The Secure Cloud Computing

Published Date: 02 Nov 2017

Abstract

"The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards."
– Gene Spafford

The purpose of this study is to analyze the effectiveness of cloud computing security from within the Department of Defense. Three sub-questions were researched, (1) How did cloud computing come into existence? (2)What are some of the management considerations affecting cloud computing? (3) What factors and concerns are associated with securing the cloud?

The methodology for this direct study project was a combination of qualitative and quantitative, which exhibited the pros and cons of cloud computing. Interviews were conducted using 25 Department of Defense employees ranging from contractors, federal employees all the way up to the Chief Information Officer. The surveys used by these individuals consisted of eight questions that gauged their awareness about cloud computing from different aspects. The results of these surveys were in direct correlation with the research findings found throughout the development process of this project.

This research listed chronological events throughout the initial introduction of cloud computing and included brief illustrations that led to the Department of Defense transformation of its initiatives. Consideration was given to factors outlining the beneficial outlook with instituting a cloud environment. Several key areas of security concerns were examined to determine what threats and vulnerabilities were facing cloud computing. The results of these studies were obtained from websites, textbooks, industry publications and conducted surveys.

CHAPTER 1

INTRODUCTION

Context of the Problem

Cloud computing is known merely as a platform used for computing purposes that is widely used and resides in a medium to large data center. It is able to provide servers dynamically while addressing several varieties of needs from research to data back up and even e-commerce. Having the provision of resource computing similar to electricity presents major problems within the information policy to include individual security, access, privacy, and reliability. These problems have to be regulated and controlled to remain consistent with information assurance practices. The future potential that cloud computing has yet to reach along with security issues that have been raised will form the basic of this research.

Standards associated with any information technology function are consider critical in terms of cloud computing. In order to ensure a successful adoption and immediate delivery of this widely growing technology within the public and private sector standards must be adopted to ensure its un-wavering security practices. There is increased competition that makes application portable across multiple providers and allows many different agencies from Federal to local governments to shift their services between providers for cost effective means. This increase allows for them to take full advantage of cost efficiencies that recommend newly innovative functional products. These platforms also have to be able to work collectively together seamlessly without thought as to which sector they are originating from in order to deliver an effective product. National Institute of Standards and Technology (NIST) will be providing a leading role in the definition of standards. The NIST ensures collaboration with Chief Information Officers across wide variety of both private and public agencies.

Many non-federal agencies have embarked on cloud computing to more effectively manage their capabilities to provide better services for their customers. The transition to an outsourced environment like this continues to have a huge risk management factor. Risk management encompasses identifying and assessing risk while taking the appropriate steps to reduce it to an acceptable level. Throughout the system lifecycle, risks that are identified must be carefully balanced against the security and privacy controls available and the expected benefits. Too many controls can be inefficient and ineffective.

Having the concept that cloud computing is a computing platform that actually resides within a large data center that is usually geographically separated and is dynamically able to provide servers with the synchronized ability to address a never-ending variety of wide range needs, from scientific research to e-commerce. There are many major problems in regards to computing resources. Having the mindset that these resources are similar to a common household utility, reinforces the fact that cloud computing is a revolutionary computing service and plagues issues such as privacy, security, reliability, access, and regulated controls. The research explored will contain the nature and potential of cloud computing, policy issues raised, and any research questions related to cloud computing. Policy issues are ultimately a larger part of the problem in response to this rapidly growing technological evolution.

Statement of the Problem

As the concept of the Federal Government continues to move closer towards cloud computing, one truth remains, that is the need to remain vigilant while protecting the privacy of citizens and national security. The projected research will examine the potentially devastating impacts as a result of the some of the associated security risks that the federal government may face throughout the system lifecycle. Secondly, any assumed risks that are identified must be carefully balanced against all of the security and associated privacy controls that have been made available along with the expected benefits.

Research Questions

The purpose of this research is to determine the following: What is required to ensure a secure cloud computing environment within the Federal Government? To answer this question, this paper addresses the following sub-questions:

How did cloud computing come into existence?

What are some of the management considerations affecting cloud computing?

What factors and concerns are associated with the security of cloud computing?

Significance of the Study

The importance of this research study is mainly due to the number of Department of Defense agencies that have adapted towards cloud technologies and their realization of the considerable benefits that this technology can have in the future. For instance, think of the many different governmental agencies that now can give researchers access to Information Technology (IT) services relatively inexpensively within minutes. Prior to the government adopting this approach, it could take researchers several months to be able to procure and configure comparable IT services. This would require significant resources significant management oversight to be able to monitor and upgrade applicable systems. The application of cloud technologies within the Department of Defense can potentially yield tremendous benefits in the areas of efficiency, agility, and innovation. The benefits associated with this are described below.

The study will aid in the clarification of the nature and origins of cloud computing along with the key technical characteristics and their benefits to its users. Regardless of the promise and future potential, cloud computing still remains at the difficult intersection associated with new computing concepts and information policy. Cloud computing continues to raise major issues in regards to privacy, security, anonymity, telecommunications capacity, liability, reliability, and government surveillance, but the existence of relevant laws have not shown to be applicable to this new concept.

This study reveals a rapid provision for IT services for the Department of Defense. Providing for these IT services it is expected to include an agile yet simple acquisition and certification processes that is elastic and usage-based for the delivery of efficiently pooled computing resources. Being able to ensure that these resources are portable, reusable with business-driven solutions is a key element. Agencies must maintain browser-based ubiquitous internet access to services that are always on and available, with utility-like solutions to help the resources have an advantageous outcome. When access to these services is limited or affected in any way it places a strain on reliability and productivity. Knowing that your information is readily available and security provisions are in place ensure a nearly seamless workflow to internal and external customers.

Research Methodology

Research methods used in this proposal will aim at further defining the strategy for ensuring security parameters are established, maintained and adhered to for Department of Defense cloud computing. The research provided will first outline the nature along with the origins of cloud computing depicting current examples of initiatives within cloud computing. The next topic to be examined will be key technical characteristics and benefits to its users. There are several key policy issues related to cloud computing that will then be discussed as well as any policy gaps that cloud computing has raised. Next will be a discussion involving security concerns such as threats and vulnerabilities that present potential problems. Finally, the research will describe how issues of policy and cloud computing can be reconciled to facilitate the growth and development of cloud computing as a more beneficial component for individual, corporate, and governmental computer users.

Cloud computing raises a range of important policy issues, which include issues of privacy, security, anonymity, telecommunications capacity, government surveillance, reliability, and liability. Some of the trade press and popular media accounts of cloud computing have raised potential issues of privacy and intellectual property. The multiple types of policy issues that have been raised by cloud computing merit significant consideration. Cloud computing allows the Federal Government to use its IT investments in a more innovative way and to more easily adopt innovations from the private sector. Cloud computing will also help our IT services take advantage of leading-edge technologies including devices such as tablet computers and smart phones.

If an emphasis is placed on a technology that is used widely enough such as cloud computing and it also encounters significant policy issues, perhaps that generate adequate momentum for a more broad reassessment of the information-policy–making process in the electronic age. While it is known that cloud computing is a very new concept, it is feasible to considering whether and how its development will ultimately have any impact on the large mosaic of policies related to technology. Though it is easy to identify potential information policy issues in cloud computing, potential policy-based solutions to these issues are far less obvious due to the technology being relatively new and the previously discussed connections between technology and policy in the United States. The unique nature that cloud computing has gives it vast potential for it to become a truly ubiquitous technology employed by individuals.

Academic institutions, corporations, and perhaps even some governmental agencies provide a remarkable opportunity to consider essential issues of technology and policy. Those organizations that embrace change are destined to have increased opportunity for growth as the evolution of technology continues to expand. This research is intended to identify and outline the policy issues that are related to cloud computing. It is hoped that providing serious consideration for and research about these issues, as cloud computing is in its developmental stages that will allow any policy concerns to be addressed in timely and satisfactory manner before cloud computing becomes too large or too widely used to regulate effectively.

Organization of the Study

This research paper will consist of four chapters. Chapter one presents the scope os the problem, significance of the study along with the methodology of the research. Chapter 2 takes a look at the question involving what is required to ensure a secure cloud computing environment within the Department of Defense? The third chapter addresses the evolution of cloud computing, some management considerations surrounding the cloud and factors and concerns associated with the security of cloud computing. The last chapter "summary and conclusion" will present all of the findings concerning secure cloud computing and list the benefits and certain drawbacks of using this technology from a Department of Defense perspective.

CHAPTER 2

SECURE CLOUD COMPUTING

Introduction

This chapter explains what cloud computing is and how its evolution has changed computing and impacted new technology. The purpose of this chapter is to define cloud computing and discuss how its overwhelming popularity has contributed to many concerns involving it security. This chapter will also discuss what role each of the cloud computing models play in determining the business type needs. The secondary research will consist of textbooks, newspaper articles, company websites and government and industry publications. Many topics that relate to cloud computing and its affect on the Federal Government move towards the future of Information Technology will be researched.

Definition

Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.

Essential Characteristics

On-demand self-service. A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.

Broad network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, and workstations).

Resource pooling. The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, and network bandwidth.

Rapid elasticity. Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.

Measured service. Cloud systems automatically control and optimize resource use by leveraging a metering capability1 at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.

Service Models

Software as a Service (SaaS). The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure2. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user- specific application configuration settings.

Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider.3 The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.

Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).

Deployment Models

Private cloud. The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.

Community cloud. The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.

Public cloud. The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.

Hybrid cloud. The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).

Whatever name that is used, cloud computing as a service, or the internet as a computer platform it will change the common ingredient of computer computation. The use of local software and hardware is slowly becoming a thing of the past, as companies are shifting more of their IT departments to the cloud. Cloud computing is not new, almost 50 years ago when service bureaus and time sharing was being introduced as a service for the sharing of software in the IT community. As we look at the benefits of cloud computing and how it will change the way we think of the computing environment it does not come without risks. We will take a look at some of the known risks and how they can be mitigated to receive the full benefits of cloud computing.

Hidden Risks within the Cloud

Challenges posed with Data Center Consolidation

Department of Defense is initiating a plan to boost efforts to overcome cultural and policy problems and technological barriers associated with information sharing and joint capabilities. Within the next few years the federal government is expected to close 800 of their roughly 2,100 data centers to help towards cost efficiencies. With these ongoing cuts there are still concerns about business continuity and disaster recovery. Maintaining operations throughout contingencies helps to ensure that all resources are available not only to the organization but to the customer as well. Key topics such as the direction in which virtualization along with new technologies are heading can determine the life span of a data center. Trends that can affect organizations across the board such as server and storage consolidation efforts are driving factors that require security controls above and beyond the normal. Personnel have to not only be adequately trained but they must also be available for 24 x 7 on-site operations. With budget constraints they way that they are today this can be a strain on many organizations that may loose personnel either because of budget cuts of key personnel departures.

Cost-saving factors

By moving to a cloud, GSA was able to reduce site upgrade time from nine months to one day; monthly downtime improved from two hours to 99.9% availability; and GSA realized savings of $1.7M in hosting services (McClure, 2010). Cloud computing drastically provides for a quick return with limited investment by reducing paperwork, lowering transaction costs and minimizing the need for investment in additional computer hardware. Another factor is that it’s scalable in the fact that similar to electricity and water some cloud computing services allow business to only pay for what they use. Of course as your business grows you are able to make the necessary adjustments to add more server space. Migrating government web services not only improves scalability but it also provides for reduced costs and has an immediate impact on the environment. According to a recent Carbon Disclosure Project report, companies that streamline operations to improve IT performance will not only reduce capital expenditures but they’ll shrink energy consumption and carbon emissions. The group estimated that, by 2020, U.S. organizations that move to the cloud could save $12.3 billion in energy costs and the equivalent of 200 million barrels of oil. As you are able to see in a survey that was conducted on Federal employees they reasons for either using or not using the Cloud vary tremendously. Reduced hardware infrastructure costs ranks high in the standings to those users that have a vested interest in using Cloud services.

Through more in-depth research and analysis there will be a more direct approach to determine the types of security measures that are in use currently and those that need to be implemented in order to maintain a more secure Cloud computing environment for all governmental agencies. As with most new technologies the increased demand for cloud computing will ultimately result in a more saturated market whether in the Federal Government or private sector.

With increased growth as seen in the graph above there is very little uncertainty the Cloud computing is here to stay. Our part as users of data is to ensure that we do our part in seeking out the necessary training, be aware of the vulnerabilities affecting cloud computing and lead a more active role in this fast pace technology world.

Why is there so much emphasis placed on security

Cloud computing shifts Information Technology to more of a creator and distributor of services, but brings with it increased security concerns such as data security, application security, compliance, privacy, and other issues around these evolving technologies. Defense Information Technology Security Certification and Accreditation Process (DITSCAP) to Defense Information Assurance Certification and Accreditation Process (DIACAP) Transition Guide provides details that guide the implementation of the transition process and procedures that have been established. These details provide procedural, technical, administrative and supplemental guidance for all information systems, whether business or tactical, used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission or receipt of data. The key to Cloud computing is having a product that is not only functioning as originally intended but also you have to ensure that the data that is being stored is safeguarded and the necessary security parameters are installed. Security is a primary reason why many users also are very hesitant towards making that leap of faith to Cloud computing as shown in a recent survey conducted by Federal employees asking is Cloud security was strong enough.

The overwhelming majority of the users stated they feel that Cloud computing is not strong enough. Think about the user that still uses checkbooks to make payments and they prefer to have a personal conversation with the salesperson that they are dealing with, those are the users that will have the most difficult time convincing that Cloud computing is right for them.

Security concerns

Cloud computing may seem risky because its perimeter can not be secured due to the inefficiency of cloud’s boundaries. In addition, many government agencies must comply with regulatory statutes, such as the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes–Oxley Act of 2002 (SOX), and the Federal Information Security Management Act (FISMA). Yet organizations can move forward even while security standards have yet to be completely defined. The National Institute of Standards and Technology (NIST) likens the adoption of cloud computing to that of wireless technology.

Security as we all know is at the top of the list amongst user when it comes to Cloud computing. Compromising any of these areas could very well result in legal implications. That is why if you take a look around you will find that the primary concern for all organizations is Information Assurance.

CHAPTER 3

HISTORY, REQUIREMENTS AND SECURITY

Introduction

This chapter covers topics surrounding the existence of cloud computing, key reliability and liability concerns, along with a strict emphasis placed on security, privacy and anonymity. The information that is contained within this chapter is not all-inclusive however it is important to note that this information should be used as a total collaboration effort with all of the other chapters of this paper.

Evolution

In relation to how cloud computing evolved throughout the years Sourya Biswas stated it clearly by saying that the best time to trace the growth of any paradigm, whether technology or culture or any other human endeavor, is when it has grown out of infancy but not attained maturity. Back in the 1960s John McCarthy wrote that, "computation may someday be organized as a public utility". Shortly after that in the early 1990s the concept of grid computing originated as a concept for making computer power easily accessible as an electric power grid. Telecommunication companies made a radical shift from point-to-point data circuits to Virtual Private Network (VPN) services in the mid-1990s. Their technique which comprises the use of optimizing resource utilization enabled work to be done more efficiently while adding to the cost savings. The actual term cloud computing was first used by Ramnath Chellappa in 1997 during a lecture where he defined it as a new "computing paradigm where the boundaries of computing will be determined by economic rationale rather than technical limits alone". The first to actually move in the direction of this concept was Salesforce.com which back in 1999 actually introduced the concept of delivering enterprise applications via a simple website. As always there is someone that is laying low and ready to jump on the bandwagon, in this case that was Amazon, which launched Amazon Web Service in 2002.

The public wasn’t exactly knowledgeable concerning this concept until Google Docs was introduced in 2006. Also during that year Amazon introduced the Elastic Compute cloud (EC2) as a commercial web service in which smaller businesses and individuals were able to lease computers in order to run their own computer applications. This innovation led to a massive industry-wide collaboration effort between Google, IBM and several universities within the United States. Eucalyptus came on the scene in 2008 with the first open source AWS API compatible platform for deploying private clouds. Shortly thereafter, OpenNebula became the first open source software for deploying private and hybrid clouds. Microsoft couldn’t be denied a place in the cloud computing market so it launched Windows Azure in November and suddenly there were major players jumping in from al over the place.

Information Technology’s fundamental shift towards Cloud Computing

In order to get a clear understanding of cloud computing you must first have a clear interpretation of what the term relates to. With this new technology it allows end users to provision computing resources as required, on-demand with instant results. Using cloud computing services, many Federal agencies such as the Department of Defense look at this as a way to launch a capability that serves millions of users while substantially providing a cost savings. The adoption of this initiative has enabled government agencies to realize that there are considerable benefits available through it use. To be successful in IT, agencies cloud services are managed much different that the traditional IT assets. By continually reviewing and studying articles related literature we will be able to support the research throughout this chapter.

The Beginning of Cloud Computing within the Department of Defense

Just like there are many different companies that have already begun the transition from the desktop scene to a more conventional method of storage known as cloud computing, the Department of Defense (DoD) has also begun this transformation. It has established a set of initiatives that are aimed at achieving improved mission effectiveness and cyber-security in a reengineered information infrastructure. The result of this newly engineered effort is referred to as the Joint Information Environment (JIE). The JIE consists of a robust and resilient enterprise capable of delivering faster, increased collaboration insight along with decisions enabled by a more secure, streamlined access to information regardless of the peripheral type or its geographic location. As a result of this, the DoD Enterprise Cloud Environment has become a key component in ensuring that they achieve the JIE goals.

Federal and DoD Cloud Computing Mandates

The Federal Government intends to accelerate the pace at which it will realize the value of cloud computing by requiring agencies to evaluate safe, secure cloud computing options before making any new IT investments. In alignment with Federal and Department-wide IT efficiency mandates, the DoD is committed to cloud computing, and to provide a secure, resilient Enterprise Cloud Environment. A few of the mandates that have been instituted include:

2012 National Defense Authorization Act (NDAA) (Public Law 112-81). Mandates that DoD CIO submit a Performance Plan that includes a strategy to address "migration of Defense data and government-provided services from Department-owned and operated data centers to cloud computing services generally available within the private sector that provide a better capability at a lower cost with the same or greater degree of security" and "utilization of private sector managed security services for data centers and cloud computing services."

Secretary of Defense (SecDef) efficiencies Initiatives. The SecDef announced a DoD-wide efficiencies initiative to move America’s defense institutions toward a "more efficient, effective, and cost-conscious way of doing business." This initiative directed the consolidation of IT infrastructure to achieve savings in acquisition, sustainment, and manpower costs to improve DoD’s ability to execite its mission while defending its networks against groqing cyber threats.

Office of Management and Budget (OMB)‐directed Federal Data center Consolidation Initiative (FDCCI). The FDCCI (See Appendix B,(Reference D)) directed a reduction in data centers to be achieved primarily through the use of virtualization techniques and leveraging cloud computing.

Federal CIO 25 Point Implementation Plan to Reform Federal Information Technology Management. The 25 point plan (See Appendix B,(Reference E)) specifies that "Agencies must focus on consolidating existing data centers, reducing the need for infrastructure growth by implementing a Cloud First policy for services, and increasing the use of available cloud and shared services."

Federal Risk and Authorization Management Program (FedRAMP). FedRAMP (See Appendix B,(Reference F)) provides joint "provisional" authorizations and continuous security monitoring services applicable to "Executive departments and agencies procuring commercial and non‐commercial cloud services that are provided by information systems that support the operations and assets of the departments and agencies, including systems provided or managed by other departments or agencies, contractors, or other sources."

DoD IT Enterprise Strategy and Roadmap (ITESR). The ITESR (See Appendix B,(Reference G)) presents the DoD CIO’s plan for achieving the goals of the SecDef’s Efficiency Initiative and the mandates of OMB’s FDCCI and 25 Point Implementation Plan.

When you are dealing with a product that has many new aspects available sometimes they can be hindered by the knowledge of the user. Recently a survey was conducted on Department of Defense personnel to show their overall knowledge of Cloud computing.

Training obviously is a key element in ensuring that users are knowledgeable about the Cloud concept. It helps to ensure that users are properly equipped with the skills not only to administer Cloud services but also to manipulate files and data. It’s a scary thing when you hear users say I know enough to be dangerous, especially when it comes to storing data.

While records show that 2010 saw a maximum number of companies entering the cloud spectrum it is expected that the number of future organizations utilizing this technology will continue to rise well before it reaches its full maturity. With this growth the Department of Defense will continually strive to make improvements for a more streamlined approach to handling information. As the Department of Defense moves towards a more efficient aspect of cloud computing, it must also be vigilant enough to ensure that the security and proper management of all governmental information is adequate to protect the privacy of U.S. citizens along with national security. These aspects will be thoroughly researched in this chapter to further show how the implementation process works and is carried through until completion.

Figure 1 is a logical depiction of he envisioned DoD Enterprise Cloud Environment end state. It illustrates that the DoD Enterprise Cloud is an integrated environment on the GIG, consisting of DoD Components, commercial entities, Federal organizations, and mission partners.

Benefits

When discussing new technology the first topic to come to mind is what are the benefits of this particular product. Cloud computing is no exception when taking into consideration personnel, data and cost factors.

Reduced Costs. Transforming high fixed-capital costs to low variable expenses. Setting up an internal cloud within a company provides an efficient service platform while placing a limit on internal capital expenditures for IT infrastructure. The Federal Chief Information Officers Council has charged the government with leveraging cloud computing services to reduce costs and provide greater efficiencies, according to the U.S. CIO council website. Cloud computing allows customers to scale capacity on demand and greatly reduces energy consumption.

Scalability. Infrastructure providers pool large amounts of resources from data centers and make them easily accessible.

Cloud computing drastically provides for a quick return with limited investment by reducing paperwork, lowering transaction costs and minimizing the need for investment in additional computer hardware. Another factor is that it’s scalable in the fact that similar to electricity and water some cloud computing services allow business to only pay for what they use. Of course as your business grows you are able to make the necessary adjustments to add more server space.

Migrating government web services not only improves scalability but it also provides for reduced costs and has an immediate impact on the environment. According to a recent Carbon Disclosure Project report, companies that streamline operations to improve IT performance will not only reduce capital expenditures but they’ll shrink energy consumption and carbon emissions. The group estimated that, by 2020, U.S. organizations that move to the cloud could save $12.3 billion in energy costs and the equivalent of 200 million barrels of oil. As you are able to see in a survey that was conducted on Federal employees they reasons for either using or not using the Cloud vary tremendously. Reduced hardware infrastructure costs ranks high in the standings to those users that have a vested interest in using Cloud services.

Through more in-depth research and analysis there will be a more direct approach to determine the types of security measures that are in use currently and those that need to be implemented in order to maintain a more secure Cloud computing environment for all governmental agencies. As with most new technologies the increased demand for cloud computing will ultimately result in a more saturated market whether in the Federal Government or private sector.

Management Considerations

Liability. Liability and potential litigation is a growing concern of cloud computing providers, who function in a currently gray area. Unnecessary litigation would stifle innovation, as no technical system is infallible, and 100% uptimes and services simply cannot be guaranteed.

Reliability.

Security Factors

Security as we all know is at the top of the list amongst user when it comes to Cloud computing. Compromising any of these areas could very well result in legal implications. That is why if you take a look around you will find that the primary concern for all organizations is Information Assurance. The issue of security is apparent with the survey that was conducted to see what were the concerns regarding Cloud Computing.

Threats.

Malicious Insider. Cloud computing related insider threats are often listed as a serious concern by security researchers, but to date this threat has not been thoroughly explored. There is belief that the fundamental nature of current insider threats will remain relatively unchanged in a cloud environment, but the paradigm does reveal new exploit possibilities. The common notion lists a cloud insider as a rogue administrator of a service provider.

Vulnerabilities.

It’s not that cloud computing solutions are any more vulnerable that some traditional solutions, rather the fact that with cloud vulnerabilities operate on a much larger scale. Although some of the weaknesses of the cloud revolve around basic issues that are often easily resolved, the weak authentication protocols, port management along with managing resources from a remote location contribute to its vulnerability. There are many areas of concern, during the next few pages the most common concerns that hinder security will be addressed.

Availability. As part of the cloud infrastructure services the availability needs are addressed because downtime limits effective production. The concern can revolve around platform services differentiating from one provider to another. Although availability should not be an area of concern for DoD because they centrally manage their cloud services through each service agency, it still remains an area of concern based off of Platform as a Service.

Data Protection (Privacy). Cloud customers remain ultimately responsible for maintaining control of data and the protection of individual rights. The challenge lies in defining the allocation of responsibilities and obligations for security and privacy between customers and cloud providers. Building strong privacy protections are key to establishing trust within cloud computing. As shown below through identification, monitoring and correlation of data the protection of data can be greatly enhanced.

CHAPTER 4

Summary and Conclusions

Introduction

The purpose of this study was to analyze the effectiveness of cloud computing security from within the Department of Defense. Three sub-questions were researched, (1) "How did cloud computing come into existence?" (2) "What are some of the management considerations affecting cloud computing?" (3) "What factors and concerns are associated with securing the cloud?"

The methodology for this direct study project was a combination of qualitative and quantitative, which exhibited the pros and cons of cloud computing. Interviews were conducted using 25 Department of Defense employees ranging from contractors, federal employees all the way up to the Chief Information Officer. The surveys used by these individuals consisted of eight questions that gauged their awareness about cloud computing from different aspects. The results of these surveys were in direct correlation with the research findings found throughout the development process of this project.

This research listed chronological events throughout the initial introduction of cloud computing and included brief illustrations that led to the Department of Defense transformation of its initiatives. Consideration was given to factors outlining the beneficial outlook with instituting a cloud environment. Several key areas of security concerns were examined to determine what threats and vulnerabilities were facing cloud computing. The results of these studies were obtained from websites, textbooks, industry publications and conducted surveys.