
State, Local Agencies Should Examine NIST's Public Cloud Guidelines

(This post was originally published on the Virtual Integrated System Blog.)

As I mentioned in a recent post, the National Institute of Standards and Technology recently published a draft document outlining the risks of cloud computing and offering policies and procedures to help reduce them. While the guidelines are not yet official federal policy, they are a good starting point for agencies at any level of government that are considering public clouds as part of their cost-cutting and consolidation of IT services.

The core guidance of the NIST document comes down to four main steps in preparing for a public cloud solution:

  1. “Carefully plan the security and privacy aspects of cloud computing solutions before engaging them.” Before even looking at cloud solutions, an organization should fully understand the privacy and security requirements of the data that will be handled. Skipping that due diligence can lead to roadblocks later, or worse, to major security breaches and exposure of citizens' private data. The City of Los Angeles, for example, was caught by surprise when it found its cloud solution was not in alignment with federal data protection regulations for public safety data.
  2. “Understand the public cloud computing environment offered by the cloud provider and ensure that a cloud computing solution satisfies organizational security and privacy requirements.” Most public cloud services, whether infrastructure-as-a-service, platform-as-a-service, or software-as-a-service, were not built with public sector regulatory requirements in mind. Agencies need to analyze the gaps between what cloud providers offer and what their own privacy and security requirements demand, and then determine whether the cost of closing those gaps with a cloud provider still makes the project financially feasible.
  3. “Ensure that the client-side computing environment meets organizational security and privacy requirements for cloud computing.” Securing the application and data at the back end, in the provider's cloud, does not by itself secure the overall solution. The client side is easy to overlook and can create a number of security problems, especially if SaaS applications support mobile devices. Agencies should consider, for example, how to lock down smartphones and other mobile devices so that a lost or stolen device cannot reach internal resources through cached credentials. There is also the question of how the public cloud service will integrate with the identity management and authentication standards the organization already uses.
  4. “Maintain accountability over the privacy and security of data and applications implemented and deployed in public cloud computing environments.” Outsourcing the infrastructure does not outsource responsibility. Public clouds should be handled like any other managed service or outsourcing arrangement: agencies need to ensure that security and privacy practices are applied as consistently and appropriately in the cloud as they are to internal IT resources. That means agencies should have visibility into the operation of the cloud service, including the ability to monitor the security of their cloud assets and to continually assess how well security and privacy standards and practices are implemented in the provider's infrastructure.


At the end of the day, after assessing how well public cloud providers can meet the requirements of government applications, agencies may find that much of what they thought could be moved to a public cloud is better suited to a private cloud service.


What an Internet “Kill Switch” Would Mean to the Public Cloud

In the wake of the events in Egypt in early February, and the Egyptian government's cutoff of Internet access in response to protests coordinated partly through social media, the U.S. Senate took up legislation that would give the President emergency powers over Internet traffic in the event of a cyber attack or other nationwide cyber threat.

While senators deny that any legislation will include a “kill switch” allowing the President to shut down the public Internet in an emergency, the mere discussion of such a capability has sent waves of concern through the Internet community and raised major questions about what the legislation could mean for public cloud providers.

David Linthicum, CTO and founder of Blue Mountain Labs, recently wrote that the idea of a “kill switch” is already hurting cloud providers. The reason: organizations are reluctant to invest in cloud computing because they worry that their connection to their data could be “pulled from (them) at any time.”

But it does not take an Internet “kill switch” to make that happen. A denial-of-service attack, a natural disaster, or any of a number of other events that degrade public Internet bandwidth could cut an organization off from the public cloud without warning if no provision has been made for alternate connections.

Read the rest of this post at: Virtual Integrated System Blog – Government – What an Internet “Kill Switch” Would Mean to the Public Cloud.


NIST's Guidelines for Public Cloud Security Emphasize Risk Management

The National Institute of Standards and Technology has released a preliminary set of guidelines for cloud computing security. The draft version of Special Publication 800-144, “Guidelines on Security and Privacy in Public Cloud Computing,” offers recommended precautions and policies that federal agencies should follow if they plan to use public cloud resources.

The document does not dismiss public clouds as an option for government systems. But its authors, NIST computer scientists Wayne Jansen and Timothy Grance, are clear about the many hazards of outsourcing systems to a public cloud provider. Much of what makes cloud computing an attractive option for government agencies is also at odds with the way agencies have traditionally applied governance and security to information systems, Jansen and Grance wrote:

Several critical pieces of technology, such as a solution for federated trust, are not yet fully realized, impinging on successful cloud computing deployments. Determining the security of complex computer systems composed together is also a long-standing security issue that plagues large-scale computing in general, and cloud computing in particular. Attaining high-assurance qualities in implementations has been an elusive goal of computer security researchers and practitioners and…is also a work in progress for cloud computing.

The rest of this post is at: Virtual Integrated System Blog – Government – NIST's Guidelines for Public Cloud Security Emphasize Risk Management.


Private Clouds, Self-Service IT, and the Power of Transparency

On February 17, I spent the day at Cloud/Gov, a conference on government use of cloud computing hosted by the Software and Information Industry Association and INPUT. One of the things I heard consistently from the federal IT leaders who presented and from those I met during networking breaks was that one of the biggest motivators for a move to the cloud is the financial transparency it provides. In other words, cloud services show exactly what agencies are actually paying for with their IT budgets.

Read the rest of this post at: Virtual Integrated System Blog – Government – Private Clouds, Self-Service IT, and the Power of Transparency.


Manning alleged to have loaded software onto SIPRNET

The Army announced additional charges against PFC Bradley Manning, who is accused of being the source of the classified DoD and State Department material passed to Julian Assange's WikiLeaks. According to the new charges, Manning introduced unauthorized software onto an analyst workstation connected to SIPRNET and used it to extract classified information for download.

Here’s the release:

FORT LESLEY J. MCNAIR, D.C., March 2, 2011 – After seven months of additional investigation by the U.S. Army Criminal Investigation Command and other investigative agencies, the Army has added 22 charges in the case of a military intelligence analyst accused of leaking classified material.

The new charges against Pvt. 1st Class Bradley E. Manning allege that he introduced unauthorized software onto government computers to extract classified information, unlawfully downloaded it, improperly stored it, and transmitted the classified data for public release and use by the enemy. The investigation remains ongoing, officials said. “The new charges more accurately reflect the broad scope of the crimes that Private 1st Class Manning is accused of committing,” said Capt. John Haberland, a legal spokesman for U.S. Army Military District of Washington. “The new charges will not affect Private 1st Class Manning’s right to a speedy trial or his pretrial confinement.”

U.S. military officials in Baghdad preferred two charges consisting of 12 specifications against Manning on July 5. Officials said the commander of U.S. Army Headquarters Command Battalion preferred the new charges yesterday. In addition to a charge of aiding the enemy in violation of Article 104 of the Uniform Code of Military Justice, the new charges include 16 specifications under the UCMJ's Article 134:

  - One specification of wrongfully causing intelligence to be published on the Internet knowing that it is accessible to the enemy;
  - Five specifications of theft of public property or records, in violation of 18 U.S. Code 641;
  - Eight specifications of transmitting defense information in violation of 18 U.S.C. 793(e);
  - Two specifications of fraud and related activity in connection with computers in violation of 18 U.S.C. 1030(a)(1); and
  - Five specifications in violation of Article 92 of the UCMJ for violating Army Regulations 25-2, “Information Assurance,” and 380-5, “Department of the Army Information Security Program.”

The charge of aiding the enemy under Article 104 is a capital offense, officials said. However, they added, the prosecution team has notified the defense that the prosecution will not recommend the death penalty to the convening authority, Maj. Gen. Karl R. Horst, commanding general of the U.S. Army Military District of Washington. Under the UCMJ, the convening authority ultimately decides what charges to refer to court-martial, and whether to seek the death penalty if Article 104 is referred. Therefore, if convicted of all charges, Manning would face a maximum punishment of reduction to the lowest enlisted pay grade; total forfeiture of all pay and allowances; confinement for life; and a dishonorable discharge.

At the request of Manning’s defense attorneys, the trial proceedings have been delayed since July 12, pending the results of a defense-requested inquiry into Manning’s mental capacity and responsibility, pursuant to Rule for Courts-Martial 706. Depending on the results of the inquiry, an Article 32 hearing may follow, officials said. An Article 32 hearing is the civilian equivalent of a grand jury, with additional rights afforded to the accused, they explained. Manning remains confined in the Marine Corps Base Quantico brig in Quantico, Va. He was notified of the additional charges in person during a command visit today, officials said. Officials emphasized that Manning is presumed innocent until proven guilty, and added that the Army is committed to ensuring his continued safety and well-being while in pretrial confinement.