The Cloud Offers Lessons for Cybersecurity
Multilevel security, new applications can vex or aid planners.
As cloud computing gains greater numbers of adherents, their increasing demands are straining security measures designed to guard operations. This problem is going to worsen dramatically when applications such as artificial intelligence development assume a significant presence in the cloud.
Yet those same complications offer opportunities. The new types of security that will need to be applied to the cloud can be used for other forms of cyberspace operations. Solutions to the difficulties of cloud security could help protect data elsewhere commensurate with the enhanced role played by the cloud.
Currently, the greater threat to cloud security is with data at rest, says Brian Hajost, president and CEO of SteelCloud LLC. Data in motion is protected by good controls and protocols, as virtually all transmitted information is encrypted. However, large parts of stored data are not encrypted, and access controls often have vulnerabilities. “Data that moves is typically under the control of a system, of a network, of protocols, of encryption, of keys,” he posits. “Data at rest many times is loosely controlled. We don’t know where all of our data is.”
Cloud thinking ought to be applied in many cybersecurity activities, Hajost offers. “A cloud is thought to be a highly automated, highly mechanized thing, whereas security and the compliance part of security and risk management is something that heretofore has been very manual, very human-intensive,” he relates. “Think of the cloud in total—think of all the things that can be mechanized; and as a user is moving an application or an infrastructure into the cloud, there’s a huge opportunity to mechanize those things.”
One application that will depend heavily on the cloud is artificial intelligence (AI). The cloud can serve as a repository for the massive amounts of data needed to empower AI, and it can provide the agility and elastic computing necessary for AI development. But its development processes will require a new approach to security.
Hajost continues that industry and government tend to focus on accreditation and security as it relates to their production systems. But when machines are doing work that is not fully understood—such as in AI—the development environment must have the same levels of security and compliance as the production environments. Vulnerabilities in AI can be exploited to dramatic effect in production systems, and they would be difficult to detect, Hajost notes.
“AI poses vulnerabilities that we really have not experienced in business systems or traditional weapon systems, where we can test and validate the logic of capabilities,” he explains. “In AI, where you have machine learning, it’s virtually impossible to test all of the capabilities of AI to ensure you are going to get the results you expect.” With vulnerabilities more hidden, a new level of scrutiny must be applied to the development, testing and deployment of AI in the cloud.
Yet AI actually can improve a degree of security by expanding control over data. “AI, in its ability to take more control over more data, bring more data under a system umbrella, actually [can] provide a lot more security than we have today,” Hajost says.
“Data that’s under AI control allows us to do things we cannot do with humans,” he continues. “It allows us to tag everything, it allows us to secure [data]. There are user opportunities to get more secure with AI than we have today.”
Hajost points out that the cloud isn’t necessarily a good solution for all applications. But where it works—when the cloud gives a mission a real advantage—the user now has a software-driven data center that allows more control. To best exploit the cloud, the focus must be on applications that should be there and could provide real advantage to the mission, he says. That approach should eliminate most of the issues that give users reluctance to embrace the cloud.
Information sharing is the most active aspect of cloud operations, Hajost states. Legacy physical data centers and information silos do not easily lend themselves to data sharing, but the cloud provides a flexible and agile capability for sharing data. Its lack of physical boundaries also breaks down barriers between branches of government and the private sector. Data sharing among these diverse entities will become increasingly important, especially in terms of homeland security and cybersecurity.
The applications that migrate to the cloud first tend to be those that do not work well in a traditional data environment, and these are usually data-sharing applications, he says.
The cloud capability that Hajost foresees users exploiting the most is the entire software development/technology operations, or DevOps, process. The cloud could provide an integrated development, deployment and operational environment where users can get to a continuous compliance process. Operators could take advantage of the cloud for DevOps to a much greater extent than is possible in an on-premises environment, he states.
Another popular use would be in elastic computing. The cloud is perfectly suited for adapting computing resources to varying demands, and many cloud vendors currently offer it, Hajost says. Users have not taken full advantage of it, he allows. “You’ll see almost unlimited flexibility and compute power as users need it when they stand up new missions and new operations or close those down, and move from CONUS to OCONUS [contiguous United States to outside contiguous United States] and back and forth,” he suggests.
One key area of cloud security involves its role in information modernization. When organizations migrate applications to the cloud, they must go through risk management framework (RMF) and authority to operate (ATO) activities as for any new system. So not only must the cloud infrastructure be secured or be created in a way that provides security, but also the application and the environment must go through the RMF process, Hajost points out. Both of these are human-oriented activities.
The RMF process requires a methodology for staying in compliance, and continuous monitoring is one way of ensuring that levels of compliance are met and problems are fixed. A subset of this approach is continuous compliance, as opposed to continuous assessment, Hajost offers. Instead of assessing and then fixing, this process would continually fix the cloud without manual intervention or human labor.
Unlike a data center where hardware, wires and building security exist with their own guardrails for inputting an application, the cloud allows virtually any capability in its software-driven environment. This versatility can be a double-edged sword when it comes to security, as capabilities must be chosen carefully and introduced in a secure manner, Hajost says.
“At the end of the day, nothing matters except live capabilities that a mission can use,” Hajost states.
To meet this goal, all of the processes connected to cloud operations must move at cloud speed, he points out. These include the ATO process, hardening, compliance, documentation, testing and procurement. The weak link will slow everything down, which could be severe for cloud capabilities delivered to the warfighter, he says.
With a hybrid cloud, operators must ensure that the risk framework used for securing the cloud matches the one inherent in the organization’s internal system. For example, if the internal system operates at the classified Secret level, its links to the cloud must also be at the classified Secret level, and the cloud formation also must be built to that level. Even below Secret, at impact level (IL) 4 or 5, these elements must match. This can create issues, Hajost says.
Addressing these issues can be complex in a hybrid cloud environment with an application environment that handles all ILs below Secret but a cloud that addresses only one of those ILs, he continues. If the cloud IL is lower than the internal environment, the application would clash.
The user organization is responsible for creating and evaluating the controls that will be used for obtaining an ATO for this environment, Hajost notes. Many organizations in the midst of hybrid cloud migration often find themselves duplicating their efforts to create documentation in applications and organization. Having more building-block techniques based on best practices with documentation would help this migration through preapproval and faster implementation, he suggests.
In effect, the government would generate cookbooks that would guide the installation of a specific IL network. This would spare cloud installers from having to reinvent every aspect of the network’s security from scratch and instead give them the recipe for each IL. While FedRamp states that a particular cloud can be made compliant, it doesn’t say how or what to do to achieve that compliance. With a cookbook, cloud operators can avoid inefficiency and help ensure compliance, Hajost suggests.