Cloud Computing Risks and National Security

Sponsored by Booz Allen Hamilton Risk Management TFG and Cisco Systems.

Related Publication:
Cloud Computing Risks and National Security: Keeping Pace with Expanding Technology
HSPI Issue Brief
by Frank Cilluffo, Ron Ritchey, and Timothy Tinker


Overview

On Wednesday, March 24, 2010, The George Washington University Homeland Security Policy Institute (HSPI) hosted a forum on Cloud Computing Risks & National Security, sponsored by Booz Allen Hamilton and Cisco Systems. The event featured Tim Grance, Program Manager of Cyber & Network Security Program, National Institute of Standards and Technology; Dan Kent, Federal Systems Engineering Director, Cisco Systems; Dr. Michael Nelson, Visiting Professor, Georgetown University; Nils Puhlmann, Co-founder and Board Member, Cloud Security Alliance; Dr. Ron Ritchey, Principal, Booz Allen Hamilton; and Henry Sienkiewicz, Technical Program Director of Computing Services, Defense Information Systems Agency (DISA). Frank Cilluffo, HSPI’s Director, moderated the session.

The event brought together key civilian and military stakeholders from across government, as well as thought leaders and private sector executives. In basic terms, cloud computing is a fundamentally new approach that allows Internet users (including companies and individuals) to tap almost instantly all the data, software, storage, and computing power the user needs. Ron Ritchey, however, cautioned that cloud computing is “not particularly well-defined.” He went on to identify a number of security issues associated with cloud computing: data security—in terms of the physical location of the infrastructure where the data is housed, as well as who owns it; compliance—meaning who is responsible for adhering to specified standards; multitenancy—that is, the ramifications of competitors working side-by-side in the cloud; and governance—who sets standards and establishes consistency.

Tim Grance moved the focus of the discussion to opportunities created by cloud computing. He noted cost reductions, scalability of operations, agility, and the ability to innovate quickly as some of the benefits available to those who understand and harness the power of cloud computing.

Henry Sienkiewicz of DISA added that one way the military is innovating is by engaging young service personnel to figure out how best to use social media to support the warfighters’ needs, which is his organization’s bottom line. Nils Puhlmann echoed this comment from a private sector point of view, observing that new hire employees provide guidance to their companies about how to operate more efficiently using new technologies—as opposed to the old model where companies dictated how employees should accomplish certain tasks.

Michael Nelson stressed the need to engage and inform the public. The task before government and industry, he said, is “to convince people that this fundamentally new approach is at least as secure as what is being used today.” He outlined several future challenges, including the need for agreement on standards; getting users to adhere to standards; and ensuring cooperation between and among people and companies.

Recognizing these challenges, Dan Kent argued that getting to cloud computing “does not have to be a light-switch move; it can be an evolutionary process.” For example, agencies and corporations can first develop an internal process to work out operations safely and build comfort and experience. When they are ready, they can expand externally.

Puhlmann argued that cloud computing can actually enhance security. For example, cloud computing can make attacks more difficult by removing the “notion of a static target.” There exists the potential to constantly move data so that an attacker does not know where the target resides. However, such a technique could be used by those with malign intent as well. Puhlmann also observed that the security principles of cloud computing are quite similar to those with earlier technologies, but the culture underlying cloud computing is what makes it novel.

All panelists addressed the issue of leadership in the cloud computing domain, though some disagreement existed. Several noted that government—the Department of Defense in particular—will undoubtedly play a large role in driving the technology. Kent countered, suggesting instead that the market will play a significant role, largely because market forces can move more quickly than government. Puhlmann proposed that the user, the end customer, will lead by placing demands that will shape the trajectory of market forces and the government.

Cilluffo concluded the discussion, emphasizing the overarching theme that “cloud computing can seem like a purely technical issue, but it soon becomes clear that there are national security issues here that should not be treated as afterthoughts, but rather, ought to be baked in at the front end.”

Featured Speakers:

Tim Grance, Program Manager of Cyber & Network Security Program, National Institute of Standards and Technology | Event Slides Available Soon

Dan Kent, Federal Systems Engineering Director, Cisco Systems | View Event Slides

Dr. Michael Nelson, Visiting Professor, Georgetown University

Nils Puhlmann, Co-founder and Board Member, Cloud Security Alliance

Dr. Ron Ritchey, Principal, Booz Allen Hamilton

Henry Sienkiewicz, Technical Program Director of Computing Services, Defense Information Systems Agency | View Event Slides


Speaker Biographies

Tim Grance, Program Manager of Cyber & Network Security Program, National Institute of Standards and Technology

Tim Grance is a senior computer scientist in the Information Technology Laboratory at the National Institute of Standards and Technology in Gaithersburg, MD. He is the Program Manager for Cyber and Network Security (CNS) Program and exercises broad technical and programmatic oversight over the NIST CNS portfolio. This portfolio includes high profile projects such as the NIST Hash Competition, Cloud Computing, Security Content Automation Protocol (SCAP), Protocol Security (DNS, BGP, IPv6), Combinatorial Testing, and the National Vulnerability Database. He has extensive public and private experience in accounting, law enforcement, and computer security. He has written on diverse topics including incident handling, intrusion detection, privacy, metrics, contingency planning, forensics, and identity management. He was named in 2003 to the Fed 100 by Federal Computer Week as one of the most influential people in Information Technology for the US Government. He is also is a recipient of the US Department of Commerce’s highest award—a Gold Medal, from the Secretary of Commerce.

Dan Kent, Federal Systems Engineering Director, Cisco Systems

Dan is the Director of Systems Engineering for Cisco Systems’ Federal Organization. He leads a team of engineers supporting the Dept of Defense, Civilian Agencies, and the Intelligence Community which focus on the design and deployment of integrated, enterprise communication platforms and network solutions. Mr. Kent’s primary role in this position is to support Federal customers by matching their mission and agency needs to scaleable, secure solutions. Mr. Kent is also responsible for ensuring government unique requirements are understood and met within Cisco product lines. He brings the market leading experience and technology strategies of Cisco System’s to the technology requirements of the Federal customers.

Mr. Kent has worked in the communications field of the Federal market over 20 years. This allows him to utilize his experience to share best business practices for the Federal marketplace. Mr. Kent’s prior positions include ten years at Nortel Networks as the Director of Federal Engineering and as a senior consulting engineer for Network Solutions, Inc., where he supported several government agencies. In these roles, Mr. Kent participated in the complete life cycle of communications systems. He is very knowledgeable on various Federal Certification requirements including JITC, TIC, FISMA, FIPS and Common Criteria while having a proven track record ensuring Commercial products meet these requirements.

Dr. Michael Nelson, Visiting Professor, Georgetown University

Michael Nelson is currently Visiting Professor of Internet Studies in Georgetown University's Communication, Culture, and Technology Program. Since January, he has been doing research and teaching courses on "The Future of the Internet" and Internet governance as well as consulting and speaking on Internet technology and policy.


Prior to joining the Georgetown faculty, Nelson was Director of Internet Technology and Strategy at IBM, where he managed a team helping define and implement IBM's Next Generation Internet strategy. His group worked with university researchers on NGi technology, shaped standards for the NGi, and communicated IBM's vision of NGi and the future of computing to customers, policy makers, the press, and the general public. He worked closely with governments around the world on next generation Internet technologies and applications.


In 2003 Nelson was selected as the Internet Society's Vice President for Public Policy. In that role, he attended the UN's World Summit on the Information Society in Geneva in 2003 and has been very involved in the second phase of WSIS in Tunis in November, 2005, and the recently-completed Internet Governance Forum. He is serving on the Applications, Middleware, and Services Advisory Council of the Internet2 university consortium. In February, 2008, he became the chairman of the Information, Computing, and Communications Section of the American Association for the Advancement of Science (AAAS).


Prior to joining IBM in July, 1998, Nelson was Director for Technology Policy at the Federal Communications Commission. There he helped craft policies to foster electronic commerce, spur development and deployment of new technologies, and improve the reliability and security of the nation's telecommunications networks.
Before joining the FCC in January, 1997, Nelson was Special Assistant for Information Technology at the White House Office of Science and Technology Policy where he worked with Vice President Al Gore on telecommunications policy, information technology, encryption and online privacy, electronic commerce, and information policy.


Nelson has a B.S. in geology from Caltech and a Ph.D. in geophysics from MIT.

Nils Puhlmann, Co-founder and Board Member, Cloud Security Alliance

Nils Puhlmann is the Chief Security Officer for Zynga Game Network, the largest social game provider. At Zynga, Puhlmann is leading a converged security department managing all security risks for the company and chairing the Security Risk Committee.


Puhlmann is also the Co-Founder and a member of the Board of the Cloud Security Alliance, a community of over 6,000 security professionals with the goal to promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.

As Chief Security Officer of Qualys, Puhlmann was responsible for security, risk management and business continuity planning for Qualys. His responsibilities included the security of the cloud-based QualysGuard SaaS platform. He also led the Qualys CSO Advisory Board and evangelized at various international industry events in areas of security management and cloud security.

Prior to Qualys, Puhlmann was the CISO for Electronic Arts, with global responsibility for information security, intellectual property protection, risk management, compliance, physical security, forensics & investigations and business continuity management/disaster recovery. He was also previously the CISO at Robert Half International, where he had global responsibility for managing information security, risk management, privacy, forensics & investigations, CERT and business continuity management enterprise wide.

Puhlmann also was previously Director Global IT & Security and Chief Privacy Officer at Mindjet Corp, where he was responsible for managing Mindjet’s global information security, physical security and privacy programs. He was Senior Manager Product Security at Adobe Systems, responsible for creating and managing Adobe’s product vulnerability program, overseeing security assessments of Adobe applications, driving product security certifications and promoting secure development practices. He created Adobe’s product security incident response team, chaired Adobe’s Security Task Force and managed Adobe’s first Common Criteria Certification.

Puhlmann held senior positions at Nortel Networks and START Amadeus, and was an independent security consultant with clients such as the State of California. He maintains numerous security certifications, including CISSP-ISSMP and CISM. He has held several Board of Directors positions (ISACA Silicon Valley, OVAL), is a member of the CSO Interchange, the CISO Executive Council and a subject matter expert for ISACA and ISC2. He is also a member of the Advisory Council for the CISO Forum of ISSA.

Dr. Ron Ritchey, Principal, Booz Allen Hamilton

Dr. Ritchey is a leading technologist specializing in information assurance (IA) with over 20 years experience working within the IT industry. He is an active researcher in the IA field and is widely published on network security topics including co-authoring recent books on Software Assurance and Insider Threat. He has authored courses on computer security that have been taught across the country and is a faculty member of the SANS Institute, the Institute for Applied Network Security, and George Mason University. Dr. Ritchey holds masters and bachelors degrees in computer science from GMU and a Ph.D. in Information Technology from their School of Information Technology and Engineering. At Booz Allen, he leads a team dedicated to the development and maintenance of state-of-the-art information assurance capabilities. His focus is on the identification and elimination of the root causes of information assurance weaknesses.

Henry Sienkiewicz, Technical Program Director of Computing Services, Defense Information Systems Agency

Henry J. Sienkiewicz is the Technical Program Director, Computing Services Directorate, Defense Information Systems Agency.

Upon graduating from Notre Dame, Sienkiewicz was commissioned an infantry second lieutenant in the United States Army. He served 11 years of active service. In 1996, he left active duty and joined OAO Corporation, Greenbelt, Maryland, as its Director for Corporate Information Services. He focused on corporate metrics, technology standardization and business development. Mr. Sienkiewicz was one of the architects of the winning outsourcing proposal for NASA’s Jet Propulsion Laboratory’s DNS contract.


In 1998, Mr. Sienkiewicz joined User Technology Associates, Arlington, Virginia, as its Director, Corporate Information. He focused on corporate metrics and developing a commercial outsourcing business unit. In 1999, he left government contracting to enter the travel industry as the Vice-president for Computing Service for the Airline Tariff Publishing Company (ATPCO), Dulles, Virginia. At ATPCO, he was directly responsible for the daily distribution of over 97% of the pricing information for the global airline carrier community. During this period he remained a member of the United States Army Reserve.

In 2004, he was mobilized and returned to active duty. Mr. Sienkiewicz retired from the United States Army Reserve in July 2008, with the rank of lieutenant colonel.


In 2005, Mr. Sienkiewicz left ATPCO to start and run Open Travel Software, an open source, open standards software company. He had been the company’s Chief Executive Officer until assuming his current position.

Open Travel Software provides web-based enterprise resource planning solutions for small and medium hotels and car rental agencies throughout the world The company has won multiple awards for innovation within the travel industry. As of April 2008, the company has delivered over 2500 instances of its applications, in 14 languages, to every region of the world. Mr. Sienkiewicz actively supported open standards for the travel industry as a member of the Open Travel Alliance’s architecture committee. The Open Travel Alliance is the standards body for the travel industry. He is a founding member of George Washington University’s technology transfer council and had been Entrepreneur-in-Residence for the University. In 2006, he completed and published his first book, Centerlined.


Mr. Sienkiewicz retains professional memberships in numerous organizations to include the National Association of Corporate Directors, AFCEA, and MindShareDC. He currently resides in Alexandria, Virginia.

Resources

Visit HSPI's Hot Topic--Cyber webpage. HSPI also recommends the following sources for additional information:

"Reading Assignments" given by Michael Nelson and Tim Grance at the event:

(2008) Let IT Rise. The Economist (subscriber/registration only. Available here from a third party)

Carr, Nicolas. (2008) The Big Switch. W.W.Norton

Christensen, Clayton. (2003) The Innovator's Dilemma. HarperCollins

Various OECD papers on Cloud Computing. Organization for Economic Cooperation & Development

Introduction to Cloud Computing:

Geelan, Jeremy. (2009) Twenty-One Experts Define Cloud Computing. Cloud Computing Journal

Cheng, Roger. (2010) Cloud Computing: What Exactly is it Anyway? Wall Street Journal

Federal Cloud Computing Services. US General Services Administration

Hanna, Steve. (2009) Cloud Computing: Finding the Silver Lining Juniper Networks

Gardner, Dana. (2010) Executives Experimenting With Mostly 'Private' Cloud Architectures Cloud Computing Journal

Technical Cloud Computing Reports:

(2009) Private Cloud Computing for Enterprises: Meet the Demands of High Utilization and Rapid Change. Cisco Systems

Rayport, Jeffrey F. (2009) Envisioning the Cloud: The Next Computing Paradigm. Marketspace

Grance, Tim. Mell, Peter. (2009) Effectively and Securely Using the Cloud Computing Paradigm. National Institute of Standards and Technology

Security and Cloud Computing:

(2009) Security and Cloud Computing. Booz Allen Hamilton

(2009) Cisco 2009 Midyear Security Report. Cisco Systems

(2009) ENISA Clears the Fog on Cloud Computing Security. European Network and Information Security Agency


Hanna, Steve. (2009) A Security Analysis of Cloud Computing. Web Security Journal

(2009) Security Guidance for Critical Areas of Focus in Cloud Computing. Cloud Security Alliance

Brodkin, Jon. (2008) Gartner: Seven Cloud Computing Risks InfoWorld

Binning, David. (2008) Top Five Cloud Computing Security Issues. Computer Weekly

(2009) Security Issues Hobble Cloud Computing. Homeland Security Newswire

(2009) Building Customer Trust in Cloud Computing With Transparent Security Sun Microsystems

Cloud Computing in the Government Sector

(2009) The Government's Effective Migration to a Cloud Computing Environment. Booz Allen Hamilton

Arthur, Charles. (2010) Government to Set up Own Cloud Computing System. The Guardian

(2009) Cloud Computing in Government. IBM Center for the Business of Government

Foley, John. (2010) Air Force Seeks Secure Cloud Computing. Information Week

Claburn, Thomas. (2009) Google Plans Private Government Cloud. Information Week

(2009) Industry Perspectives of Federal Cloud Computing at FOSE. Booz Allen Hamilton

Beizer, Doug. (2010) Cloud Computing success depends on knowing what to ask. Federal Computer Week

Calabresi, Massimo. (2009) Wikipedia for Spies: The CIA Discovers Web 2.0. Time Magazine

Hoover, J. Nicholas. (2009) Department of Defense Pursues Private Cloud. Information Week

Roth, Bill. (2009) CIA Falls for Cloud Computing in a Big Way. Web Security Journal

About HSPI's Policy & Research Forum Series

HSPI's Policy & Research Forum Series spotlights cutting-edge security policy solutions and innovative research. The Series is designed to provide thought leaders in the United States and abroad with a uniquely constructive venue in which to discuss current and future security issues and challenges.