U.S. Nuclear Agency Enhances Cybersecurity With Cloud Computing
Officials aim to have a solution in place by year's end.
The U.S. agency responsible for the management and security of the nation’s nuclear weapons, nuclear proliferation and naval nuclear reactor programs is racing to put unclassified data on the cloud this year. Cloud computing is expected to provide a wide range of benefits, including greater cybersecurity, lower costs and networking at any time and from anywhere.
Officials at the National Nuclear Security Administration (NNSA), an agency within the Department of Energy, expect to have a cloud computing capability this year. The solution, known as Yourcloud, will provide the NNSA with its own cloud computing environment to manage data more securely, efficiently and effectively. It is part of an overall effort to modernize the agency’s information infrastructure. Yourcloud replaces an aging infrastructure that resulted in too many data centers and an inability to refresh equipment as often as necessary.
The Yourcloud infrastructure will be built and owned by industry, while the NNSA will control the data residing in the cloud. “We’ll be using a commercial data center space with a managed cloud provider as well as a managed security provider to offer us fee as a service back to our customer base,” says Travis Howerton, NNSA chief technology officer. “I don’t want to own my own infrastructure on the unclassified side, but I do want to own my own data. That’s why we’ve been pushing the innovation agenda around security, taking advantage of the lower-cost industry options while not compromising our security posture. What we really have to do is figure out how to insource security and outsource computing, to keep the keys of the kingdom inside, to protect the crown jewels, to make sure we own the security of our data, but then to take advantage of low-cost computing wherever it may be. We are evolving to that model.”
Although Yourcloud is strictly for unclassified data, security is a top priority because of the nature of the agency’s work. “We will have much better security across the board in a cloud environment. If you do it right, you can have a lot more enforcement points; you can add a lot more sensors; and you can do a lot more things than you can in a distributed environment,” Howerton emphasizes. “It’s not without some challenges, but I think we will significantly harden our systems, which is, for us, probably the most important outcome.”
And because of the agency’s special mission, officials are tailoring a solution to its specific needs. “The reason we’re doing a custom build is that we could not find anything in the commercial marketplace that could meet our security standards, being that we’re the nuclear weapons wing of the federal government,” Howerton explains. “We think we’ve pushed the boundaries of what’s possible in cloud security, combining that with network security and storage security in an innovative way. We’ve solved some foundational problems around federated identity management.”
Yourcloud allows the agency to build a defense-in-depth solution, which Howerton describes as unique. “We built security defense in depth in every layer of the stack. Instead of just doing a physical firewall at the edge, we’ve got both physical and logical firewalls all the way down into the infrastructure,” he says.
He describes a solution that includes separation of hypervisors, or virtual machine managers, which he says is based on commercial best practices. “We’ve got hypervisor segregation based on VMware best practices, as well as a unique storage-level approach layered with the hypervisor segregation. That provides defense in depth all the way down to where the data lives, making sure there’s no point of failure within our overall architecture,” Howerton elaborates.
Acting as a cloud service broker also is an important part of the NNSA strategy. It allows best-in-class security that the agency could not afford in a distributed architecture while respecting site autonomy and allowing its laboratories and plants to deliver unique mission value. “The reason that’s important for us is that we’re a government-owned, contractor-operated shop,” Howerton says. “We hire some of the best and brightest companies to operate our labs and plants. Each one of those has a separate contract and its own business systems. The contractors bring their own expertise to solve the problem set we chartered them to go after.” He adds that, under the circumstances, an all-powerful, “Lord of the Rings” solution is not appropriate. “We took a different approach. That’s why we call it Yourcloud. We provide the base infrastructure, but users own it and manage the workloads and provide economies of scale.”
Yourcloud is expected to save money in several ways. For one thing, the NNSA is using a “no capital expenditure,” or no-capex, approach, a model so unusual in government that industry “had a hard time getting its mind around this,” Howerton contends. “It’s a commercial model instead of a traditional government model. It’s more of an as-a-service model, which is unique from a contracting perspective.”
The no-capex solution allows the agency to avoid some of the upfront costs normally associated with building a cloud infrastructure. “Usually, what happens if you want to build out a cloud is that you would sink a million or more dollars into networking, servers and storage infrastructure that would be quite expensive. It requires a big outlay of cash, and you have to preprogram that into your budgets,” Howerton relates.
With no capex, the service provider builds the infrastructure and amortizes it over the contract period of performance, and the NNSA purchases it as a service based on what the agency uses, providing savings in operations and maintenance and “avoiding the capex bubble of the initial outlay,” Howerton explains. “It’s an approach that’s good for industry and good for us. Industry gets a little bit longer contract with revenue coming in; we get lower costs. Everybody wins with that model.”
Additionally, Yourcloud will save money by allowing greater automation capabilities. “We’re also looking at business savings. Right now, we pay a lot of people to do things manually. In a cloud infrastructure, you can automate a lot of that,” Howerton states. He adds that cloud computing also provides energy savings, which is important to an Energy Department agency.
Furthermore, Howerton says, he expects Yourcloud to “open up an entirely new suite of capabilities to our mission lines” and to allow users to “do things they just cannot do in the field today.” And it will allow NNSA to recruit and retain top talent, which is harder to do “when you’re behind in technology.”
The NNSA is pursuing an agile acquisition process with new capabilities being fielded approximately every 90 days, which Howerton says is better than waiting five years to field something and expecting it to be awesome. “We think that reduces risk. It keeps our customers happier because they’re always getting newer things,” he adds.
The agency also seeks to reward industry for good work with what Howerton describes as an all-carrots, no-stick approach. “I don’t think the ‘ivory tower, thou shalt’ approach is very effective. What we are going to do instead is to give them something more secure than they can deliver on-premise and cheaper than they can deliver on-premise, and the natural outcome of that will be widespread adoption. I don’t think we need a stick in this case,” he offers.
Although Yourcloud should be operational this year, challenges remain in supporting any device anywhere. From an infrastructure perspective, the agency needs to make additional investments in wireless infrastructure.
The agency also needs to continue beefing up security to meet its goal of allowing anytime, anywhere networking. “There’s some additional security that needs to be done to support the full suite of bring-your-own-device use cases. We have some cases we can support today with some of the investments we’re making, but we can’t support the full suite of them without some additional research, development and investment,” Howerton says. “There will be additional cycles of innovation in 2014 and 2015 that will take us the rest of the way down the road map, but I think we’ll make progress in 2013 that will position us to make those subsequent investments.”
Furthermore, the agency faces some cultural challenges, especially because its culture is largely rooted in the 1950s-era Cold War. “It’s a cultural mindset of having grown up very compartmentalized—and for good reasons. But as the world has moved to a work from anywhere at any time capability, we’ve greatly lagged behind,” Howerton contends.
While Yourcloud is for unclassified data only, the NNSA is not entirely opposed to placing more sensitive data in the cloud, Howerton reveals. “The cloud for us, this iteration, is the unclassified cloud. There will be nothing related to classified data or nuclear weapons in this cloud computing infrastructure. We are doing some exploratory work on a classified NNSA Network Vision, but because of the nature of who we are and what we do, there’s not much I can say about that in a public forum,” he says.