2015-03-29

Defense sees cloud computing as insecure

news.cyb/sec/Defense sees cloud computing as insecure:
3.17: 3.29: summary:
. I'm interested in cloud computing primarily because
it is promoted by Google's Chrome OS platform;
however, what makes that platform most secure
is not so much that it relies on cloud computing,
but that it strictly controls the firmware
and this avoids advanced persistent malware .
. the USA's DoD (Dept of Defense) is moving to cloud computing
(saving money by outsourcing to private industry
instead of using DoD's own servers)
but they are not putting all their data there,
because some of it is too sensitive .
. what they are hoping for
is that they can get private industry
to set up their servers on DoD property,
where physical access to the servers
can be monitored by the DoD .
. another issue is that top secret communications
are done on a network that is separate from
the public's internet .

. cloud computing can add some security
by putting walls between apps and your OS
somewhat like when using a SOA:
( SOA means converting all subprogram calls
into messages that get logged,
and then these are resolved into calls;
there is no need for a firewall at the site;
instead, every subprogram is an authenticated user,
and there's a firewall between each subprogram ).
. but if there are security holes in the browser
then bad sites can give you malware,
and sites can go bad any time they get hacked .
. cloud computing means sites hold your data,
and then hacked sites expose your data .
. also when your apps are in virtual machines (vm),
the walls between vm's depend upon
there not being any holes in the hypervisor's
Trusted Computing Base (tcb);
this is likely only if the tcb is quite small,
and the hardware's firmware is not hacked
(Intel's popular x86 firmware is often hacked;
and designed to be hackable)
[intro to cloud security issues].
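
The SOA idea described above (each call becomes a logged message, each subprogram is an authenticated user, and a wall sits between subprograms), as an added Python example that is not from the original post. The service names, keys and allow-list are constructed for illustration, and HMAC-SHA256 is an assumed choice of authentication.

```python
import hashlib
import hmac
import json

# Constructed sample data; all names and keys are hypothetical.
KEYS = {"ui": b"ui-demo-key", "billing": b"billing-demo-key"}  # one identity per subprogram
ALLOW = {("ui", "billing.get_invoice")}  # the "firewall": permitted (caller, target) pairs
HANDLERS = {"billing.get_invoice": lambda args: {"invoice": args["id"], "total": 42}}
AUDIT_LOG = []  # every message is recorded, allowed or denied


def _mac(caller, body):
    """HMAC-SHA256 over the message body, keyed with the caller's own key."""
    return hmac.new(KEYS[caller], body, hashlib.sha256).hexdigest()


def make_message(caller, target, args):
    """Convert a subprogram call into a signed message."""
    body = json.dumps({"from": caller, "to": target, "args": args},
                      sort_keys=True).encode()
    return {"body": body, "mac": _mac(caller, body)}


def dispatch(msg):
    """Authenticate, authorize and log the message, then resolve it into a call."""
    fields = json.loads(msg["body"])
    caller, target = fields["from"], fields["to"]
    if caller not in KEYS or not hmac.compare_digest(_mac(caller, msg["body"]), msg["mac"]):
        verdict = "deny:bad-signature"
    elif (caller, target) not in ALLOW or target not in HANDLERS:
        verdict = "deny:not-allowed"
    else:
        verdict = "allow"
    AUDIT_LOG.append({"from": caller, "to": target, "verdict": verdict})
    if verdict != "allow":
        raise PermissionError(verdict)
    return HANDLERS[target](fields["args"])


def demo():
    """One permitted call, one call no rule allows, one message altered after signing."""
    results = [dispatch(make_message("ui", "billing.get_invoice", {"id": 7}))]
    altered = make_message("ui", "billing.get_invoice", {"id": 8})
    altered["body"] = altered["body"].replace(b'"id": 8', b'"id": 9')
    for bad in (make_message("billing", "ui.render", {}), altered):
        try:
            dispatch(bad)
        except PermissionError as exc:
            results.append(str(exc))
    return results
```

Denied messages still land in AUDIT_LOG, so the log shows which subprogram tried to reach which, not only the calls that succeeded.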

3.12: applies to everyone:
. you might think internet is not so easy to hack
and DoD has to be extra careful only because
such big players are trying so hard to hack them .
. but organized crime wants your secrets too
because they can sell them to identity thieves,
and might profit from Big Data too .
3.28:
. why can't they connect to the internet?
is it for fear of denial of service attacks,
or that the internet is too infectious?
. the big players need your computer hacked too,
because they are building botnets:
they can use swarms of your computers
to do things like send malware emails anonymously,
and get help with cracking passwords .

2.1: news
DoD CIO Terry Halvorsen, Jan. 30, at Cloud Industry Days:

. DoD will move as much nonsensitive data as possible
to the commercial cloud,
considering the pricing differences between
standard storage of sensitive but not classified data
and storage in the cloud.
It's 20-25% less than in the milCloud
which is cloud computing implemented by gov,
and shareable by secret gov offices only .

. the milCloud Suite of Capabilities:
managed by DISA (Defense Info Systems Agency);
is an Infrastructure as a Service (IaaS) solution
[ DISA provides the x86 hardware
and the VMware virtualization ]
plus they offer services for
agile programming of secure applications;
services include:
the Orchestrator for Virtual Application
Provisioning, Building and Testing;
and the milCloud Asset Library:
store and share software, systems, virtual appliances,
test scripts, and deployable vApps [afcea].

Two important programs involved in
DoD’s transition to the cloud are
FedRAMP and FDCCI
(Federal Risk and Authorization Management Program;
Federal Data Center Consolidation Initiative).

intro to FedRAMP:
. it keeps a list of 3rd party Assessment Organizations
and a list of cloud services they've certified
so that any federal agency wishing to use a cloud service
doesn't have to do its own duplicative efforts at
security assessment, authorization,
and continuous monitoring .

. the Federal Data Center Consolidation Initiative
gets each federal agency to use
just one logical data center
but with servers in several physical locations;
and to share when possible between agencies .
. it reduces the amount of energy and real estate used
by relying more on virtualization
(where several websites can share a single computer);
eg, OPM's virtualization host is Linux running VMware.
. there will also be more use of
cloud apps (software as a service)
and platform as a service (where the cloud service
provides a machine with an OS,
and your developers build their software on it) [opm 2011].

. Cloud service providers doing business with DoD
may have to go beyond FedRAMP's requirements;
eg, see DoD's Cloud Computing SRG [below];
and contractors may need to build their servers
within federal property [fcw].
--[ this could then contain sensitive data;
but could it be connected to the internet? ]

DoD Cloud Computing SRG 
(Security Requirements Guide) Version 1 February 7, 2015

The 15 December 2014 DoD CIO memo regarding
Updated Guidance on the Acquisition and
Use of Commercial Cloud Computing Services
defines DoD Component responsibilities
when acquiring commercial cloud services.
The memo allows components to responsibly acquire
cloud services minimally in accordance with
the security requirements outlined in FedRAMP
and this Security Requirement Guide (SRG).
DISA previously published the concepts for
operating in the commercial cloud
under the Cloud Security Model.
Version 1 defined the overall framework
and provided initial guidance for public data.
Version 2.1 added information for
Controlled Unclassified Information.
This document, the Cloud Computing SRG,
documents cloud security requirements
in a construct similar to other SRGs
published by DISA for the DoD.

Level 4: Controlled Unclassified Information [CUI]:
... refers to unclassified information that requires
protection from unauthorized disclosure
as established by Executive Order 13556
or other mission critical data.

Level 5: Controlled Unclassified Information:
. accommodates CUI that requires
a higher level of protection;
Level 5 also supports unclassified
National Security Systems (NSSs)
due to the inclusion of NSS specific requirements
in the FedRAMP+ controls/control enhancements (C/CEs).
As such, NSS must be implemented at Level 5.

Level 6: Classified Information up to SECRET:
. Level 6 accommodates information that has been
classified as SECRET.
Services running at higher classification levels,
to include compartmented information,
are governed by other policies
and are beyond the scope of this document.
Impact Level 6 requires a similar set of
tailored controls as Level 5
and includes the CNSSI 1253 Appendix F, Attachment 5
Classified Information Overlay C/CEs.

DoD CLOUD COMPUTING SRG:

the DoD Cloud Service Catalog
is not publicly available;
[ as this could lead to publishing
the physical locations of DoD assets? ]

A Cloud Service Provider (CSP)
is an entity that offers one or more
cloud services in one or more deployment models.
A CSP might leverage or outsource
services of other organizations and other CSPs
(e.g., placing certain servers or equipment
in third party facilities such as data centers,
carrier hotels / collocation facilities,
and Internet Network Access Points (NAPs)).
CSPs offering SaaS [software as a service]
may leverage one or more third party CSPs
(i.e., for IaaS or PaaS [infrastructure or platform as a service])
to build out a capability or offering.
A Cloud Service Offering (CSO) is one of the
actual IaaS/PaaS/SaaS solutions available from a CSP.

milCloud is a DoD-operated CSO;
DoD CSP programs and services must follow
DoD Risk Management procedures
in accordance with DoDI 8510.01.

At a level 4 and above, it’s important to recognize
that the DoD PA evaluation process also assesses
the risk to DoD of permitting CSPs to
interconnect with DoD networks .
--[ is this referring to physical connections,
implying that DoD networks are
not accessible from the internet?
are they worried only about denial of service,
or do they think the internet is infectious
no matter how secure your site is? ]

The DoD cloud baseline C/CEs, which are
beyond what is required by FedRAMP
(otherwise referred to as FedRAMP+ C/CEs),
were selected primarily because they address
issues such as
the Advanced Persistent Threat (APT)
and/or Insider Threat,
and because the DoD, unlike the rest of the Federal Government,
must categorize its systems in accordance with CNSSI 1253,
based on Moderate Confidentiality and Integrity,
not including a baseline for Availability .