Shifting to the Cloud: A Security Benefit for the Department of Defense
The modern data center is evolving like few ever thought possible, and this progression is in play across the public and private sector for good reason. Cloud migration delivers tangible benefits, ranging from reduced operational costs, lower head counts, and improved security posture, just to name a few.
While the thought of the U.S. Department of Defense utilizing cloud computing might seem like a foreign concept to some, this attitude is evolving as well. When I served as the Chief of Operations for the Joint Task Force Global Network Operation, a precursor to Cyber Command, and at Army Cyber Command respectively, moving data to the cloud was met with apprehension at the very least.
Opinions, however, have shifted. This comes after considering the advantages that the cloud can offer by creating a defendable terrain to thwart a seemingly overwhelming enemy. The ability to narrow an attack surface to protect an enterprise’s most important assets is a significant advantage the cloud provides. It can no longer be ignored.
When discussing the “cloud” at the beginning of this decade, most people assumed reference to the public cloud offerings that were taking off at that time, and security was a big problem. In fact, the Pentagon had to block access to many of those cloud environments because nation-state threat actors were using them for attack infrastructure.
Much like ARPANet, the first digital network created by the Pentagon in the late 1960’s and 70’s, the early public cloud offerings provided little to no security tools – a repetition of mistakes. There were very few vendors whose intrusion protection systems and/or firewalls could be virtualized because selling big appliances were big money for those vendors. Therefore, they had little incentive to get into the cloud business. However, we should have looked past the cloud security challenges then and instead try to think about where we were going to be rather than where we were.
Ultimately, 90 percent of the cyber security challenges – not only faced by the Pentagon, but by all large and small enterprises – extend from the fact that they are trying to secure a legacy architecture that was not designed to be defended.
For historical comparison, Leonidas’ 300 could have never repelled hundreds of thousands of attackers for seven days had he not chosen a chokepoint in a mountain pass surrounded by high cliffs, where his much smaller, yet highly-trained, force could hold steady. The modern-day cloud has the same advantages for those in the cyber fight today.
First, a true defense-in-depth architecture is achievable in the cloud today, because all of the major security vendors have realized they will be left behind if they don’t have a virtualized, cloud-ready security offering. This brings parity with the security models for the cloud that have always been available for legacy networks. In the cloud, however, we can go further with that strategy. Where the legacy network defense-in-depth model normally breaks down is in the internal security monitoring between servers and users. Physical devices and architecture are replaced with software for these internal connections, which are much easier to manage and monitor for malicious activity inside the network.
Since these network controls are orchestrated at the cloud hypervisor level, the threat actor has no ability “see” these controls when they compromise a Virtual Machine server, and it basically stops them in their tracks when they try to move laterally or escalate privileges. In a legacy network, segmentation is normally managed with access control lists on routers and switches. This is a manpower intensive model that in many cases leads to human error and/or lack of configuration control, thus opening up holes in the network. Additionally, as you may have noticed with the recent leaks of nation-state actor hacking tools, many of them were exploits for these kinds of networking devices.
The second major security advantage to moving to the cloud is the agility you gain during the containment, eradication, and recovery phase of an incident response. In my active military days, if someone had told me we had a datacenter with over a hundred compromised servers, I probably would have fallen to my knees and broken down. This would have taken months to properly contain the threat, individually reimage each bare metal server with a new image, all the while trying to ensure the threat did not persist in the environment.
While the threat actor has many advantages in attacking the defender, the one variable they need is time to progress through the kill chain. Taking months to remediate a compromised environment allows them to move effortlessly around the datacenter as you try to clean up the mess. Today, with its modern tools and processes, most virtualized cloud environments, large and small, can be torn down and replaced with a “clean” environment within minutes.
This also helps with another huge legacy datacenter challenge – keeping systems patched for vulnerabilities. Most organizations who are cloud-savvy today, don’t patch their production environments. Using the same DevOps processes and tools, they deploy clean, patched images of their servers in minutes with little to no operational impact. What is the one variable that impacts the cyber threat the most? Time. If you can limit a threat actor’s dwell time in your datacenter, you significantly drive down the likelihood that they can achieve their objectives.
Department of Defense’s Move to the Cloud
Sounds like a no-brainer. There are a slew of civilian companies “draining” the datacenter and moving to the cloud. However, the Pentagon, like most large enterprises, has the challenge of legacy applications that have been operational for 20 or more years, some potentially still operating on mainframes and/or outdated operating systems. In January 2015, Defense Department CIO Terry Halverson highlighted some of the same advantages of the cloud. He estimated it would be another ten years before the Pentagon could have a significant advantage in the cloud – a less than optimistic assessment. There has always been a “server hugger” culture in the Pentagon, but this project should proceed with ruthless governance that forces it to prepare for a cloud migration.
The future of the Pentagon’s cloud strategy will be a hybrid cloud approach. More important data and applications that work with “For Official Use Only” data will probably be hosted in a multi-tenant private cloud provided by the Defense Information Systems Agency (DISA). Furthermore, as DISA will not be able to keep up with the capacity demand, we will see DISA utilized as the contracting arm for public cloud use for the Pentagon’s unclassified applications and data. Many major vendors already have government clients on their “Gov Cloud” infrastructure that helps these government agencies by providing the required security capabilities to achieve FedRAMP certification.
Ultimately, the Department of Defense should aggressively begin mandating that all new applications be “cloud ready” and start draining the legacy datacenters faster than within the next ten years so they can take advantage today of the favorable cyber terrain that the cloud provides.