Cloud computing: myth or reality?

 


Although it has its own challenges, cloud computing could be the only technology that can scale to meet the security threats of the future.

The threat to our nation’s computer networks is real, and growing every day. Yet the point-level solutions we have come to depend on, even when combined with the most sophisticated security systems, can no longer adequately protect critical government information.

Given the mounting costs of information technology, organizations cannot hope to use their organic IT capabilities to deliver the defense-in-depth strategies needed to protect our critical IT assets. Those capabilities simply don’t have the agility and scalability to respond to threats in a timely way. Although it has its own challenges, cloud computing could be the only technology that can scale to meet the security threats of the future.

To date, cloud computing has been offered as the solution to a wide variety of IT issues: reducing costs, improving efficiency and promoting collaboration. Yet acceptance of cloud computing, especially on the part of corporations and other large enterprises such as government agencies, has been slow in coming. Concerns remain about the technology’s reliability in a large-scale enterprise setting, the upper limits of its scalability and, most of all, its security in a large-scale setting.

The cloud offers the potential to provide a level of security sufficient for most situations in both government and corporate computing environments — though there will also be a number of key enterprise applications involving complex legacy interfaces that either may not be ready for the cloud, or simply don’t need to be moved there. Cloud computing is not an all-or-nothing proposition.

Cloud computing as defense-in-depth

Given the nature of the government’s computing environment, the business demands that are placed on that environment, and the government’s need for security, it is critical to see security as a multidimensional challenge that requires a holistic, defense-in-depth approach from a systemic perspective. It should not be simply a single-point solution that, once thwarted, leaves the business solution vulnerable.

Cloud computing possesses many features that argue for its use in this context. Its inherent architecture and its very power contain the source of the cloud’s strength as a secure environment.

The goal of defense-in-depth is to create a series of perimeters, each with its own authorization and authentication mechanisms that would keep people from gaining full access to the enterprise. The architecture would also allow the system to assess any threat to any parts of the environment, while at the same time working to move sensitive assets under attack to other areas.

Thus, it must include a Web tier, an application tier and a data tier, each of which might secure its assets differently. In its size and its dynamic nature, and the agility with which it can adapt to and control impending threats, the cloud offers just such an environment.

Structuring the cloud

The fact that the cloud’s structure is both logically centralized and physically distributed has the potential to give it a significant advantage in offering security. Just because storage architecture is centralized does not necessarily mean that it has a single point of entry. Since a cloud environment can be structured so that its stored data is logically, not physically, centralized, it can be designed with fewer points of entry.

Indeed, the cloud’s architecture is based on a multilayered service-oriented architecture, and its flexibility allows for its various components, including its communication, storage and application services, as well as the facilities housing it and the people using it, to be compartmentalized for maximum security. Those compartments can be designed right into the fabric of the business solutions that reside on top of the architecture, creating an inherently resilient overall structure.

Moreover, the cloud’s agile, flexible computing architecture is well-suited to a defense-in-depth approach to security. By allowing services and data stores to be dynamically redistributed when necessary, based upon perceived or real attacks, both data and services can be compartmentalized and segmented to protect them from the threat, and then the attack can be defended against by moving it elsewhere.

Similarly, data under attack can be quarantined, while the cloud’s multiprocessing power can scan for malware and viruses, thus minimizing the time required to cleanse the data and bring it back online elsewhere in the cloud. In that way, business systems can be secured simply by leveraging the agility of the cloud itself. Agility can also be used to thwart denial-of-service attacks by quickly and flexibly establishing new security perimeters around the sections being attacked, while adding duplicate service areas to support main-line business operations.

Commercially available technology

Many of the commercial products on which a cloud computing environment might run — the facilities, processors, message queues, networks and storage spaces — have been engineered to operate in isolation, with the goal of keeping separate friends and foes, who might be operating in the same environment as their own corporate computational grid.

By the same token, the cloud’s compartmented architecture allows for powerful identity management and engineered authority controls to be built in as a part of its foundational fabric, thus enabling a defense-in-depth approach to system delivery.

A cloud computing environment also has the capacity to alleviate what has become, especially since the attacks of Sept. 11, 2001, one of the government’s primary security concerns: continuity of operations, or COOP.

Stand-alone data centers are particularly vulnerable to a variety of attacks, not just in cyberspace but through power loss and bombs as well. Yet the cost of ensuring continuity of operations has been so high that all too often it gets minimal support and nominal funding, resulting in the implementation of the absolute minimum operational capabilities — at least until a catastrophic event occurs.

Since cloud computing already has virtualization and instantiation agility built into it, the foundation of its provisioning can quickly stand up while business continuity can be restored, regardless of changes to business needs or when under threat of an attack.

Security scenarios

Cloud computing has yet to meet every imaginable security concern, yet the combination of free-floating centralization, compartmentalization, agility and sheer power suggests a number of possible ways in which governmental computing environments might be made significantly more secure.

By exploiting the cloud’s ability to allow the rapid, flexible compartmentalization of data and services, a “demilitarized” computing environment could be created to segregate sensitive and less-sensitive data and processes. Not all services and data are at equal risk in business solutions. So protecting the core and ensuring the integrity of key business processes and data is possible with the agility and defense-in-depth elements which serve at the core of cloud computing.

A second possibility could involve the formation of a cloud environment that uses the cloud’s power and agility to intercept threats and thwart attacks by dynamically reallocating processors, storage and communication around the cloud.

The cloud’s power and ability to scale dynamically when called upon should allow for increased monitoring of potential threats and defense against them. Through such technologies as transaction replication and checksum validation, individual transactions and sets of batched transactions could be made significantly more secure.
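One way to picture the transaction replication and checksum validation mentioned above, as an added example that is not part of the original article: each replica holds a copy of a batch, a SHA-256 digest is computed per transaction and per batch, and a strict majority vote flags the copy that diverges. The function names, replica names and sample transactions are assumptions constructed for illustration.

```python
import hashlib
import json
from collections import Counter

def tx_digest(tx: dict) -> str:
    """SHA-256 over a canonical JSON encoding so key order cannot change the digest."""
    canonical = json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()

def batch_digest(batch: list) -> str:
    """Digest of the ordered per-transaction digests; reordering or dropping one changes it."""
    h = hashlib.sha256()
    for tx in batch:
        h.update(bytes.fromhex(tx_digest(tx)))
    return h.hexdigest()

def validate_replicas(replicas: dict) -> dict:
    """Compare batch digests across replicas; report copies that disagree with a strict majority."""
    digests = {name: batch_digest(batch) for name, batch in replicas.items()}
    winner, votes = Counter(digests.values()).most_common(1)[0]
    if votes * 2 <= len(replicas):
        # No strict majority: no copy can serve as the reference.
        return {"trusted": None, "suspect": sorted(replicas), "diffs": {}}
    reference = next(b for n, b in replicas.items() if digests[n] == winner)
    ref_tx = [tx_digest(tx) for tx in reference]
    suspect, diffs = [], {}
    for name, batch in sorted(replicas.items()):
        if digests[name] == winner:
            continue
        suspect.append(name)
        got = [tx_digest(tx) for tx in batch]
        # Positions where the copy differs from the reference, plus any length mismatch.
        bad = [i for i, (a, b) in enumerate(zip(ref_tx, got)) if a != b]
        bad += list(range(min(len(ref_tx), len(got)), max(len(ref_tx), len(got))))
        diffs[name] = bad
    return {"trusted": winner, "suspect": suspect, "diffs": diffs}

# Constructed sample data: three replicas of one batch, one altered in storage.
BATCH = [
    {"id": 1, "account": "A-100", "amount": "250.00"},
    {"id": 2, "account": "B-200", "amount": "75.10"},
    {"id": 3, "account": "C-300", "amount": "12.00"},
]
TAMPERED = [dict(tx) for tx in BATCH]
TAMPERED[1]["amount"] = "7500.10"
REPLICAS = {"zone-a": BATCH, "zone-b": [dict(tx) for tx in BATCH], "zone-c": TAMPERED}

if __name__ == "__main__":
    print(validate_replicas(REPLICAS))
```

An unkeyed digest only shows that copies diverge. Where the digests themselves cross an untrusted channel, a keyed MAC or a signature is needed so they cannot be recomputed after tampering.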

Finally, the dynamic computing power of the cloud could help in developing strong data encryption that would enable data owners to thwart access to data in virtual space rather than trying to protect it through physical barriers. Deeply encrypted data would have the further advantage of being protected, even if it had been physically lost or stolen.

Not every government agency could move its operational systems or data to the cloud. What works for the Transportation Department or the Environmental Protection Agency might not be suitable for the Defense Department, depending on the degree of sensitivity of their operations and data. Every agency would need to be evaluated on a case-by-case basis, as part of an institutional risk analysis that considers the nature of the assets to be secured, and the degree of security required.

Intelligent security

The advent of true utility computing, or on-demand computing, embodied in the currently popular phrase “cloud computing,” demands that we think not just about this technology’s vulnerabilities in the face of potential threats, but also its advantages for improving cybersecurity.

It is no longer a viable solution to consider locking up our technology behind ever-higher, more expensive walls, accessible only with ever-more cumbersome keys. Instead, the cloud demands a very different way of thinking about the meaning of security — not as a static wall but as a combination of zone defense and spread offense, dynamically responding to attacks and creatively generating new strategies to outwit the attackers, coupled with identity and authentication management. In short, the cloud can ultimately become an intelligent partner in our ongoing efforts to secure our most precious information.
