopting cloud computing is calendars, address lists, etc. To make life Act (HIPAA) compliant environment. [19]providing not only security resources easier, Google provides tools that In the HIPAA paper, Amazonbut also assurances that those resources integrate their identification and essentially places almost all theare correctly implemented and authentication systems into the requirements on the “user/enterprise”6 IAnewsletter Vol 13 No 2 Spring 2010 • http://iac.dtic.mil/iatac
  7. 7. to encrypt all the data stored and to lead to new architectures with better platform(s). The enterprise loadsmanage its keys. Amazon provides defined, more assured security. operating systems, applications, etc.,services to log safely into its systems Over the past 30-plus years in the onto the platform(s) and manages alland provide some data recovery operating system security world, a lot of the interfaces and resources provided.and integrity. work has been done to provide highly The example below assumes that In the realm of reliability, prior to assured components with trustworthy multiple platforms will be used.the breakup, AT&T was required to build systems. Unfortunately, the commercial The security policy visible to thesystems that had an up-time reliability world has ignored a lot of this work. user includes:of “five nines” (about 5.2 min/yr Recent efforts have focused on the use of ff Identification—A set of platformdowntime). Part of the reason for this separation kernels. For example, Green names issued by the providerwas to ensure services in case of Hills has recently received a National (unique to the enterprise)national emergency. Current cloud Information Assurance Partnership ff Authentication—A secure channelbased systems are advertised as (NIAP) certificate for its Integrity 178B that can be used to load theproviding “three nines” (almost 9 hrs/yr Separation Kernel. [21] Separation operating system(s) onto thedowntime). [20] kernels provide a minimal set of platforms—the provider is trusted operating system services on which to ensure that the onlyDetermining Where Trust other trusted services and applications communication with the platformsShould be Placed could be built. These may be thought of is from or to the enterpriseClearly, there are many challenging as slightly more functional than a ff Integrity—The provider shouldsecurity issues related to cloud Virtual Machine Monitor (VMM), guarantee that the resources arecomputing. In our research, we are although Green Hills and others are “empty” on first use and that noneworking on a formal, structured, looking to implement high assurance of the platform resources arepossibly mathematical approach that VMMs using their technology. modifiable by any party other thanwill give users and cloud-developers Our approach to the problem the enterprise. This includes anydeeper insight into what should be done, involves separation of ‘virtual’ management functions; it is up tohow it might be achieved, and where the resources. This approach constructs an the enterprise to ensure that anytrust should be placed. This research infrastructure that establishes (or network interfaces areincludes the investigation of reconstructs where appropriate) appropriately protectedimplementation structures and resources, identifies and authenticates ff Privacy—The provider shouldassurance provisions for “security” in users, and then controls access to the guarantee that there is no thirdcloud-based systems. To do this, we will resources. Our focus is to provide a party access to the platformattempt to provide security model and a security architecture that processor, memory, and/or disk filesarchitectures and models that satisfy provides the infrastructure that will ff Provision of Service—The providerthe following: accomplish these goals. should provide access to theff They are aware of the amorphous resources on demand, per any nature and scale of the cloud An Example service level agreements between computing paradigm For instance, consider PaaS. An the enterprise and the provider.ff They include mathematical models enterprise might wish to run its own of the security properties that can applications. These applications may There at least two models of this be used to help analyze those only run on an intermittent basis and/or kind of service: properties require a large number of resources. 1. Resources are provided on an adff They provide the underpinnings on One way to achieve this is to use a hoc, intermittent basis. In this which applications/enterprise/user cloud PaaS. version, there is no connection level security policies/properties We use the term ‘enterprise’ to between consecutive uses of the can be implemented describe the organization requiring the resources. The enterprise uses theff They provide the foundations on platform and ‘provider’ for the resources once. During subsequent which the implementation organization providing the cloud uses, the enterprise assumes that assurances can be ascertained. platform resources. The PaaS provider all the previous data does not exist would provide ‘platforms,’ either ‘real’ as or has been erased by the provider. Our hope is that the results of the part of a virtual environment (a means The only connection between theresearch will provide a framework that for downloading an operating system two usages is that the enterprisecan be at least partially applied to the and for managing the platforms), or as a uses the “same identifiers” to accesscurrent cloud architectures and may possible network interface(s) on the new instances of the resources. IAnewsletter Vol 13 No 2 Spring 2010 • http://iac.dtic.mil/iatac 7
  8. 8. There is no guarantee that the same The security properties then secure systems architectures and secure- physical resources will be used for become statements about the resources systems design. each run of the platform(s). and platforms. For example:2. The enterprise ‘turns off’ the plat- No pair of allocations shares References form, but in subsequent use after any common VPlatforms or 1. IAnewsletter, vol. 13, no. 1, winter 2010, p. 34. turning it back on, finds the plat- VPlatformResources. 2. Ibid. form resources in the same state As depicted in Figure 1, the security 3. M. Campbell-Kelly. “The Rise, Fall, and Resurrection they were in after being turned off. properties can be modeled on a of Software as a Service: A Look at the Volatile As expected, the enterprise might collection of the statements above. Each History of Remote Computing and Online Software,” pay more for this service. In this of the statements should map back to Communications of the ACM, vol. 52, no. 5, pp. case, the provider must protect the some aspect of the system’s user-visible 28–30, May 2009. information in the resources security property. We could use our 4. B. Michael. “In Clouds Shall We Trust,” IEEE between runs from both modifica- statements about the relationships of the Security & Privacy, vol. 7, no. 5, p. 3, September/ tion and access by third parties. entities (sets) we describe to prove October 2009. There is no guarantee that the same additional properties of the system. 5. M. Armbrust, A. Fox, R. Griffith, A. D. Joseph, R. physical resources will be used in Following the security model’s H. Katz, A. Konwinski, G. Lee, D. A. Patterson, each run of the platform. construction, a high-level execution A. Rabkin, I. Stoica, and M. Zaharia. “Above the model should be constructed and Clouds: A Berkeley View of Cloud Computing,” Note that in both cases, the validated mathematically to determine EECS Department University of California, Berkeley.provider provides access to platforms that it satisfies our security model. Technical Report UCB/EECS-2009-28, 10 Februaryand associated data. The platforms are Next, it is necessary to map our high- 2009, http://www.eecs.berkeley.edu/Pubs/available to others when the enterprise level model to varied cloud aspect TechRpts/2009/EECS-2009-28.html.is not using them. Any provider implementations as documented by 6. P. Mell and T. Grance, “The NIST Definition of Cloudconfiguration data about the platforms the vendors. Computing,” Version 15, 7 October 2009, http://must be protected from modification csrc.nist.gov/groups/SNS/cloud-computing/cloud-and, in the second case above, any Conclusion def-v15.doc.enterprise information that will be Cloud security is an ill-defined, little- 7. http://en.wikipedia.org/wiki/Cloud_computing.reused must also be protected. understood area of distributed 8. http://aws.amazon.com. Informally, a portion of the model computing. However, we believe that 9. http://docs.google.com.might then take the form of: progress can be made to provide a level 10. http://www.disa.mil/raceff VPlatform—The set of names of of assurance that accommodates the 11. H. G. Miller and J. Veiga. “Cloud Computing: Will virtual platforms that will be resources needed to support DoD and Commodity Services Benefit Users Long Term? IEEE provided to enterprises the federal government’s information ITPro, vol. 11, no. 6, p. 67-69, November/ff VPlatformType—Whether the processing requirements. n December 2009. VPlatform resources are persistent 12. http://www.opencloudmanifesto.org. (type 2 above) or not 13. http://www.fcw.com/Articles/2009/04/16/Cloud- About the Authorsff VPlatformResource—The set computing-moving-into-public-safety-realm.aspx. of resources associated with 14. http://www.cloudsecurityalliance.org. Dr. Bret Michael | is a Professor of Computer a VPlatform 15. http://www.cloudsecurityalliance.org/csaguide.pdf. Science and Electrical Engineering at the Navalff Enterprise—The set of enterprises 16. http://www.google.com/apps. Postgraduate School. He conducts research on the that use VPlatforms 17. http://www.nytimes.com/2010/02/15/technology/ reliability, safety, and security of distributedff Allocation—An association internet/15google.html. systems. He is an Associate Editor-in-Chief of IEEE of an Enterprise with a 18. http://www.mckeay.net/2009/08/14/cannot-achieve- Security & Privacy magazine and a member of the Platform, VPlatformType and pci-compliance-with-amazon-ec2s3 IATAC Steering Committee. VPlatformResources. The same 19. http://awsmedia.s3.amazonaws.com/AWS_HIPAA_ Enterprise may have multiple Whitepaper_Final.pdf. Dr. George Dinolt | is a Professor of Practice VPlatforms, and VPlatformResources 20. http://www.google.com/apps/intl/en/business/ in Cyber Operations at the Naval Postgraduate associated with it infrastructure_security.html. School. His research interests are primarily in theff PlatformCloud—A sequence of sets 21. http://www.niap-ccevs.org/cc-scheme/st/vid10119/ high assurance portions of Computer Security. His of Allocations. maint200 research covers formal methods and the connections between them and security policies,8 IAnewsletter Vol 13 No 2 Spring 2010 • http://iac.dtic.mil/iatac
  9. 9. I ATA C S P O T L I G H T O N A U N I V E R S I T YPennsylvania State Universityby Angela OrebaughI n 1855, Pennsylvania State University (Penn State) was originally foundedon 200 acres in Centre County, and problems associated with assuring information confidentiality, integrity (e.g., social, economic, technology- ff The Center for Information Assurance plans, coordinates, and promotes IA research, education,Pennsylvania, as an agricultural school related, and policy issues), as well as the and outreach. The facultythat applied scientific principles to strengths and weaknesses of various coordinators for the center includefarming. Engineering Studies were methods for assessing and mitigating Dr. Chao-Hsien Chu and Dr. Pengintroduced in 1882, making Penn State associated risk. The major provides Liu. The center’s missions are:one of the nation’s ten largest grounding in the analysis and modeling •• Conduct broad-based researchundergraduate engineering schools. efforts used in information search, on various aspects (theoreticalToday, Penn State has grown into a large, visualization, and creative problem and applied; technical andgeographically dispersed, major solving. This knowledge is managerial; wired andresearch institution. Nineteen supplemented through an examination wireless, etc.) of informationcampuses, 15 colleges, and one online of the legal, ethical, and regulatory and cyber securityWorld Campus currently comprise Penn issues related to security that includes •• Educate and train informationState. In Fall 2009, Penn State served analyzing privacy laws, internal control, security professionals throughover 80,000 undergraduates and over regulatory policies, as well as basic degree and continuing13,000 graduate students, with half of investigative processes and principles. education programs, and tothe student population enrolled at the Such understanding is applied to venues insure that information securitymain campus in University Park. that include transnational terrorism, awareness is instilled in all Penn The National Security Agency (NSA) cyber crimes, financial fraud, risk State studentsand the Department of Homeland mitigation, and security and crisis •• Provide assistance and technicalSecurity (DHS) have designated Penn management. It also includes overviews support to industry, non-profitState as a National Center of Academic of the information technology that plays organizations, government, andExcellence in Information Assurance a critical role in identifying, preventing, individuals in the informationEducation (CAE/IA) since 2003 and and responding to security-related events. and cyber security area. [1]National Center of Academic Excellence IST also offers a graduate degree inin Information Assurance Research Security Informatics, which seeks to ff The Networking and Security(CAE-R) for 2008-2013. improve the cyber security of Research Center (NSRC) was The College of Information Sciences individuals and organizations by established in 2003 to provide aand Technology (IST) offers a bachelor’s creating innovative solutions for research and education communitydegree in Security and Risk Analysis detecting and removing cyber threats, for professors, students, and(SRA). This degree program is intended recovering from cyber attacks, industry collaborators interested into familiarize students with the general protecting privacy, enhancing trust, and networking and security. It alsoframeworks and multidisciplinary mitigating risks. provides a unique avenue fortheories that define the area of security Penn State includes a number of interaction with industry; theand related risk analyses. Courses in the research centers focused in cyber andmajor engage students in the challenges information security: ww continued on page 15 IAnewsletter Vol 13 No 2 Spring 2010 • http://iac.dtic.mil/iatac 9
  10. 10. Cloud Computing for theFederal Communityby Hannah WaldT he question is not whether, but when, the U.S. federal government willembrace cloud computing. The current “Cloud computing is a model for enabling convenient,administration—in particular its Chief on-demand network access to a shared pool ofInformation Officer, Vivek Kundra—isvery enthusiastic about this configurable computing resources (e.g., networks,technology’s potential. Some federalagencies are already moving into the servers, storage, applications, and services) that cancloud: the Defense Information SystemsAgency (DISA) is pilot testing a cloud [1]; be rapidly provisioned and released with minimalthe National Aeronautics and SpaceAdministration (NASA) has announced management effort or service provider interaction.”plans to develop a cloud that can beused both internally and for they survey the landscape and take an documents (i.e., the NIST 800 series).collaboration with external research inventory of best practices. They are Alternatively, individual cabinet-levelpartners; [2] the Department of the concerned about the risks inherent in agencies could provide clouds for theirInterior (DOI) has an Infrastructure as a cloud computing but do not want to “community” of internal divisions, whichService (IaaS) offering called the restrict innovation. Pro-cloud civil could serve agencies’ individualNational Business Center Grid servants believe cloud computing can compliance needs more easily than a(NBCGrid), with other offerings set to make federal Information Technology generalized multi-agency cloud. [5]roll out in the near future; [3] and the (IT) and services cheaper, easier, and DISA’s Rapid Access ComputingGeneral Services Administration (GSA) more secure—and it can—provided Environment sets a precedent for thisoffers access to various externally the cloud is implemented and model: it is intended to serve the entireprovided cloud applications through its managed properly. Department of Defense, which has itsportal site, http://apps.gov. [4] For many federal agencies, a own set of security standards in The federal government is not community cloud would be the best addition to those mandated for civilianseriously considering cloud computing service model to use (regardless of the agencies. [6] A third possibility is asimply because of its hype. Agencies are exact type of service being provided). “federated” hybrid of agency-specificfinding it increasingly costly and The GSA, or another provider who is community clouds and a government-difficult to procure, set up, maintain, familiar with federal IT needs, could wide community cloud, all with certainand secure traditional computing stand up a multi-agency cloud that common standards (i.e., minimalarchitectures. This may explain why facilitates and enforces compliance with security baseline, universal protocols)bodies such as the National Institute of government-wide security standards but otherwise tailored to specific purposes.Standards and Technology (NIST) and such as those outlined in regulations Understanding the merits of athe Government Accountability Office (i.e., Federal Information Security community cloud requiresare holding off on setting rules and Management Act [FISMA]) or guidance understanding fundamental cloudstandards for cloud computing while10 IAnewsletter Vol 13 No 2 Spring 2010 • http://iac.dtic.mil/iatac
  11. 11. computing concepts, starting with the customer generally has no control using a software offering from onedefinition of “cloud computing” over or knowledge of the provided provider and an infrastructure offeringprovided by NIST: resources’ exact location but may from another. Commoditization of “Cloud computing is a model for be able to specify location at a bandwidth allows clients to easilyenabling convenient, on-demand higher level of abstraction leverage distantly located resources—network access to a shared pool of (e.g., country, state, or data center). something that was difficult only a fewconfigurable computing resources Examples of resources include years ago—and pay for use of those(e.g., networks, servers, storage, storage, processing, memory, resources as if they were gas orapplications, and services) that can be network bandwidth, and electricity. Finally, cloud providers arerapidly provisioned and released with virtual machines. particularly innovative in the servicesminimal management effort or service ff Rapid elasticity—Capabilities can they offer and are developing newprovider interaction.” [7] be rapidly and elastically services all the time. [9] Cloud allows NIST also lists five essential provisioned, in some cases users to leverage IT solutions with ancharacteristics of cloud computing: automatically, to quickly scale out unprecedented level of granularity.ff On-demand self-service—A and rapidly released to quickly An organization can pay an outside consumer can unilaterally scale in. To the consumer, the cloud provider for data, applications, provision computing capabilities, capabilities available for operating platforms, raw digital storage, such as server time and network provisioning often appear and/or processing resources: Data as a storage, as needed automatically unlimited and can be purchased in Service (DaaS), Software as a Service without requiring human any quantity at any time. (SaaS), Platform as a Service (PaaS), and interaction with each service’s ff Measured service—Cloud systems Infrastructure as a Service (IaaS), provider. automatically control and optimize respectively. [10] A data-miningff Broad network access— resource use by leveraging a company providing its customers with Capabilities are available over the metering capability appropriate to on-demand access to its records of network and accessed through the type of service (e.g., storage, individual purchase histories is an standard mechanisms that promote processing, bandwidth, and active example of DaaS; Google Apps are SaaS; use by client platforms (e.g., mobile user accounts). The provider and a firm offering application development phones, laptops, and PDAs). consumer can monitor, control, and environments to startups is selling PaaS;ff Resource pooling—The provider’s report resource usage, thus and a company offering access to raw computing resources are pooled to providing transparency of the computing resources is selling IaaS. serve multiple consumers using a utilized service. [8] The split of assurance multi-tenant model, with different responsibilities between the provider physical and virtual resources Industry expert Dave Linthicum, and client varies depending on the dynamically assigned and notes that cloud computing is similar to service. With DaaS and SaaS, the reassigned according to consumer time-sharing on mainframes, but with provider has control over almost demand. A sense of location some added features. For example, cloud everything. With PaaS, the client is independence exists because the clients can “mix and match” solutions responsible for application security, and IAnewsletter Vol 13 No 2 Spring 2010 • http://iac.dtic.mil/iatac 11
  12. 12. Software as a Service (SaaS) incentives and goals, which is not necessarily the case in cloud computing. Presentation Modality Presentation Platform In a public cloud, the relationship between clients and providers is largely transactional, and the clients do not APIs know each other. The parties involved have little basis for trust and may in fact distrust one another to a certain extent. Applications Trust, or lack thereof, is a factor in all five of the fundamental cloud security challenges. These challenges all involve Data Metadata Content uncertainties about the provider’s standard of care and how the provider Platform as a Service (PaaS) will treat the client (and the client’s data) in the event of a problem. [12] Integration & Middleware ff Data protection •• Where do data physically reside, Infrastructure as a Service (IaaS) and does the data’s location have legal ramifications? APIs •• Are data safely protected (i.e., by encryption) while stationary or in motion within Core Connectivity & Delivery and across the cloud? •• How is availability of data assured in the cloud? Abstraction •• Does the provider take measures to ensure that deleted data is Hardware not recoverable? ff Security control •• What security controls does the Facilities cloud provider need to implement, and how? •• How are assurance levels effectively and efficiently managed in the cloud? ff ComplianceFigure 1 Provider Assurance Responsibility in Different Types of Service [11] •• Is the cloud complying with all the necessary guidance?everything else is left to the provider. also has certain security advantages. For •• Can the provider substantiateWith IaaS, the client is responsible for example, a desktop computer almost claims that security controls areeverything but physical and (some never complies with an organization’s implemented sufficiently?aspects of) network security. Regardless security policy “out of the box,” but a ff Multi-tenancyof the service and inherent allocation of cloud can be configured so every new •• Are my assets vulnerable ifresponsibility, cloud clients ultimately virtual machine created therein is another client is exploited byleave the fate of their information assets compliant. Monitoring certain activities an attack?in the provider’s hands (see Figure 1). and rolling out updates across a cloud is •• How does the cloud provider The service provider is responsible relatively easy—unlike doing so across a keep different clients’ datafor maintaining, upgrading, and securing collection of distinct physical machines. separated and inaccessible fromthe hardware and software (where However, cloud computing presents other clients?applicable) on which the service runs. a variety of information assurance (IA) •• If a forensic/electronic discoveryIdeally, this setup allows users to stop challenges. One salient feature of the procedure is conducted on oneworrying about the security of their time-sharing model was trust. The users client’s data, how will theinformation assets by leaving them in and owners of the old mainframes weremore competent hands. Cloud computing part of a community with common12 IAnewsletter Vol 13 No 2 Spring 2010 • http://iac.dtic.mil/iatac
  13. 13. provider protect the may not want to answer questions about ignores other kinds of costs. What will it confidentiality of other its security practices. Cloud SLAs also cost an agency if moving to the cloud clients’ data? generally absolve the provider of liability compromises its ability to protectff Security governance in the event of a security breach. (This is sensitive data or meet mission •• Who owns/accesses/deletes/ not the case with private and requirements? Agencies need to consider replicates data in the cloud? community clouds: more on this later.) these kinds of costs as they evaluate •• How can the client ensure If the transition of federal their information assets for “cloud policy enforcement? information assets into the Cloud readiness” on a case-by-case basis. [14] •• How can the client measure Computing Environment (CCE) is Once an agency has decided which and track service/network inevitable, then how can the federal assets it can safely transition to the performance? government effectively mitigate the risks cloud, it needs to choose the service Figure 2 illustrates the layers of the inherent in the cloud? First, government model—or relationship between cloudcloud and associated layers of security. organizations must decide whether to client and provider—that best fits its Exacerbating these problems is the move certain assets to the cloud at all. requirements. The four cloud servicefact that contracts with public cloud On the face of it, spending $10 a day for models—public, private, community,providers almost always take the form of cloud infrastructure seems less costly and hybrid—have different sets of costsnon-negotiable service-level agreements than spending $100 on in-house and benefits (see Figure 3).(SLA) that severely limit, at best, the infrastructure (not to mention capital The public cloud service model isclient’s ability to see, audit, or control expenditure; it is less costly to start up a probably what many people wouldback-end operations in the cloud. A virtual server in a cloud than to set up a consider the archetypal model of cloudclient’s ability to do so would create physical one). However, thinking only in computing. In the public cloud model, amore difficulties than most providers terms of $10 versus $100 for regular provider sells cloud services to multipleare willing to deal with. The provider maintenance is dangerous because it unrelated clients, or tenants. They leave Policy & Procedures Goal: Trusted Environment, Well-Served & Satisfied Users, Agency Success Presentation Presentation Information Data Encryption, database security Modality Platform APIs Applications/Service access control, Applications static code analysis, WAFs Applications Governance, Controls, Stakeholder Satisfaction… Policy enforcement, rerouting and throttling of services, validated identity claims, authentication and authorization, Data Metadata Content Management security event monitoring, alerting and notification, contextual dashboard, independent key management Integration & Middleware Firewalls, NIDS, Zone base segmentation, dedicated APIs Network MPLS/VPN network connections Secure hypervisor for segmentation, Core Connectivity & Delivery Trusted Computing message verification, trusted APIs Abstraction Massive scale, contractual constraints on storage locations, Compute & Storage controlled and secured server images, encryption Hardware Facilities Physical Infrastructure security, physical inventory *Derived from CSA “Security Guidance for Critical Areas of Focus in Cloud Computing Technology & Tools Figure 2 Layers of Cloud Computing Environment (CCE) Security [13] IAnewsletter Vol 13 No 2 Spring 2010 • http://iac.dtic.mil/iatac 13
  14. 14. back-end maintenance and operations most of the economic benefits of of the public cloud because it eliminatesto the cloud provider. This arrangement outsourced cloud service. For a considerable amount of redundantis very cost-effective and, in theory, lets organizations with less sensitive assets, effort and cost. Members of the clientclients rest easy knowing the security of putting everything in a private cloud community can pay the provider fortheir information assets is in good may create unnecessary costs, only what they use, or for the utility andhands. However, the fundamental cloud inefficiencies, and redundancy. Also, if subscription cost. The latter would stillsecurity challenges mentioned earlier an organization has difficulty securing likely total less than what the clientare most problematic in this model. its information assets in a traditional would have paid to operate its own If a federal agency were to entrust setup, it is unlikely that transitioning to individual data centers.its information assets to a cloud a private cloud will solve its problems. The last type of service model is aprovider under the terms of a standard Such an organization would benefit hybrid cloud, which combines two orcloud SLA, the agency would have from having a trusted service provider more of the service models describeddifficulty demonstrating compliance perform these functions. above. An organization could, forwith IA standards mandated by A community cloud is somewhere example, keep sensitive proprietary dataregulations, such as the FISMA. Most on the continuum between the public in its own private cloud and collaboratepublic cloud providers would have to and private service models, and it enjoys on projects with industry partners in asignificantly retool their operations to some of the benefits of both. Like a community cloud. For users belonginghelp federal agencies meet their IA public cloud, community clouds serve to the organization, these two cloudsobligations. Some providers are multiple tenants. The difference is that would, in effect, be seamlesslyattempting to do so (Amazon’s “virtual the tenants are not strangers but related integrated through a single sign-onprivate cloud” is an example [16]), but, entities that share common system. The problem with hybrid cloudsfor the time being, public clouds are characteristics and needs. An individual is that they share vulnerabilities in theinappropriate for anything but the least client community member, multiple system’s least secure areas and presentcritical, most low-risk federal members working cooperatively, or a new vulnerabilities. For instance, if it isinformation assets. dedicated provider can operate easy for a user to switch between clouds A private cloud can be operated by community clouds. Unlike public clouds, on his or her desktop computer, it is alsothe same organization that uses it, or a community clouds are built and easy for that user to make a mistake anddedicated provider can operate the operated on the clients’ terms: they can expose sensitive data. In addition,cloud on the organization’s behalf. A be constructed to facilitate compliance integrated clouds mean integrated complexprivate cloud, when managed properly, with standards that all clients use. Of all systems, which by definition are rifeis the most secure type of cloud service the cloud models, the community cloud with potential security vulnerabilities.model because it is directly controlled is most similar to time-sharing in terms Returning to the central point ofby its client. Private clouds also make of the level of trust between all this article, a federal community cloudmore efficient use of physical IT assets stakeholders. This type of cloud also can provide a guaranteed IA baseline forthan traditional data centers, but lack offers many of the economic advantages its clients, whether they are departments within an agency or multiple agencies. It can reduce the cost Compliance/regulatory laws mandate of providing effective security and on-site ownership of data Pros eliminate significant redundancy. It can Security and privacy also be fully accountable to its clients and their oversight bodies (i.e., Office of Reduce costs Latency & bandwidth guarantees Management and Budget, Congress). Absence of robust SLAs The clients and their oversight bodies Resource sharing is more efficient can have a reasonable level of visibility Management moves to cloud provider Uncertainty around interoperability, into, and control over, cloud operations. portability & lock in All primary stakeholders could work Consumption based on cost Availability & reliability together to set policy and address Faster time to roll out new services problems. Last but not least, federal Dynamic resource availability Inhibitors community clouds can be used to facilitate intra- and inter-agency for crunch periods cooperation within the framework of the Federal Enterprise Architecture. Setting up a community cloud andFigure 3 Advantages and Disadvantages of Cloud Computing From a Federal Perspective [15] governance structure that will14 IAnewsletter Vol 13 No 2 Spring 2010 • http://iac.dtic.mil/iatac

×