Government agencies understand that the success of future missions increasingly depends upon their ability to effectively share and utilize data as an enterprise asset, deploy digital services, and pool IT resources for greater efficiency. Consequently, many agencies are adopting an open hybrid cloud approach to modernization in order to enable the integration and sharing of multiple IT infrastructures.
Some fear that integrating multiple IT infrastructures and sharing data and applications across agencies could weaken security. However, agencies are finding that cloud environments, if they are properly managed, integrated, and designed, can be equally or more secure than traditional on-premise environments. Jennifer Kron, deputy CIO for the Intelligence Community (IC) at the Office of the Director of National Intelligence (ODNI), said this is demonstrated by the IC’s cloud modernization initiative, called the Intelligence Community Information Technology Environment (ICITE). “The cloud can be an enabler of security,” she told a recent Red Hat webinar.
During the webinar, titled “Securing Intelligence in an Open Hybrid Cloud,” Kron and Shawn Wells, Chief Security Strategist for Red Hat Public Sector and a former NSA developer, explained that only a multifaceted approach to cloud security can achieve successful outcomes. For the 17 agencies that comprise the IC, the stakes could not be higher. Cloud security, Kron said, is “the keystone of our IT modernization efforts, and it’s how the IC is going to be able to function as truly one community.”
APPROACHES TO SECURITY WITH OPEN HYBRID CLOUD
In the webinar, Kron and Wells explained several effective approaches that government agencies are adopting to ensure their cloud initiatives are highly secure even as they enable greater data sharing and collaboration across agencies.
1. EXPAND THE DEFINITION OF SECURITY BEYOND COMPLIANCE TO INCLUDE TRUST
For national security agencies, security is typically defined in terms of compliance with policies, protocols, and guidelines and is demonstrated by metrics, procedures, and forms. But as agencies strive to share more data, applications, and technical services with each other via cloud service delivery models, there is an emerging concept of cybersecurity that is based not on compliance, but on trust.
As Kron explained, “Different IC elements have different tolerances for risk concerning particular missions, actors, and data. If they don’t trust the security, they won’t adopt cloud services — it won’t matter how safe they are. If we cannot demonstrate trust and transparency, we won’t achieve adoption.” Data stewards and IT service providers must trust the security of the cloud-based environments they are adopting.
Intelligence agencies are building trust by applying a set of core requirements to ensure that security controls are implemented in a standard, consistent way. Kron said this should help assure ICITE customers that the highly sensitive data they are entrusting to the cloud “is protected at a level that is consistent with their own appetite for accepting risk.”
Effective policy and transparency are also critical ingredients for building trust, Kron added. The Office of the Director for National Intelligence’s Office of the Chief Information Officer is conducting a comprehensive policy refresh to include ICITE cloud and service providers. To improve transparency and balanced decision-making, ICITE leaders have assembled IC-wide governance forums to address the technical, security, and business aspects of ICITE. For example, each agency across the IC, including at the ODNI, has appointed a chief data officer (CDO) who will work with security professionals to fashion data-centered policies and initiatives.
2. SHIFT FROM A NETWORK-CENTRIC SECURITY APPROACH TO A DATA-CENTRIC APPROACH
Data security for many agencies is analogous to a “castle and moat” system. If you are in the right agency or office, you can see the data — if not, you can’t. But agencies, including within the IC, increasingly are migrating to systems that are more data-centric, where information can be seen by anyone who has a need to know and the proper clearances, regardless of which agency they work for or where they are located. ICITE planners are designing the system to automatically know what an individual user should know and then connect that user to the pertinent data. This is accomplished through extensive use of tags that control how individual pieces of data are stored, moved, and accessed. Applying clearly articulated and consistent access control policies to check user activity attributes against data labeling tags provides for precise user authorization. The result is that access to data is based upon data type and sensitivity, not on the network on which the data lives. “A phrase that we use often is ‘tag the people, tag the data,’” Kron said. “The matching between these two provides a much more precise level of access control than we have had before.”
Another model for enabling precision access to data is the OpenSCAP project, a collaborative Linux®-based platform developed by numerous civilian, intelligence, and defense agencies in partnership with Red Hat and other companies. The OpenSCAP platform automatically applies practical security guidance, baselines, and associated validation mechanisms using Secure Content Automation Protocol (SCAP) to validate and revalidate applications and images, creating a trusted registry of operating systems, applications, and structured data that may reside across multiple hybrid clouds. The platform enables secure queries from multiple data sources and formats — including Oracle MySQL, Hadoop, Splunk, and Elasticsearch — across multiple IT infrastructures. With OpenSCAP, access controls can be applied to ensure that people with particular clearances can access only appropriate subsets of data.
3. DEVELOP AND AUTOMATE MINIMUM STANDARD SECURITY REQUIREMENTS AND BASELINES
When multiple agencies or IT infrastructures are sharing data, they also share cybersecurity risks. A risk to one is a risk to all, and the federated enterprise becomes only as strong as its weakest link. So minimum security control standards and baselines are critical to providing a strong security foundation.
Across the IC, this approach translates to the core concept of “Do in common what is commonly done.” Kron explains: “If we all have an apps mall, we should do that in common. If we all have a desktop, we should do that in common.” This approach means that specific agencies are responsible for delivering certain common services to all members of the IC via the ICITE architecture. For example, the Defense Intelligence Agency and the National Geospatial-Intelligence Agency are responsible for providing a common desktop environment throughout the IC. The National Security Agency and Central Intelligence Agency are responsible for providing identity authentication and authorization management services. Also, those agencies are required to meet a minimum stan- dard set of security requirements affecting those services across the IC. “This approach enables our agencies to fully understand a standard implementation across the ICITE service providers, which facilitates authorization reciprocity,” Kron said.
The OpenSCAP model is another approach to applying standard baselines automatically to all services and data within an open hybrid cloud architecture. OpenSCAP delivers standardized inputs, such as compliance, baseline, and status information. It also provides standardized outputs, such as compliance reports that are mapped back to specific security tests and formalized policies, like NIST 800-53 controls or the Defense Information Systems Agency (DISA) Operating System Security Requirements Guide (OS SRG). “And through that, we have templates to do automated security paperwork,” Wells said.
4. INCREASE THE RIGOR OF THE SECURITY AUTHORIZATION PROCESS TO PROMOTE TRUST AND RECIPROCITY
Traditional security focuses on compliance. But, as Kron noted, “Security as an enabler of adoption is a powerful tool and allows us to see security in a different light.” For the IC, that means adding extra emphasis on the security authorization process for cloud-based services. As with all IT systems used by the government, ICITE services must be authorized to operate under a Risk Management Framework approach. Each agency conducts security assessments and grants authorizations to operate (ATOs) for the services they provide. Those ATOs are then accepted throughout the IC, providing the fullest extent of reciprocity.
ODNI then aggregates those ATOs for each individual service into an overall enterprise risk assessment and ATO. The purpose is to identify key risks that may be introduced when these numerous services are integrated. In conducting this enterprise-level assessment and ATO, ODNI is examining not just the security controls in effect but the applications of those controls in the operational environment. It does this by conducting a variety of use case exercises with a focus on five highrisk areas: identity and risk management; data protection; audit collection and reporting; incident response; and contingency management.
To cut spending and achieve better outcomes, government agencies with common missions and applications are increasingly pooling their data and IT resources to promote greater collaboration. To accomplish this, many departments are relying on cloud architectures that integrate on-premise datacenters with private or public cloud infrastructures with varying degrees of classification. In some cases, this may mean an open hybrid cloud that connects to a public cloud, while in others — such as with the IC — it consists of a private community cloud that operates at a high security classification level.
This leaves agencies challenged with the dual tasks of architecting effective ways to share data and applications securely and precisely across multiple IT infrastructures while also bolstering security.
These four approaches — developing trust through security; installing precise access controls to embed security at the data level; applying minimum security standards across the enterprise automatically and consistently; and employing rigorous IT assessment and authorization processes — will help agencies address these challenges.