Committed to Cloud Computing
The National Security Agency stays the course following the Snowden controversy.
Recent insider security breaches have put increased scrutiny on the U.S. intelligence community’s cloud computing plans. But cloud computing initiatives remain unchanged as the technology is expected to enhance cybersecurity and provide analysts with easier ways to do their jobs in less time.
With cloud computing, reams of data reside in one location rather than in a variety of repositories. Combining data leads to greater efficiencies for intelligence analysts, but in the view of some, it also means greater vulnerabilities. “There’s a school of thought that says if you co-locate data, you actually expose more of it in case of an insider threat than if you keep it all in separate repositories by data type,” explains Lonny Anderson, National Security Agency (NSA) chief information officer. “The onus is on us to convince the rest of the community, the rest of the Defense Department, that we can secure their information in the cloud in a way that they simply can’t secure it today.”
Anderson acknowledges that the recent insider leaks have increased doubts within the intelligence community about cloud computing, but he expresses confidence that the agency and the intelligence community are on the right path. “I think everybody is a little more nervous and a little more security conscious.
“Everything we’ve learned so far of [NSA leaker Edward Snowden’s] activities has reinforced for us that the path we’re already on is the right path. The lesson we’ve learned is the need to share information but to share selectively, only with those with a need to know,” Anderson says. “The leaks actually reinforced the need to move to the cloud and move there more quickly.”
The NSA has been using cloud computing for more than 18 months and, along with the Central Intelligence Agency (CIA), is implementing cloud computing across the intelligence community. Anderson describes cloud computing as the centerpiece of the Intelligence Community Information Technology Enterprise (ICITE) strategy. The strategy moves all intelligence agencies and organizations to a single, enterprise-level architecture, similar to the Defense Department’s Joint Information Enterprise. The new architecture is expected to offer enhanced information sharing capabilities and improved agility, scalability and security while also lowering operating costs. The enterprise architecture also includes thin client desktops, widespread virtualization, application stores known as an apps mall and improved security. ICITE was announced in 2011, several days after Director of National Intelligence James Clapper announced budget cuts of more than $10 billion to the intelligence agencies. As much as half of those savings are to come from information technology budget items.
Anderson asserts that it is not unusual for analysts to be less than enthusiastic about new information technology tools. “We’re in the middle of fighting a war on terror. We’ve got Afghanistan. We’ve got increased cyber activity. So, our analysts are busy. They’ve got a lot on their plates,” he says. “When we open the door from the technology directorate and say we’ve got a new tool, they’re generally not happy because it’s just another tool.”
Still, Anderson predicts a day when those same analysts will be among cloud’s biggest supporters. “As the agency demonstrates the benefits of finding all the data needed in one place rather than having to search different types of repositories for different types of data, analysts will see that it will save significant amounts of time for individual tasks,” he asserts.
The agency has been working with analysts, walking them through the workflow on the cloud computing architecture so they can compare the difference with legacy systems. Cloud computing can save up to 90 percent of an analyst’s time, depending on the personnel and the individual tasks, Anderson indicates. “Once analysts start to see that, they will become the people who are screaming that we’ve got to get to the cloud faster. That’s the approach we’re taking—let the users become our greatest advocates,” he asserts.
Additionally, having the data co-located should make it easier to connect the dots between bits of data. Cloud computing is considered the best solution for the challenge presented by big data—the overwhelming reams of intelligence streaming in from a various systems, such as unmanned aerial vehicles. Al Tarasiuk, chief intelligence officer for the Office of the Director of National Intelligence, has said that intelligence personnel have to determine almost in real time, in a streaming format, whether information needs to be shared immediately or if it can be held for deeper analysis (SIGNAL Magazine, October 2012, “Managing Change in the Intelligence Community.")
The solution comes in being able to tag information quickly and properly, using such protocols as Extensible Markup Language. Anderson points out that information is tagged as soon as it is loaded into the cloud. He uses the phrase “tag the data, tag the people” to describe the process for ensuring personnel have access only to the data for which they are cleared. “We’re not the only ones going through it. Everybody is dealing with this challenge of big data,” he says.
Additionally, data in the cloud can be tracked, so that officials know who has accessed the data and what they did with it. And if someone attempts to access data without the proper clearance, alarm bells immediately go off.
For now, the agency is storing data in both the cloud environment and the legacy systems. “We’re still transitioning analysts into a world where they can take advantage of things you get to do with big data that you can’t do surfing from repository to repository,” Anderson states. He also points out that Snowden apparently did not steal the data from the cloud. “To the best of our knowledge, none of the information released to date came from the cloud. NSA has combined and extended cloud technology to provide a secure capability to connect, detect, protect, preserve and remove data of many types with precision. Many of these features are already in place and are being used to provide precise control and auditing of sensitive data to users.”
Additionally, cloud security can be continually improved. “The design of NSA’s cloud architecture makes possible a number of additional security improvements at the developer, administrator and maintainer levels,” Anderson states.
Although plans for the new architecture remain, the agency is taking definitive steps to thwart any future insider threats. Changes include access levels, training, certifications, oversight and governance. For example, the agency directed an across-the-board, out-of-cycle password update. Officials also have reviewed and validated the responsibilities of all government employees and contractors who have privileged access while reducing that list to those who truly are performing system administrator functions. “This focused review helped us better define levels of access to our global NSA network and align privileged user roles to those required for the performance of duties,” Anderson says. The agency also is establishing a two-stage administration process to ensure all administrative activities are done in an environment that is audited and logged while removing the ability to act unilaterally. And, officials plan to implement two-person access to all managed machine rooms and data centers, which will mitigate the risk of anyone bypassing the networked two-stage administration process to directly access data centers. “Finally, we are accelerating additional changes to the security architecture that were already underway. These changes will complement our existing system protection with additional measures to protect the data that resides on our network,” Anderson offers.
The intelligence community chief information officers have adopted a service provider approach from among their number in parceling out the development and future management of ICITE. The CIA and the NSA will design the integrated hosting environment, so jointly they will provide cloud computing services to the community, including data, utility and storage clouds and information assurance. The National Geospatial-Intelligence Agency and the Defense Intelligence Agency lead the desktop design effort. “One of the things we decided with ICITE is that no one agency would provide all of the services. Different agencies would be selected to provide different services, and the intelligence community will leverage those services,” Anderson says.
The intelligence community has run into other road bumps on the way to cloud computing. The CIA awarded a $600 million cloud computing contract with a four-year base and two options to Amazon Web Services Incorporated, Seattle. IBM, Armonk, New York, launched a protest, and the Government Accountability Office recommended in June that the agency reopen the bidding.
The NSA has chosen an open source model based on designs by Google, Amazon, Facebook and others and placed a security wrapper around it. The NSA and CIA are bringing different emphases together that will provide the community with a full breath of cloud services, Anderson says. “Industry—big and small—is getting involved in the architectures we are using. From large companies like IBM and Oracle to new companies like Cloudera and MapR, a rapidly growing and evolving commercial market around open source and proprietary cloud capabilities has formed. This gives agencies and organizations the opportunity to leverage these capabilities as both turnkey systems and custom-developed mission systems,” Anderson reports.
Despite obstacles, however, this past summer Tarasiuk approved operation of the desktop, cloud and the apps mall, which allows the transition to the new architecture across the intelligence community, Anderson reveals. He says officials have no set date by which they will reach full operational capability, largely because the different agencies and organizations will be on different schedules. The transition may progress more rapidly as analysts realize the benefits of cloud computing and create a tipping point. “It will start slowly, it will build momentum, and then all of a sudden, it will dramatically increase in pace. It’s an evolutionary process,” he says.