DARPA's New Mission: Cloud Security

Written by Kim Davis
1/14/2013

In the wake of reports that US bank websites were repeatedly hacked via cloud computing platforms, a key Department of Defense agency is taking an interest in cloud security.

DARPA (Defense Advanced Research Projects Agency) has taken on an impressive portfolio of tasks related to Internet security. It worked on the construction of a functioning simulacrum of the Internet, to serve as a cyber-range for military exercises. It also took partial ownership of the trusted identity problem, trying to develop behavioral footprinting as an alternative to passwords.

The agency has now bitten off a big new piece of the cyber-security puzzle with its new MRC program: Mission-oriented Resilient Clouds. The program is designed to dovetail with the Federal Cloud Computing Strategy put together by former government CIO Vivek Kundra.

As part of this strategy, we already have a cloud risk management program known as FedRAMP. Essentially, FedRAMP sets out a standardized security assessment program for cloud platforms and cloud service vendors. Whereas FedRAMP examines compliance with currently known best practices, MRC seeks to extend and strengthen cloud defenses.

Rejecting the concept of perimeter defense, MRC focuses on what it calls a "community health system" for clouds. In other words:

...Turning the cloud's connectivity from a vulnerability to a source of strength. The idea is that information about potential attacks is shared throughout the cloud, diverting resources around compromised nodes where possible, while mobilizing defensive systems to contain the damage.

The fear, of course, is that a weak link among multiple clients of a cloud can put all the cloud's users at risk. The challenge is that the implementation of what DARPA calls "shared situational awareness and dynamic trust models" runs against the intuitions of traditional cyber-security.

Instead of constructing a secure wall around the datacenter, the "neighborhood watch" approach asks clients to monitor the behavior of each other's applications, and to share defensive resources to respond to deviant situations. Responsive capabilities would be distributed throughout the cloud, not unlike an immune system, enabling parts of the system to continue working -- and conducting a defense -- despite other parts being contaminated.

Although these are early days for MRC, I think it's fair to see the program as a specific application of the distributed security model promulgated last year by the Department of Homeland Security.

If it makes sense to treat cyberspace generally as a unitary domain requiring automated collective action to maintain security, it's a no-brainer to see clouds as smaller ecosystems demanding similar treatment.

MRC will need to contend not only with the interoperability issue -- ensuring that neighboring nodes in a cloud platform actually can communicate and take collective action -- but also with the prevailing security ethos of maintaining firewalls against everyone, neighborly watchdogs and predatory wolves alike.

— Kim Davis, Community Editor, Internet Evolution

Kim Davis
Thinkernetter
Tuesday January 22, 2013 12:59:04 PM

I know it's not fashionable in all circles to say this, but I think there are some things the government should take ownership of: one of them is cyberdefense.  I'm no more comfortable leaving that to the private sector than leaving military defenses to private armies.

dcawrey
IQ Crew
Monday January 21, 2013 4:16:10 PM

Agreed - defensive computational technology is important. We cannot expect individual users to be able to comprehend the complexities that nation-states can thwart upon our systems. I applaud the efforts of DARPA to try to come up with new and innovative ideas. It all sounds so non-governmental, but then again the government is in fact where the internet came from in the first place.

mpouraryan
IQ Crew
Friday January 18, 2013 11:11:59 AM

What, from a strictly political & strategic standpoint, must be understood is that Iran is not Iraq or Afghanistan.     What they have done despite all the constraints upon them is quite amazing.    

Kim Davis
Thinkernetter
Friday January 18, 2013 10:54:48 AM

US military sources are saying that Iran strengthened its cyberwar capabilities of Stuxnet.  But of course, we need to take note of what the source for that is.

mpouraryan
IQ Crew
Wednesday January 16, 2013 5:02:46 PM

The new front in the War has arrived.  The US has been waging the war since 2005 primarily against Iran (despite denials).    Interesting that DARPA has been given the mission--there is no choice, is there?  The question is whether again we would be paranoid enough to start being disengaged?

 

Kim Davis
Thinkernetter
Wednesday January 16, 2013 4:29:43 PM

Play DVDs?  :)

mhhfive
IQ Crew
Tuesday January 15, 2013 5:09:36 PM

DARPA has hosted a bunch of really interesting challenges -- ranging from autonomous cars to real-time crowdsourced tracking.. so cloud security seems like an important enough topic that it shouldn't be left out.

Given the advances in nation-sponsored malware, creating more defensive computer technology seems only logical -- but it might not be possible AND useful at the same time. A computer not connected to the internet at all is pretty secure, but what can you do with that computer?

Kim Davis
Thinkernetter
Tuesday January 15, 2013 3:00:59 PM

DARPA certainly has a role to play here, although it will be good to see some actual concrete results from this, as well as from the DARPA project on trusted identities.

Kim Davis
Thinkernetter
Tuesday January 15, 2013 2:34:43 PM

I'm hearing versions of this distributed security idea in all kinds of contexts.  There must, though, be the fear of letting the bad guys in -- disguised as "neighborhood watch."

Alison Diana
Thinkernetter
Tuesday January 15, 2013 2:33:16 PM

I'm glad DARPA is taking such a proactive role in cloud security, something we definitely need. Although I don't usually advocate for more government, in this area I think our government has played far too passive a role. We've got some great private, third-party developers doing terrific work in this space, but because of the national security implications and the threat to commerce and so forth, it's vital that government gets more involved in ensuring cloud security. DARPA would seem a natural fit.
