As DOD begins sending its most sensitive information into the cloud, the Defense Advanced Research Projects Agency (DARPA) is developing a new generation of resilient cloud services that are designed to maintain and support military objectives during a cyber attack.
According to DARPA, a traditional perimeter-defense focus cannot sufficiently secure existing network enclaves. The approach is even less likely to provide reliable security in cloud environments, where a massive concentration of homogeneous hosts on high-speed networks lacks internal checks and relies on implicit trust among hosts within limited perimeter defenses.
DARPA's Mission-oriented Resilient Clouds (MRC) program aims to bolster cloud security by developing technologies that would detect, diagnose and respond to attacks on cloud services and infrastructures, effectively building a "community health system." DARPA researchers are also working on technologies that would enable cloud applications and infrastructures to continue functioning while under attack.
In effect, the idea is to enable a cloud-based architecture that provides fault tolerance and mission assurance for widely distributed multi-host systems. The model is the business-critical online transaction processing system, which ties together a fabric of varied network nodes into a host architecture that can survive any individual component failure or any predicted class of attack.
The MRC program's most important aspect is its focus on preserving access to mission critical resources, said Geoff Webb, director of solution strategy at NetIQ, a Houston-based user access and security systems vendor. "While cloud computing generally offers a much higher degree of availability due to the inherently distributed nature of clouds, there is a very real threat that monoculture in the cloud might result in a targeted attack against a specific type of host infecting all of the connected systems in a cloud, which could put a mission at risk," he said. Webb noted that the MRC initiative addresses this issue by "introducing manageable diversity and dynamic trust models that could potentially identify and stop an attack or failure before it affects the entire cloud."
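The monoculture risk Webb describes, and the two countermeasures he names (diversity and dynamic trust), can be made concrete with a small simulation. The following toy model is an added example and is not DARPA's or NetIQ's code; it assumes a single exploit that works only against one platform build, that each lateral-movement attempt from a host is an observable anomaly that lowers the trust its peers place in it, and that once a host falls below the trust threshold the fleet raises a shared alert that blocks further spread (a simplification of the "community health system" idea). Platform names, fleet size and the decay and threshold values are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Host:
    name: str
    platform: str            # OS/stack build; the modelled exploit works on exactly one
    trust: float = 1.0       # dynamic trust score peers hold for this host
    compromised: bool = False


def build_fleet(n, platforms):
    """Constructed fleet: hosts assigned round-robin across the given platform builds."""
    return [Host(f"h{i}", platforms[i % len(platforms)]) for i in range(n)]


def simulate(fleet, target_platform, trust_threshold=None, trust_decay=0.2):
    """Return how many hosts end up compromised.

    The attack enters at the first host running target_platform and then tries
    to move laterally to every peer. Without a trust model (trust_threshold=None)
    the only limit on spread is platform diversity: every reachable host on the
    targeted build falls. With a trust model, each attempt costs the attacking
    host trust_decay; when it drops below trust_threshold it is quarantined and
    a fleet-wide alert stops all further lateral movement (assumed behaviour).
    """
    hosts = [Host(h.name, h.platform) for h in fleet]   # fresh copy per run
    entry = next((h for h in hosts if h.platform == target_platform), None)
    if entry is None:
        return 0                                        # no vulnerable build present
    entry.compromised = True
    alert_raised = False
    frontier = [entry]
    while frontier and not alert_raised:
        next_frontier = []
        for attacker in frontier:
            for peer in hosts:
                if peer is attacker or peer.compromised:
                    continue
                if trust_threshold is not None:
                    if attacker.trust < trust_threshold:
                        alert_raised = True             # quarantine + shared indicator
                        break
                    attacker.trust -= trust_decay       # every attempt is an observed anomaly
                if peer.platform == target_platform:    # exploit only works on this build
                    peer.compromised = True
                    next_frontier.append(peer)
            if alert_raised:
                break
        frontier = next_frontier
    return sum(h.compromised for h in hosts)


def blast_radius_report(n=12):
    """Compare the four combinations of monoculture/diversity and static/dynamic trust."""
    mono = build_fleet(n, ["ubuntu"])                    # constructed: single build everywhere
    mixed = build_fleet(n, ["ubuntu", "rhel", "bsd"])    # constructed: three builds, evenly split
    return {
        "monoculture, static trust": simulate(mono, "ubuntu"),
        "monoculture, dynamic trust": simulate(mono, "ubuntu", trust_threshold=0.5),
        "diverse, static trust": simulate(mixed, "ubuntu"),
        "diverse, dynamic trust": simulate(mixed, "ubuntu", trust_threshold=0.5),
    }


if __name__ == "__main__":
    for scenario, hit in blast_radius_report().items():
        print(f"{scenario:28s} -> {hit} of 12 hosts compromised")
```

In the homogeneous fleet the exploit reaches every host in a single hop, which is the "all of the connected systems" outcome Webb warns about; splitting the fleet across three builds caps the damage at the hosts on the targeted build, and adding the trust decay cuts it further because the attacker is isolated after only a few attempts. The numbers depend entirely on the constructed decay and threshold, so the point is the shape of the result, not the specific counts.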
Until MRC is ready for deployment, DOD will have to rely on existing government and commercial security technologies and practices, even though they too are still evolving and have not yet been fully tested in a military cloud environment.
The major sources of guidance for cloud computing, from research and from practice, are the NIST Cloud Computing Initiative and the NIST 800-series publications; the GSA FedRAMP (Federal Risk and Authorization Management Program); and the DISA RACE (Rapid Access Computing Environment) and STAX (Secure Technology Application eXecution) programs.