Security is the primary focus of any government agency. One of the most obvious pitfalls of these agencies moving highly sensitive data to the cloud is that they surrender control to a third party. Moreover, nothing on the internet is truly secure, and all data is vulnerable to attacks and threats.
The exposure footprint to those threats is staggering under the best of circumstances. For example, the complexity of mobile devices poses a significant challenge when it comes to cloud security. In addition, data commonly flows from one cloud provider to the next and between national boundaries, which runs counter to the physical security measures every government agency should have in place.
Securing Government Data in the Cloud
A Cloud Security Alliance (CSA) survey found that many executives and IT managers have serious concerns about data security. According to the report, 73 percent of respondents indicated that these concerns were holding them back from adopting cloud computing. Additionally, 38 percent cited regulatory compliance as a major barrier to cloud adoption, and the same percentage of respondents expressed anxiety about the loss of control over IT services.
To help alleviate some of these concerns, the U.S. Department of Defense (DoD) released an unclassified document titled “Cloud Computing Security Requirements Guide (SRG)” that outlined essential components for secure cloud computing. The document is intended to simplify the security requirements for the DoD and cloud providers, who must attest, control, monitor and provide evidence of data separation.
This approach to cloud computing is based on “impact levels” that consolidate data records in accordance to their sensitivity. At the lowest level, nonsensitive, unclassified data, such as information available through the Freedom of Information Act or hosted on public-facing websites, can be stored in commercial clouds that meet the strict baseline standards under the Federal Risk and Authorization Management Program (FedRAMP), a system designed to protect cloud-based government data.
When the impact level is increased, the physical requirements for data security come into play. The rub is that once the data reaches a secret classification, a public cloud is not the right place. It must be on-premises or in private clouds that are not commercial but government owned.
Enclaves that transact sensitive data must also be a part of the security architecture. Personnel must be cleared by the government and restricted by tight physical access controls. These enclaves are physically separated within a data center that does not share hardware, applications or other resources the cloud provider would otherwise share with its tenants.
Physical Cloud Security
Most governments are risk averse when it comes cloud security and safeguarding highly confidential data within their networks. Some agencies air gap their computer systems, which physically separates a secured network from an unsecured one. Air-gapped systems can also be found in major financial institutions, stock exchanges and industrial control systems within nuclear power plants. These are all examples of physical security controls that prevent access from the outside world. However, they also complicate the transfer of data between unsecured and secured networks, requiring human intervention that is prone to errors.
Data diodes are common in environments. They provide a secure, one-way channel where data can pass in only one direction. This assures that secure data cannot be leaked back to the unsecured network. Data diodes are specialized, unidirectional devices that convert Transmission Control Protocol (TCP) connections to User Datagram Protocol (UDP). They then convert the connections back on the other side. This tells applications using the File Transfer Protocol (FTP) that a connection has been established, allowing users to transfer a file from the unsecured network to the secured one, but not in reverse.
The Road Ahead
The government sets regulations as a baseline, which is problematic because the security threat landscape constantly evolves. Government standards must be flexible to keep pace with emerging cyberthreats.
Major commercial cloud providers may not fully adhere to strict data security requirements. For example, identity and access management (IAM) in the cloud should be able to authenticate government users from one online location. In addition, the authentication credentials should seamlessly pass from one provider to the next.
Obviously, for the sake of national security, highly sensitive information will not be available in the cloud. Still, the overwhelming volume of attacks and threats across the globe takes a significant toll on the intelligence and military communities. This technology may provide a useful platform for intelligence sharing between nations with private, government-owned cloud storage solutions.
VP, Chief Security Officer and Architect, Securityminders Corporation
George Moraetes is one of the leading information security practitioners with over 20 years of industry experience. He currently serves as the VP, Chief Secu...