How IARPA invents its way to security

Rather than trying to improve the security "of the cloud," the Intelligence Advanced Research Projects Agency wants to use the cloud to increase security.

According to IARPA Program Manager Kerry Long, security problems like spear phishing are not the result of "stupid" users, but rather a function of the design of the interface they're required to work with. IARPA's plan "to invent its way out of the security problems," he said, resulted in the virtuous user environment, or Virtue.

Speaking at the FCW "Security Innovation in the Cloud" workshop in February, Long described how the Virtue program has sought to redesign the traditional desktop interface so that when users accidently click on links in spear phishing emails, for example, they are not opening the enterprise to attack. By separating apps and functions into separate cloud containers, Virtue creates an environment based on user roles – email reader/respondent, web researcher, database contributor, for example.  That means an attacker who gets into a user's email only sees email and can't connect to the computer's other applications.

A user-friendly presentation interface hides the virtual environment in which apps/roles function in separate containers.

"Imagine five or six virtual machines, basically running in the cloud, all separate, doing these different roles, so they're isolated from each other. But your interface hides that from you," Long said. "When you're opening Word, you don't realize you're running it in Germany, on a container there," he said. "You're on the cloud, you don't care."

VirtUE code and documentation will be released as open source so researchers, industry and innovators can use it to build more secure cloud-based products and services.

For additional coverage of cloud computing, check out GCN's Cloud & Infrastructure portal.

About the Author

Connect with the GCN staff on Twitter @GCNtech.


  • automated processes (Nikolay Klimenko/Shutterstock.com)

    How the Army’s DORA bot cuts manual work for contracting professionals

    Thanks to robotic process automation, the time it takes Army contracting professionals to determine whether prospective vendors should receive a contract has been cut from an hour to just five minutes.

  • Russia prying into state, local networks

    A Russian state-sponsored advanced persistent threat actor targeting state, local, territorial and tribal government networks exfiltrated data from at least two victims.

Stay Connected