Cloud computing has recently burst onto the technology and business scene, promising great technical and economic advantages such as on-demand provisioning of computer services, improved flexibility and scalability, and reduced costs. Another attractive point of the cloud is its ability to enable a mobile workforce, which brings enhanced flexibility and efficiency. But cloud computing systems also provide attackers with new opportunities and can amplify an attacker's ability to compromise the computing infrastructure.
Defense Department senior leaders have directed DoD to adopt cloud computing to support the warfighter, a direction that will become a pillar of the department’s strength and security, officials said. Navy Rear Adm. Nancy A. Norton, DISA’s vice director, said the cloud will simplify and provide flexibility to the way DoD works with information that’s secure, rather than having many servers scattered around the globe for every command. The February 2011 Federal Cloud Computing Strategy released by the U.S. Chief Information Officer reinforces the United States Government’s plans to move information technology away from traditional workstations and toward cloud computing environments.
However, the military has concerns about the security of the cloud. There is a high degree of implicit trust between the computational nodes within a cloud or a distributed computing infrastructure, which allows malware to propagate rapidly once it is within the enclave, says DARPA. Cloud computing infrastructures, in particular, tightly integrate large numbers of hosts using high-speed interconnection fabrics that can serve to propagate attacks even more rapidly than conventional networked systems. Today’s hosts, of course, are highly vulnerable, but even if the hosts within a cloud are reasonably secure, any residual vulnerability in the hosts will be amplified dramatically.
The military has stringent security requirements and therefore calls for the development of secure cloud services with stringent compliance and security measures such as the Federal Information Security Management Act (FISMA), the Federal Risk and Authorization Management Program (FedRAMP) and Federal Information Processing Standards (FIPS). The trend is to focus on developing private clouds, so as not to compromise national security in the face of inside and outside threats, and to be more reliable in handling mission-critical workloads. IDC reports predict that by FY 2014 U.S. federal government spending on private cloud will be $1.7 billion vs. just $118.3 million on public cloud.
Cyber Security and Information Assurance Research and Development (CSIA) is one of the priority areas of the Federal Government’s multi-agency Networking and Information Technology Research and Development (NITRD) Program. DoD agencies have added a fifth element to the CSIA Strategic Plan called “Assuring the Mission.” This program element focuses on developing technologies to be aware of missions and threats, compute optimal assurance solutions, and implement protection as needed via mission agility or infrastructure reinforcement.
DARPA believes that we must not only address host vulnerabilities but must also pursue clean-slate approaches to the design of networked computations and cloud-computing infrastructures. Since 2011 DARPA’s Mission-oriented Resilient Clouds (MRC) program has been working to research and develop methods to increase the security and reliability of the cloud.
The program indicates a shift in the way DOD is approaching cloud security, said Bryan Ward, cloud computing practice director at Serco, a military technical services provider that’s considering an MRC bid. “Most of the cloud tools that are out there are one-off manifestations of traditional tools that focus on the physical infrastructure,” he said. “Standards bodies and research organizations…are all recognizing that a lot of these tools need to be revamped to look at the virtual network that’s created by the cloud.” Ward said he thinks that MRC’s approach is designed to get researchers thinking about cloud security in different and novel ways. “They want people to think out of the box,” he said.
But Ron Ritchey, a cloud security principal at Booz Allen Hamilton, a firm based in McLean, Va., that provides technology consulting services to DOD and other government agencies, noted that as DARPA explores the thin forward edge of cloud security, it needs to be careful that any new technologies it cultivates don’t cause inadvertent harm.
Challenges to Secure Cloud Computing
The problems with securing cloud computing are many. Today the cloud is secure for only certain types of data, Carey said. The department also faces difficulties transitioning from its legacy systems in a cost-effective manner. And how to measure cloud security is in its infancy. “At the end of the day, the metrics of cloud security are, at best, nebulous,” he said. Then there is the structure of the cloud itself. Centralizing data, while cost-effective and a boon to data sharing, can also create a single point of failure. Shared code means a virus can spread rapidly through the system, which is difficult in siloed computer systems with different legacy coding.
While compelling incentives to do this exist, the security implications of concentrating sensitive data and computation into computing clouds have yet to be fully addressed. The perimeter defense focus of traditional security solutions is not sufficient to secure existing enclaves. It could be further marginalized in cloud environments where there is a huge concentration of homogeneous hosts on high-speed networks without internal checks, and with implicit trust among hosts within those limited perimeter defenses.
In a computing monoculture, all of the nodes/servers are identical and share the same vulnerabilities. So any attack that can take over a single node can take over the entire cloud. In addition, Shrobe said, by adding a layer of software to coordinate the individual computers, the cloud creates more complexity, which means more opportunities for something to go wrong and create a vulnerability by mistake. For example, hypervisors, the software that manages the multitasking and virtualization process at the heart of cloud computing, add additional complexity to cloud computing nodes.
DOD is addressing security on several fronts, one of which is DARPA’s Mission-oriented Resilient Clouds (MRC) initiative, announced in 2011. MRC aims to protect its mission-focused cloud infrastructures by developing resilient cloud services that would continue to operate and support military objectives despite being hit by a cyberattack. Upon completion, the MRC program will run alongside DOD’s Clean-slate design of Resilient, Adaptive, Secure Hosts program for limiting host vulnerabilities.
DARPA’s Mission-oriented Resilient Clouds (MRC)
DARPA launched the Mission-oriented Resilient Clouds (MRC) program in 2011 to address some of the security challenges by developing technologies to detect, diagnose and respond to attacks in the cloud. The MRC program is using a “community health system” approach to protect cloud computing networks from these threats, turning the cloud’s connectivity from a vulnerability to a source of strength. The idea is that information about potential attacks is shared throughout the cloud, diverting resources around compromised nodes where possible, while mobilizing defensive systems to contain the damage.
MRC is about building a system that can keep functioning while under attack and continue to provide useful services even after some resources have been corrupted. The research stresses designing resilient, adaptive systems able to fend off attacks, said MRC program manager Howard Shrobe. To achieve these goals, the program will research the development of innate distributed cloud defenses, construction of shared situational awareness and dynamic trust models, and introduction of manageable and taskable diversity into an otherwise homogeneous cloud, as well as development of mission-aware adaptive networking technologies.
Under this system, there would be several watchdog mechanisms in the cloud monitoring how applications behave. To begin with, each node monitors its own applications, as well as keeping an eye on other nodes. This self-evaluation may potentially use the hardware and software self-defense procedures being developed in another DARPA cybersecurity program, CRASH, Shrobe said. One way to police the nodes is to have groups of them compute the same answer. Any node deviating from the consensus answer is considered to be suspect, he said. This information is collected into a trust model, a database that estimates how much a resource can be trusted and for what purposes it can be trusted.
When a compromise or any kind of deviation is detected, the MRC’s diagnostic and self-repair capabilities would kick in to develop filters that can recognize and repel the specific attack; work-arounds that can achieve the same system operating goals, but without exposing the vulnerability; and patches that repair the vulnerability once and for all.
These capabilities are then distributed to every node in the cloud in an approach similar to a human public health system’s immunization program, Shrobe said. Just as in a public health system, reports of possible attacks are collected and analyzed for trends and patterns such as an “epidemic” of a particular type of system failure. The system might then quarantine affected nodes, to stop them becoming avenues of attack, or set up new barriers to accessing cloud nodes to prevent a multi-stage attack from continuing.
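The consensus check, trust model and quarantine step described above can be sketched as follows. This is an added illustration, not MRC code: the trust-weighted vote, the step sizes, the quarantine threshold and the sample answers are all assumptions made for the example.

```python
from collections import Counter

# Assumed tuning values (not from the article): trust step sizes and the
# score below which a node is quarantined.
REWARD, PENALTY, QUARANTINE_BELOW = 0.05, 0.30, 0.40


def consensus_round(answers, trust):
    """Compare redundant answers for one task and update the trust model.

    answers: {node: answer} from a group that computed the same task.
    trust:   {node: score in [0, 1]}, updated in place.
    Returns (consensus_answer, deviating_nodes). When no answer holds a
    strict trust-weighted majority there is no verdict: (None, []).
    """
    weight = Counter()
    for node, answer in answers.items():
        weight[answer] += trust[node]      # a distrusted node's vote counts less
    best, best_weight = max(weight.items(), key=lambda kv: kv[1])
    if 2 * best_weight <= sum(weight.values()):
        return None, []
    deviants = sorted(n for n, a in answers.items() if a != best)
    for node, answer in answers.items():
        step = REWARD if answer == best else -PENALTY
        trust[node] = min(1.0, max(0.0, trust[node] + step))
    return best, deviants


def quarantined(trust):
    """Nodes whose trust score has fallen below the quarantine threshold."""
    return sorted(n for n, score in trust.items() if score < QUARANTINE_BELOW)


def demo():
    """Constructed run: node 'd' returns a wrong checksum twice in a row."""
    trust = {n: 0.8 for n in "abcd"}
    log = []
    for answers in ({"a": "9f2c", "b": "9f2c", "c": "9f2c", "d": "0000"},
                    {"a": "71aa", "b": "71aa", "c": "71aa", "d": "0000"}):
        answer, deviants = consensus_round(answers, trust)
        log.append((answer, deviants, quarantined(trust)))
    return trust, log
```

A single deviation lowers the node's score without isolating it; only the repeated deviation pushes it under the threshold, and an evenly split vote produces no verdict and no trust change.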
MRC also aspires to develop resource allocation and optimization techniques that orchestrate interactions between components that maximize effectiveness while accounting for potential risk from perceived threats. The idea behind the research is that the cloud is being used to support multiple missions, so resources should be allocated to maximize mission effectiveness. How efficiently those resources support a mission would be measured by the concept of “net expected utility.”
There may be many possible ways to achieve a mission’s goal and each way requires a unique set of resources, Shrobe said. The complication is that any resources needed for a specific method might be corrupted in a way that causes the mission to fail. The trust model is designed to measure the probability of corruption, Shrobe explained.
DARPA researchers are developing methods to allocate resources to tasks to maximize the net expected utility for the entire mission. “Notice,” Shrobe emphasized, “that this means that we will try to avoid potentially compromised resources, but we will use them when the benefit far outweighs the risk.”
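One way to make the allocation idea concrete, as an added example rather than DARPA's method: the article does not define net expected utility, so the formula below (benefit weighted by the probability that no required resource is corrupted, minus the expected loss on failure), the independence assumption, and the mission, method and node names are all assumptions.

```python
from itertools import product
from math import prod


def net_expected_utility(method, trust):
    """Benefit if every required resource is sound, minus the loss if any
    is corrupted, each weighted by its probability. Assumes resources are
    corrupted independently with probability 1 - trust[r]."""
    p_ok = prod(trust[r] for r in method["needs"])
    return p_ok * method["benefit"] - (1 - p_ok) * method["loss"]


def allocate(missions, trust):
    """Choose one method per mission (or None to skip it) so that no
    resource is used twice and total net expected utility is maximal.
    Exhaustive search: fine for a handful of missions, not for a cloud."""
    names = list(missions)
    best_plan, best_total = dict.fromkeys(names), 0.0
    for choice in product(*([None, *missions[m]] for m in names)):
        used, total = set(), 0.0
        for mission, pick in zip(names, choice):
            if pick is None:
                continue
            method = missions[mission][pick]
            if used & set(method["needs"]):
                break                       # resource conflict: discard plan
            used |= set(method["needs"])
            total += net_expected_utility(method, trust)
        else:
            if total > best_total:
                best_plan, best_total = dict(zip(names, choice)), total
    return best_plan, best_total


# Constructed scenario: node n3 is suspect (trust 0.60) but enables the
# high-value "fast" method; n2 is wanted by two missions.
TRUST = {"n1": 0.99, "n2": 0.95, "n3": 0.60}
MISSIONS = {
    "imagery": {
        "fast": {"needs": ["n1", "n3"], "benefit": 100, "loss": 20},
        "safe": {"needs": ["n1", "n2"], "benefit": 40, "loss": 20},
    },
    "logistics": {"only": {"needs": ["n2"], "benefit": 30, "loss": 10}},
}
```

With n3 at trust 0.60 the allocator still uses it, because the "fast" method's benefit outweighs the risk and frees n2 for the second mission; if n3's trust falls to 0.10 the same call avoids it and falls back to the "safe" method.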
DARPA has issued several grants to develop solutions, including one to the Massachusetts Institute of Technology and a second to Johns Hopkins University, Purdue University and the University of Virginia. MRC system design and development will run through the end of 2014, with integration and testing ending by 2015.
Cloud Intrusion Detection and Repair project
MIT CSAIL’s Cloud Intrusion Detection and Repair project is developing a system that observes normal interactions during the secure operation of the cloud to derive properties that characterize this secure operation. If any part of the cloud subsequently attempts to violate these properties, the system intervenes and changes the interaction (by, for example, adding or removing operations or changing the parameters that appear in operations) to ensure that the cloud executes securely and survives the attack while continuing to provide uninterrupted service to legitimate users.
The crux of our approach revolves around a new technique that we are developing called Input Rectification. Applications are typically able to process the vast majority of inputs securely. Attacks usually succeed because they contain an atypical feature that the application does not process correctly. Our input rectification research observes inputs that the application processes correctly to derive a model (in the form of constraints over input fields) of the “comfort zone” of the application (the set of inputs that the application can process successfully). When it encounters an input that is outside the comfort zone, the rectifier uses the model to change the input to move the input into the comfort zone of the application. Our results show that this technique eliminates security vulnerabilities in a range of applications, leaves the overwhelming majority of safe inputs unchanged, and preserves much of the useful information in modified atypical inputs. This project is currently funded under the DARPA Mission-Oriented Resilient Clouds (MRC) program. MIT is the sole performer.
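A minimal sketch of the input rectification idea described above, added here as an illustration and not taken from the MIT project: it learns only two kinds of constraint (integer ranges and maximum string lengths), and the field names and sample records are constructed.

```python
# Constructed sample data: parsed header fields of inputs that the
# (hypothetical) application processed correctly.
BENIGN = [
    {"width": 640, "height": 480, "comment": "holiday"},
    {"width": 1920, "height": 1080, "comment": ""},
    {"width": 16, "height": 16, "comment": "icon set v2"},
]


def learn_comfort_zone(benign_inputs):
    """Derive per-field constraints from correctly processed inputs:
    an inclusive (min, max) range for integers, a maximum length for
    strings. Assumes each field keeps one type across the training set."""
    zone = {}
    for record in benign_inputs:
        for field, value in record.items():
            if isinstance(value, int):
                lo, hi = zone.get(field, (value, value))
                zone[field] = (min(lo, value), max(hi, value))
            else:
                zone[field] = max(zone.get(field, 0), len(value))
    return zone


def rectify(record, zone):
    """Move a record into the comfort zone, changing as little as possible.
    Returns (rectified_record, names_of_changed_fields)."""
    fixed, changed = {}, []
    for field, value in record.items():
        bound = zone.get(field)
        if bound is None:                      # field never seen: drop it
            changed.append(field)
            continue
        if isinstance(bound, tuple):           # integer field: clamp
            lo, hi = bound
            new = min(max(value, lo), hi) if isinstance(value, int) else lo
        else:                                  # string field: truncate
            new = value[:bound] if isinstance(value, str) else ""
        if new != value:
            changed.append(field)
        fixed[field] = new
    return fixed, changed


ZONE = learn_comfort_zone(BENIGN)
```

Inputs already inside the learned bounds pass through unchanged, while an oversized dimension or comment is clamped or truncated, so the rest of the record still reaches the application.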