Cloud and BYOD Security Concerns Make Military and Intelligence Agencies Hesitate
Citing security issues, IT leaders at Department of Defense and National Security Agency warn that BYOD policies and public clouds are a long way from taking hold in environments rife with classified information.
By Kenneth Corbin
WASHINGTON — If the shift to cloud computing and the adoption of BYOD policies seem like an inevitability in the corporate world, they are anything but in the military and intelligence communities.
In a panel discussion Tuesday at a government IT conference, Debora Plunkett, information assurance director at the National Security Agency, joked that she would break out into hives at the mere mention of the term “BYOD.”
But just as private-sector employees have been clamoring for authorization to bring their iPhones, Androids and other devices into the workplace, federal workers, including those who deal with classified information, have been voicing similar requests.
“We have a–not unexpected at all–a large client set who are just craving for the ability to do the things at work that they do at home. It’s not rocket science,” Plunkett said. “It’s really happening across the corporate landscape. That’s where it originated and there is a groundswell of interest and actual implementation in corporate America and the corporate world. And, not surprisingly, what has been proven successful in a corporate environment drives our requirements for the same capabilities in government.”
BYOD Productivity Brings NSA Concerns
And she acknowledged that opening the doors to a new crop of ever-more sophisticated devices could translate into a more productive and efficient workforce, just as many private-sector CIOs have concluded.
“But what comes with those opportunities are some significant challenges, and I live in that space on a daily basis,” Plunkett said. “It really starts with an understanding that there really are adversaries out there who have every intent to gain access to the secrets that we try to protect. And who have every intent of disrupting our ability to conduct the business of government. And who have every intent of reducing our confidence in the information that resides in the information systems that we trust. So our responsibility then is to raise that bar from a security perspective while still enabling the business of government to go on, and to go on in a way that allows us to use state-of-the-art technologies and tools and techniques, but being ever mindful to the right of the adversary who is out there.”
IT officials at the Pentagon are experiencing a similar friction.
“It’s very simple: ‘I want one device.’ I don’t think it’s any more complicated than that,” Robert Carey, principal deputy CIO at the Department of Defense, said of the growing demand for BYOD policies. “Balancing ease of use and security is always the dynamic. Security is the antithesis of convenience.”
By its sheer scale, the DoD is a uniquely challenging IT environment. Carey has been leading recent efforts to consolidate and standardize the DoD’s far-flung computing environment while also working to bolster the security of its enterprise architecture. At present, the department runs about 10,000 distinct systems, maintains 1,500 data centers and upwards of 65,000 servers.
But in the mobile arena, the DoD is a fairly homogenous environment.
“We have very few devices at the DoD. We are pretty much a BlackBerry house,” Carey said.
Carey noted that the Pentagon is currently running multiple pilot programs to test devices from other manufacturers, and is working with vendors to harden mobile operating systems to meet DoD security requirements. He set RIM, the maker of the BlackBerry, apart from other device makers for its focus on enterprise-grade security from the outset; Apple, Android and other mobile platforms, by contrast, began with a consumer-centric approach and have only been beefing up security in response to concerns from corporate and government customers.
“We have to manage this very carefully as we move into the future and make sure that these are not additional attack surfaces,” Carey said. “I don’t know that we’ll quite get to a pure BYOD environment.”
Plunkett also posed a practical challenge that agencies like the NSA have to deal with concerning what’s known as “spillage,” when information classified at one level ends up on a system accredited only for a lower classification domain. The normal response at the NSA is to remove the affected device from the network, which sometimes means destroying it.
In a BYOD environment, would that mean confiscating and potentially destroying an employee’s personal phone? “That’s a whole new scenario, isn’t it?” Plunkett said.
IT managers in the military and intelligence communities are similarly cautious in their approach to cloud computing. While the Obama administration has issued directives calling for agencies across the government to put the cloud at the forefront of their technology agenda, the issue is complicated when sensitive or classified information is in play.
Plunkett and Carey were both dismissive of public-cloud deployments for all but that information which is publicly available without restriction. The DoD is currently focused on private, internal clouds that it builds in-house, applying stringent security standards and skirting the thorny issues that arise in the drafting of contracts with private vendors.
“You’ve got to make some pretty big decisions up front,” Carey said. “You have to understand, A: your information, and B: is it suitable and germane to go into a public or private cloud.”
In any case, when an agency works with an outside vendor on a cloud deployment, federal personnel must ensure that their private-sector partners have a “crisp understanding of the security requirements,” Plunkett said, emphasizing the importance of writing the specific security stipulations spelled out in the government’s FedRAMP program into the contract.
“To the extent that we can get industry understanding and comfortable with the requirements that we have, and then get them committed to making changes in their products, that really not only raises the bar from our requirements, but raises the bar really for the world, because these are now commercial commodity products,” she said. “They’re going to become available for everyone.”
Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for CIO.com.