Is it easier to secure the cloud?

On 7 Nov 2011, senior Defense Department officials and IT industry experts met in Arlington, VA to discuss how to better protect military and commercial cyberspace. At that time, the director of DARPA said that 2004 was the first year that proceeds from cyber crime activities were greater than those from illegal drug sales.

Army Gen. Keith Alexander, commander of U.S. Cyber Command and director of the National Security Agency said that the Defense Department is looking at cloud computing platforms. In cloud computing, remote servers are used to store data. “It’s easier to secure the cloud and it’s cheaper,” Gen. Alexander said, noting potential savings of 30%.

On the wisdom of a DoD transition to the cloud

The article said, “Another change that would upgrade the military’s cyber defense and save money is adopting cloud computing platforms. It’s easier to secure the cloud…”

Please be careful about reliance on cloud computing! The cloud is cheaper. That’s great. There are probably other benefits, for example, better performance and improved access in the field. The field could be any remote location, say, Antarctica, or underwater, not just the battlefield! But there’s nothing as safe and secure as a server and processor accessed over dedicated lines, no internet connectivity, with people on location controlling physical access 24/7, and all of it ring-fenced by, well, fences! The Centers for Disease Control and Hoover Dam operate under that paradigm or similar, as stated on each entity’s public-facing website. Shouldn’t the NSA, CIA and DOD too? If you transition to cloud computing, test it thoroughly. Thank you for allowing me to share my concerns and opinions.
— Ellie Kesselman, Arizona, U.S.A. 11/8/2011 5:48:26 AM


My hesitancy about the wisdom of relying on vendor cloud computing has increased since then. I am not certain that it is easier to secure the cloud. I fear that reliance on contractors, facilitated by FedRAMP, is likely to cost us dearly in the long run.

The Federal Risk and Authorization Management Program (FedRAMP) is a cost-cutting initiative to dispense with case-by-case security checks of vendor services. Instead, the services need only clear FedRAMP’s boilerplate security audit. For example, CGI Federal is, or was, a FedRAMP provider. CGI is the Canadian IT services provider that was awarded the contract for developing and operating Healthcare.gov. After the disastrous debut of the website last year, the contract was reassigned to Accenture in January 2014.

Amazon.com and FedRAMP

Amazon is increasingly dominant in IaaS (infrastructure as a service) and SaaS (software as a service, e.g. for email) through its Amazon Web Services (AWS) cloud computing subsidiary. Amazon went through an agency ATO (authority to operate) process using the FedRAMP guidelines in May 2013. This means that AWS is considered to be a secure cloud service provider meeting FedRAMP requirements at the “moderate impact level”.

Amazon is notorious for poor labor practices, and its failure to ever book a profit, 17 years after the company’s initial public offering. AWS is a commodity web services provider, and its parent company, Amazon.com, is a mass-merchandising retailer with a history of non-competitive practices, specifically, price discrimination. The AWS public cloud is infested with malware, fostering crime-as-a-service. Amazon’s majority shareholder and founder, Jeff Bezos, is now the sole owner of The Washington Post. I do not believe that Amazon is the correct choice for the DoD, certainly not as part of an effective response to the “intense challenge of cyber security”.