23 June 2018

Cyber Security in the Cloud: One or Multiple Cloud Service Providers?

By William Schneider Jr.

The inconsistent security protocols across the federal government's decentralized IT architecture have made its entire information system a particularly inviting target for attacks by adversary states and rogue insiders. There are compelling reasons for federal departments and agencies to move from a decentralized, ad hoc IT architecture to a cloud-based architecture. Decentralized systems are especially prone to computer-hygiene gremlins, such as when users' fail to apply software security updates consistently and practice poor password discipline. Such lapses present a low bar for hackers trying to propagate cyber malware or steal data. This hygiene problem is largely absent from centrally administered cloud-based architectures. Enforced uniformity of security practices among all users of the cloud creates a preferable outcome from a security perspective. 

Cloud-based architectures also offer additional advantages to our agencies, especially to the Department of Defense: the capacity for the massive scale-up of storage and computing capacity; the ability to increase or decrease storage capacity on demand; and the ability to meter demand so that the user pays only for services used.

In 2013, the intelligence community reacted swiftly to its networks’ exposure to adversary cyber operations by moving all 17 intel agencies and their separate networks to a common, sole-sourced cloud-based architectural approach known as the Intelligence Community IT Enterprise (ICITE). The move has proved to be a significant advance over prior conditions. Nevertheless, it would be a mistake to conclude that this architectural approach best fulfills security and data management needs in the move to the cloud. Indeed, even among members of the intelligence community, the preference for agency-specific cloud storage has produced numerous “private clouds” within the larger cloud-based architecture.

The IT architectural challenge facing the Pentagon is approximately ten times the size and complexity of the intel agencies’. This alone calls into question the ability of a sole-source architecture such as the ICITE to meet the Department of Defense’s needs.

In 2012, the Office of the Secretary of Defense ordered the Defense Science Board to conduct a study of security and reliability issues for a cloud-based architecture for the Pentagon. Noting the security needs and complexity of the military’s data storage and processing requirements, the Defense Science Board concluded that “no cloud computing deployment model is uniformly suitable for hosting all DoD applications. In general, sensitive, classified, and time‐critical DoD applications should be deployed only in private clouds or conventional non‐cloud approaches.”

The surge in the technical complexity of the Pentagon’s operations in the five years since the Board made its recommendation has only reinforced its significance and timeliness. As the path of military modernization has continued—toward autonomous operations, robotic systems, pervasive sensing, 24/7 multi-domain military operations and many other data and computationally intensive missions—effective cloud-based security and data management have become fundamental. And there is still no "uniformly suitable" model.

Best practices in cloud use in the commercial sector affirm these observations. A 2016 Microsoft study found that 79% of the 1,734 surveyed firms in ten countries preferred a multi-cloud approach. Nearly one-third of those surveyed had four or more cloud service providers.

As the cloud services sector matures, the single-provider model for cloud services that was pioneered by the intelligence community may no longer be the preferred approach for organizations with significant security concerns. Increasing the number of cloud service providers may present differing cyber-attack challenges compared to a single cloud services provider. But multiple cloud service providers can raise the cost and risk to the attacker -- and the consequences of exposure -- even if no computer-based system can be made perfectly secure.

Wililam Schneider Jr. is a senior fellow at Hudson Institute and chairman of Hudson’s Task Force on Federal IT Procurement, sponsored in part by Oracle Corporation and Microsoft Corporation. Schneider is the former Chairman of the Defense Science Board (2001-09) and former Under Secretary of State for Security Assistance, Science and Technology (1982-6).

No comments: