7/29/2019 Cyber Security and Reliability in a Digital Cloud
REPORT OF THE DEFENSE SCIENCE BOARD TASK FORCE ON
Cyber Security and Reliability in a Digital Cloud
JANUARY 2013
Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics
Washington, D.C. 20301-3140
This report is a product of the Defense Science Board (DSB).
The DSB is a Federal Advisory Committee established to provide independent advice to the Secretary of Defense. Statements, opinions, conclusions, and recommendations in this report do not necessarily represent the official position of the Department of Defense (DoD). The Defense Science Board Task Force on Cyber Security and Reliability in a Digital Cloud completed its information gathering in March 2012. The report was cleared for open publication by the DoD Office of Security Review on January 16, 2013.
This report is unclassified and cleared for public release.
OFFICE OF THE SECRETARY OF DEFENSE
3140 DEFENSE PENTAGON
WASHINGTON, DC 20301-3140
November 27, 2012
MEMORANDUM FOR UNDER SECRETARY OF DEFENSE FOR ACQUISITION, TECHNOLOGY & LOGISTICS
SUBJECT: Final Report of the Defense Science Board (DSB) Task Force on Cyber Security and Reliability in a Digital Cloud
I am pleased to forward the final report of the DSB Task Force on Cyber Security and Reliability in a Digital Cloud. This study comprises one part of a DSB Cyber Initiative. A study on Resilient Military Systems is the other component of the initiative.
The Task Force assessed the implications of using cloud computing resources and services for Department of Defense (DoD) mission needs. The report offers important recommendations for the DoD focused on: identification and application of cloud computing resources to DoD mission areas; improving DoD's implementation of cloud computing; enhancing cloud resiliency in degraded operations; and finally, areas requiring further research and development. Particular emphasis is given to improving cloud computing resilience for deployed forces.
I fully endorse all of the Task Force's recommendations contained in this report, and urge their careful consideration and soonest adoption.
Dr. Paul Kaminski
Chairman
DEFENSE SCIENCE BOARD
OFFICE OF THE SECRETARY OF DEFENSE
3140 DEFENSE PENTAGON
WASHINGTON, DC 20301-3140
November 27, 2012
MEMORANDUM FOR UNDER SECRETARY OF DEFENSE FOR ACQUISITION, TECHNOLOGY, AND LOGISTICS
Subject: Report of the Defense Science Board Task Force on Cyber Security and Reliability in a Digital Cloud
The final report of the Defense Science Board Task Force on Cyber Security and Reliability in a Digital Cloud is attached. The Task Force conducted an independent assessment of the suitability of cloud computing architectures for DoD applications. Key factors in the assessment included DoD mission enhancements, cyber security benefits and risks, and potential cost savings associated with cloud computing.
The Task Force also investigated the benefits and risks of cloud computing for the needs of deployed forces. Several enhancements in cloud computing architectures and training and operational exercising are recommended to improve the access to important data and computing resources under degraded operational conditions.
The Task Force recommends that for sensitive, classified, or time-critical applications, the DoD should pursue private cloud computing to enhance mission capabilities, provided that strong security measures are in place. This report recommends several improvements in cloud computing implementations to strengthen cyber security and reliability.
Dr. Eric D. Evans, Co-Chairman
Dr. Robert L. Grossman, Co-Chairman
Table of Contents
Executive Summary
1. Scope of the Report
  1.1 Terms of Reference
  1.2 Task Force Approach
  1.3 Organization of the Report
2. Overview of Cloud Computing
  2.1 The Latest Step in an Evolutionary Process
  2.2 What is Cloud Computing?
  2.3 Managing Cloud Computing
3. Cloud Computing Architecture and Implementation
  3.1 The Building Blocks of Cloud Computing
  3.2 The Scale of Cloud Computing
  3.3 Specific Cloud Characteristics Affecting Architecture and Implementation
  3.4 Architecture of a Modern Cloud Data Center
4. Cloud Computing Benefits to the DoD Mission
  4.1 Example: Communication and Networking
  4.2 Example: Analysis of Large Datasets
  4.3 Example: Operational Support for the War Fighter
  4.4 Example: Situational Awareness for Cyber Security
  4.5 Example: Wide-area Persistence Surveillance
5. Cloud Computing Security
  5.1 Security Assessment
  5.2 Data Center Security
  5.3 Secure Cloud Computing Software
  5.4 Secure Cloud Computing Hardware
  5.5 Secure Data Center Operations
6. The Economics of Cloud Computing
  6.1 Cloud Service Economic Drivers
  6.2 Business Case Considerations for Cloud Service Use
  6.3 Service Level Agreements
  6.4 Cloud Computing Case Studies
7. Technology Investment and Research Opportunities
  7.1 Scalability
  7.2 Security
  7.3 Usability
  7.4 Combining Technologies
8. Findings Summary and Recommendations
  8.1 Findings Summary
  8.2 Recommendations
  8.3 Concluding Remarks
Terms of Reference
Task Force Membership
Presentations to the Task Force
Abbreviations and Acronyms
Executive Summary
Cloud computing is viewed by many as the next major step in the evolution of computing infrastructure. Very large commercial cloud computing data centers have emerged around the world with petaflops of processing capacity, hundreds of petabytes of data storage, and wideband network access. Services, including electronic mail, data storage, database management, application hosting, very large dataset processing, and high-performance computing, are globally available today from many cloud computing data centers. Cloud computing advocates promise on-demand delivery of these massive, warehouse-scale computing resources simply and easily through a network browser.
Much of the technology and computer architecture that enable modern cloud computing has roots in the mainframe, client-server, and early internet computing eras. What has emerged in recent years, however, differs from all of these in many attributes. Cloud computing data centers have different capabilities, risks, and security concerns than conventional networks, as well as different cost and efficiency models. These differences are substantial, and have resulted in a wide variety of realistic and unrealistic claims for cloud computing, as well as a good deal of hype and confusion. With the proper implementation and operations, cloud computing data centers have demonstrated as good or better cyber security, capabilities, and cost than is currently available in Department of Defense (DoD) data centers. These improvements, however, are by no means guaranteed for every case and very much depend on the specific details of the implementation and operations.
Cloud computing offers the DoD new, agile computational capabilities to support increasingly multifaceted missions. Some DoD missions likely to benefit from cloud computing services will involve varying or unpredictable computing requirements, or the integration of many, high-capacity data feeds from sensor networks and other sources. Other missions may include the analysis of very large datasets or those that require the ability to move computational resources. An additional benefit is the productivity gained from a ubiquitous connection to common cloud-based services, such as email, shared calendars, unclassified training, or document preparation.
This study investigates the suitability of the cloud computing approach for addressing the DoD enterprise and operational computing needs. Over the past few years, DoD has transitioned some of its computing needs to cloud computing data centers. The main factors driving this transition include enhanced mission capabilities, potential reduction in data center costs, and potential improvement in cyber security. This study has investigated these factors in detail and has analyzed the characteristics that should be considered when DoD contemplates moving applications onto cloud computing data centers. The study also investigated ways for the DoD to manage the cyber security risks and benefits associated with cloud computing.
Important Cloud Computing Issues for the Defense Use
Types of cloud computing service configurations
An important issue is selecting an appropriate configuration of cloud services for DoD cloud computing applications:
• Cloud computing services may be provided by a company that provides similar services to the public, a defense-only contractor, or the DoD itself.
• Cloud computing resources may be shared among a number of customers, or only a single organization.
• The staff that manages the hardware, software, and services may be uncleared employees of a public company, cleared DoD contractors, or DoD employees.
• The cloud computing hardware resources may be located in shared space with other customers, in dedicated space in a building with other customers, at a dedicated facility, or on a military base.
• Cloud computing software resources may be based on a standard or modified software stack used by a public cloud computing services provider, standard or modified open source software stack, proprietary software stack, custom software stack, or some combination of these.
As is clear from this list, multiple dimensions distinguish how cloud computing services may be provisioned. Simply distinguishing between public clouds (commercial public companies operating their own data centers that are shared among many external customers using their own custom software and their own staff) and nonpublic or private clouds can cause confusion. In this report, the task force describes the specific aspects of the cloud computing configuration that are relevant to avoid the simple choice of public or private clouds.
National security concerns clearly preclude putting the computing resources of some sensitive DoD missions and capabilities in public shared clouds operated by non-cleared personnel. In general, however, the decision whether to host a particular application in a particular cloud computing data center depends upon the specific details of the application and the data center.
Detailed mandates for enhanced cyber security
An issue of importance to DoD is the development of a detailed approach for enhanced cyber security across both its conventional and cloud computing enterprise. The hardware and software used in cloud computing, like all hardware and software, may have vulnerabilities that can be exploited by adversaries. Cloud computing processes, fortunately, offer the potential for improved cyber security through a number of attributes, primarily better traffic filtering and malware scanning, monitoring of usage patterns and end-device configurations, varying provisioning of data resources, and improved management of systems operations. Whether allocating an existing application to a cloud computing data center increases or decreases cyber security depends upon the specific application, the specific characteristics of the configuration, and the specific implementation.
The cyber security of cloud computing needs additional attention when it is used to support mission-critical DoD applications. The task force found that, in many cases, deploying applications to cloud computing data centers increased cyber security, especially against less sophisticated threats. The task force also found that many risks can be managed with available hardware and software measures, but the DoD needs to carefully implement these measures before transitioning existing applications to cloud computing systems.
Research and development work within the Military Services, the Defense Advanced Research Projects Agency (DARPA), and the intelligence community offers technology that promises significant improvements for cloud computing cyber security in the long term, and this work should be better integrated with acquisition planning for DoD cloud computing data centers. In some DoD cloud computing implementations currently underway, a larger emphasis on cyber security measures is needed.
Control of cloud computing transition and sustainment costs
Realizing the potential cost savings associated with cloud computing is important to DoD. The transition of Federal government applications to cloud computing data centers has, in some cases, resulted in cost savings. The task force found the actual cost benefits to be highly case-dependent.
This cost savings for the transition from conventional enterprise computing to cloud computing has been achieved in a number of ways: through staffing, electric power usage, and computing efficiency. Conventional systems typically require one professional staff per tens to hundreds of servers, whereas most cloud computing data centers only require one professional staff for thousands of servers. Electric power is a large component of data center costs, and cloud computing data centers can be located where power is relatively less expensive. Finally, through virtualization and improved processing management, servers in cloud computing data centers can be more efficiently used, often achieving greater than five times the server efficiency as compared with conventional computing.
The required cost to enhance cyber security for any cloud computing implementation will need additional investigation. Some additional hardware and software will be required, and the cost for these components will need to be incorporated into the transition and sustainment costs when contemplating transition to a cloud computing data center.
DoD cloud computing data centers
Of particular importance to DoD will be finding ways to mitigate risk while achieving the capability benefits and potential cost reductions that cloud computing promises. An important aspect of cloud computing is the ability to operate infrastructure at a warehouse-scale data center and, thus, to provide new capabilities and enable cost savings. But warehouses are, by their nature, highly visible; having only a few, very large DoD data centers may create attractive targets for an adversary to attack. Further, the centralization implied by a "Fort Knox" approach, with a single, very large data center, cannot provide DoD with resilience or low data transfer latencies required for global operations.
The task force therefore recommends that DoD design, implement, and deploy a set of geographically distributed data centers that could be operated as a single system. A few tens of such consolidated cloud computing data centers, established across the United States and around the world, seems like a good start at creating a sensible cloud capability for DoD. If appropriately designed, a collection of modular data centers would provide DoD with robust and elastic computing capacity.
Commercially available data centers, with servers embedded in modular units, offer DoD a relatively low cost and rapid way to develop a defense cloud computing infrastructure. The DoD could situate clusters of these modular data centers in physically secure areas. These may include military bases that have access to low cost and reliable power and wideband networks.
These modular data centers could be designed as a unit and purchased over time. In this way, standard best practices could be applied, such that one-third of the decentralized data center could be refreshed each year to ensure ongoing modernization. Such a design can also provide agility because computing infrastructure could be moved between geographic locations when needed.
Resilient cloud computing resources for deployed forces
A final issue of importance for the DoD is to provide resilient cloud computing resources at the warfighter edge (locations and times with scarce bandwidth). Deployed forces often execute their missions under degraded conditions and disadvantaged data links, and this limits a warfighter's access to the most current data. In these cases, thick clients with enhanced data storage and redundant data links could ensure limited access to data. When low-latency processing is needed, cloud computing data resources could be deployed in close proximity to the data streams.
The availability of secure, modular cloud computing resources could provide DoD with the capability to forward deploy data and computing resources to meet warfighter needs.
Summary of Key Findings and Recommendations
The Significance and Impact of Cloud Computing
Finding 1: Although cloud computing is an overloaded term, cloud computing providers are offering services that are fundamentally new and useful, typically delivering the:
• ability for massive scale-up of storage and computing
• rapid, agile, elasticity with the ability to increase and decrease storage and computing capacity on demand, when the community of tenants don't all require that capacity at the same time
• metered services where the user pays only for what is used
• self-service start-up and control
Finding 2: Modular data centers offer an approach to quickly set up cloud computing capacity, to add additional capability to existing cloud computing data centers, and to easily refresh or update existing capability. This concept is illustrated in Figure F1.
Finding 3: Cloud computing services can scale to data centers or warehouse-scale computing. Elastic, warehouse-scale cloud computing is fundamentally new and can provide DoD with important new capabilities.
Figure F1. Concept for a geographic distribution of DoD data centers
The Security of Cloud Computing
Finding 4: Cloud computing is not intrinsically more secure than other distributed computing approaches, but its scale and uniformity facilitate and enable the wholesale and consistent application of security practices. Secure aspects include large-scale monitoring and analysis of data to detect attacks, and automated and persistent provisioning and re-provisioning to foil intrusions. For these reasons, well-operated cloud computing facilities can exhibit better security hygiene than conventional data centers. However, the centralization of resources in a huge data center also encourages more determined attacks, especially on critical components broadly affecting security. This is similar to conventional systems where attacks are observed to focus on central directories.
Finding 5: The scale of cloud computing enables the analysis of packet and log data that provides new capabilities for event forensics and real-time detection of malicious behavior. The ability to manage very large, diverse datasets facilitates a data-centric security model in which users are authorized to work with data based upon their security credentials and the security markings on the data rather than the conventional enclave-centric security model in which users are provided access to an enclave and can access all the data in the enclave.
Finding 6: No cloud computing deployment model is uniformly suitable for hosting all DoD applications. In general, sensitive, classified, and time-critical DoD applications should be deployed only in private clouds or conventional non-cloud approaches.
Finding 7: The case for transitioning a DoD application to a cloud computing data center must include a security assessment detailing the impact of the transition. Whether security will be improved by transitioning an application to a cloud computing data center will depend on factors specific to the application, to the cloud computing data center, and to the transition process.
Finding 8: The DoD has not established effective plans for cloud computing facility backup or for dealing with any anticipated degradation of communications between the cloud computing facilities and the end user.
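The contrast drawn in Finding 5 between enclave-centric and data-centric authorization, as an added example that is not part of the original report. The levels, compartment tag, enclave names, user, and records are all constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Ordered sensitivity levels (constructed for this example)."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Record:
    record_id: str
    enclave: str                           # enclave where the record is stored
    level: Level                           # security marking: sensitivity level
    compartments: frozenset = frozenset()  # security marking: need-to-know tags


@dataclass(frozen=True)
class User:
    name: str
    clearance: Level
    compartments: frozenset = frozenset()
    enclaves: frozenset = frozenset()      # enclaves the user can log in to


def enclave_centric(user, record):
    """Conventional model: enclave access implies access to all data in it."""
    if record.enclave in user.enclaves:
        return True, "user has access to enclave " + record.enclave
    return False, "user has no access to enclave " + record.enclave


def data_centric(user, record):
    """Data-centric model: credentials are checked against each record's marking."""
    if user.clearance < record.level:
        return False, (f"clearance {user.clearance.name} "
                       f"below marking {record.level.name}")
    missing = record.compartments - user.compartments
    if missing:
        return False, "missing compartments: " + ", ".join(sorted(missing))
    return True, "credentials dominate marking"


def readable(user, records, policy):
    """IDs of the records the given policy lets the user read."""
    return sorted(r.record_id for r in records if policy(user, r)[0])


def compare(user, records):
    """Show where the two models disagree for one user."""
    enclave_ids = set(readable(user, records, enclave_centric))
    data_ids = set(readable(user, records, data_centric))
    return {
        # Granted by enclave membership, withheld by the data's marking.
        "over_exposed": sorted(enclave_ids - data_ids),
        # Permitted by the marking, blocked only by the enclave boundary.
        "newly_shareable": sorted(data_ids - enclave_ids),
    }


# Constructed sample data: three records in one enclave, one in another.
RECORDS = [
    Record("r1", "ops-net", Level.SECRET),
    Record("r2", "ops-net", Level.SECRET, frozenset({"ALPHA"})),
    Record("r3", "ops-net", Level.TOP_SECRET),
    Record("r4", "intel-net", Level.CONFIDENTIAL),
]
ANALYST = User("analyst", Level.SECRET, frozenset(), frozenset({"ops-net"}))

if __name__ == "__main__":
    for rec in RECORDS:
        print(rec.record_id,
              enclave_centric(ANALYST, rec),
              data_centric(ANALYST, rec))
    print(compare(ANALYST, RECORDS))
```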
The Costs Associated with Cloud Computing
Finding 9: Potential cost reductions or increases incurred during the transition to and sustainment of cloud computing infrastructure depend on the specifics of the implementation. Potential cost reduction factors include a higher utilization of servers, lower professional support staff needs, economies of scale for the physical facility, and the flexibility to locate data centers in areas with lower cost power.
Research and Development for Cloud Computing Technologies
Finding 10: The DoD has active research and development efforts in technology areas applicable to cloud computing performance and security. Sustained DoD investment in cloud computing security technology is critically important to allow DoD data centers to continue improving their defenses against evolving threats. Research and development in software stack protection, monitoring, and forensics of very large datasets, secure hypervisors, and advanced encryption offer significant possible security benefits.
Overarching Recommendations
Recommendation 1: For some sensitive, classified, and time-critical applications, the DoD should pursue private cloud computing, provided that strong security measures are in place.
In particular, cloud computing-based solutions should be considered for applications that require the agility, scale-out, and ability to integrate and analyze massive data that cloud computing can provide. Examples of such applications include: big data analysis and all-source intelligence integration; processing, exploitation, and dissemination of data gathered through intelligence, surveillance, and reconnaissance (ISR); large-scale modeling and simulation; open source data collection, storage, and assessment; and advanced decision support systems.
Recommendation 2: The DoD CIO in partnership with the military Services should deploy interconnected, modular cloud computing data centers located at secure locations, such as military bases.
The development of large, private community clouds in DoD will enable greater computing and storage elasticity and the improved ability to operate under degraded conditions. The DoD CIO should guide this development with an eye on both current and future DoD computing needs.
A DoD private community cloud may include in-house, in-sourced, or outsourced private clouds. Implemented through interconnected, modular cloud computer data centers, this can be operated as an integrated unit to improve the potential for reducing costs.
Because large data centers can also be attractive targets, geographically distributed modular data centers are recommended that are operated as a single, large-scale, distributed cloud. The design should include a distributed data center architecture that allows access by multiple Services and Agencies. Cost savings would be achieved through shared development, operations, and maintenance support.
These modular data centers could be located on military bases in order to provide good physical security. The location should also be influenced by the cost and availability of reliable electric power. It is anticipated this will be similar to the National Security Agency private cloud models. Shared cyber security event response and rapid forensics would be an enhanced capability.
By designing and acquiring these data centers as a system, the DoD can achieve the economies of scale typically associated with large data centers.
Recommendation 3: The DoD CIO and DISA should establish clear security mandates for DoD cloud computing.
Security mandates should be aimed at reducing the number of cloud compromises and mitigating those that occur. Some examples of potential mandates include:
• Hypervisors hosting DoD operating systems should have effective cryptographic sealing, attestation, and strong virtual machine isolation.
• Data at rest should be stored in encrypted form with keys protected using hardware attestation, such as a trusted platform module (TPM).
• Data in transit on communication lines should be encrypted with keys protected using hardware attestation, such as a TPM.
• Access to cloud computing systems should require multi-factor authentication.
Recommendation 4: The DoD CIO should establish a central repository to fully document cloud computing transition and sustainment costs and best practices for programs underway or completed.
Because the cost savings to be gained through cloud computing are case-dependent, a central repository documenting DoD cloud computing programs is needed. The goal of this repository is to improve the understanding of the following:
• system costs before the switch to cloud computing, costs during transition, and sustainment costs
• enhanced functionality attributable to cloud computing architectures
• best practices for cloud computing security
• issues surrounding service license agreements
• metrics for availability and reliability
This repository will enable leveraging the lessons learned from several DoD cloud computing initiatives underway, including:
• NSA development and use of private clouds
• DISA Rapid Access Computing Environment (RACE)
• Army Enterprise Email
Recommendations to Improve DoD's Implementation of Cloud Computing
Recommendation 5: The DoD USD AT&L and the DoD CIO should establish a lean, rapid acquisition approach for information technology infrastructure, including cloud computing hardware and software.
Acquisition guidelines for all information technology (not only cloud computing hardware and software) should strive to create a lean, capabilities-based approach with strong, clear security mandates. Rapid certification and accreditation (C&A) and other characteristics to streamline acquisition of cloud computing hardware and software should be developed and implemented quickly.
Recommendation 6: The DoD CIO and DISA should establish standard service level agreements for private and public cloud computing.
Key attributes that should be included in service level agreements include availability, authentication and authorization approaches, data processing and storage locations, software and data backup approaches, cyber attack event notification, required staff clearances and background checks, software and data disposition, risk disclosure requirements, and contingency plan. Transparency in all of these aspects for DoD service providers will help set standards for secure cloud computing across the economy.
Recommendation 7: The DoD CIO and DISA should participate in the public development of national and global standards and best practices for cloud computing.
A key outcome of this activity will be to inform the private sector and open source developers about the agility and auditability requirements for DoD cloud computing.
Recommendations to Improve Cloud Computing for Degraded Operations
Recommendation 8: The DoD and the intelligence community leadership should develop a unified approach for training and exercising with degraded information infrastructure, including cloud computing hardware and software.
Degraded operations in a realistic operational exercise must be implemented organically, i.e., beyond simply holding up a white card to introduce a cyber event to an exercise. Advanced cyber security threats should be exercised, including a gradual ramp-up of threat and loss of disadvantaged communication and data links as well as primary capabilities. Enhanced red and blue teaming should be established along with operational exercises incorporating degraded cloud computing infrastructure. Participants should demonstrate a rapid forensics response and effective backup plans.
Recommendation 9: The Joint Chiefs of Staff and Combatant Commands should establish effective backup plans for operations with degraded information infrastructure, including cloud computing hardware and software.
Candidate plan attributes include implementing thicker clients and forward caching of data as well as backup data networks, processors, and storage. Each organization should also develop operational contingencies for degraded networks. Potential strategies also include using local network connectivity for forward clients and narrowband, analog communication links for situational awareness and warning.
Recommendations for Investment
Recommendation 10: The DoD should continue investing significantly in information security research and development, including research and development for secure cloud computing technology.
To best leverage state-of-the-art cloud computing technologies for DoD, significant investment should continue for technology research and development activities in areas such as: efficient operations of cloud computing data centers; cloud security; secure, lean hypervisors; micro-virtualization; advanced TPMs; homomorphic computing; and cloud situational awareness software.
1. Scope of the Report
1.1 Terms of Reference
Over the past several years, cloud computing has had a major impact on commercial
information processing. This report examines the suitability of cloud computing for DoD
infrastructure, support applications, and mission applications.
The terms of reference for this study identified the following topics for investigation:
• Characterize the operational properties of clouds and the quality of service that can
be delivered to connected users.
• Consider alternative designs and implementations of these technologies and
evaluate their use for varied military and intelligence applications.
• Evaluate the vulnerability of a cloud infrastructure to various attacks, compared to
alternative infrastructures.
• Determine how to avoid the danger of concentrating data and computation.
• Review and project the consequence of current trends in digital technology on cloud
deployments.
• Comment on customer practices and modes of interaction with the cloud that may
aid in increasing security.
• Make recommendations on what aspects of these technologies should be considered
to increase reliability and to assure security as the military and intelligence
communities evolve their digital infrastructure.
• Identify research opportunities and estimate the level of investment to achieve
results consistent with DoD needs.
The full terms of reference can be found on page 68 of this report.
1.2 Task Force Approach
As shown in Figure 1, the task force investigated in detail cloud computing
definitions, attributes, and service management models, as well as dimensions for
implementation. Proposed motivations that were assessed for transitioning to cloud
computing architectures included potential DoD mission capability enhancement,
security improvements, and cost reductions.
The task force then developed examples for areas where cloud computing would
benefit DoD missions. This resulted in a set of findings and recommendations for
improving the DoD's ability to use cloud computing architectures effectively, with cost
reductions and sufficient levels of security.
In a final phase, the task force discussed in several meetings how the DoD could
improve the implementation of cloud computing systems for DoD missions and
applications.
1.3 Organization of the Report
An overview of cloud computing is presented in Chapter 2. This chapter also defines
terms and concepts used throughout the report. The National Institute of Standards and
Technology (NIST) provided a consensus definition of cloud computing that was a
useful starting point for discussions; however, the task force found places where a
broader definition was also useful.
In Chapter 2, a variety of different service models and deployment models for cloud
computing are described. The task force found it helpful to view a cloud computing
facility as a warehouse-scale computing facility that supports computing applications
and services for remote users connected using a network.
Some well-known examples of commercial cloud service providers include Google,
Amazon, Yahoo!, and Microsoft, but these services can also be provided by defense
agencies or defense-only contractors. Confusion regarding DoD use of cloud computing
has arisen, in part, because of unstated assumptions on who provides the service.
Chapter 3 looks in some detail at cloud computing architectures and how cloud
computing is implemented. A commercial cloud computing facility can contain hundreds
of thousands of servers, with applications and services scaled to employing this
capacity. Computing at this scale is a fundamentally new capability.
Figure 1. The task force approach
One way that commercial cloud computing facilities achieve efficiencies is through
virtualization. With virtualization, operating systems and applications operate on
independent virtual machines that share physical processors. By implementing many
virtual machines entirely in software on a large physical machine, the arrangement
more efficiently utilizes physical resources while providing computational isolation.
Because virtual machines can be migrated between computers located in different
geographically distributed data centers, the system experiences improved fault
tolerance and load balancing.
Chapter 4 looks at some of the benefits to DoD's mission that could be enabled by
cloud computing. The mobility of computing infrastructure has important implications
for DoD. The ability to move collections of virtual machines and the virtual networks
that connect them will be critical for future DoD applications and missions.
Today, commercial cloud computing facilities offer an ability to self-provision
computing infrastructure on demand and as needed, paying just for what the customer
uses. This agility is extremely useful for settings where there are widely varying or
unpredictable computing needs. The task force also observed that the wide availability
of cloud computing leads to the reasonable assumption that adversaries of the United
States may use cloud computing for both defensive and offensive missions.
Chapter 5 discusses security of cloud computing, which has been questioned in a
number of strategies and studies.[1,2,3,4] The task force found this to be a complex subject
where evolving objectives make analysis particularly difficult. The task force observed
several subtleties that affect this analysis. These are highlighted here, and discussed in
detail in Chapter 5.
The responsibility for security in most cases is shared between a cloud service
provider and a cloud service client. Different cloud computing service and deployment
models split this responsibility differently, with many models requiring that two or
more parties be involved in managing the computing infrastructure and security
measures. Such sharing can be a problem when the provider and client are different
organizations without unrestricted two-way communication.
Security cannot be discussed independently of a defined threat. Protecting against
high-level threats is extremely difficult; the safest course is to assume that any computing
infrastructure might be compromised, to develop mechanisms that operate in the
presence of such compromise, and to design in a way that will mitigate the impact of
compromises. Cloud computing differs little from conventional computing infrastructures
in this regard.
1. L. Leong and N. MacDonald, Mitigating Risks in Cloud Infrastructure as a Service (Gartner Research G00235858, July 11, 2012). Available at time of press at http://goo.gl/oIeq5
2. United States Department of Defense, Cloud Computing Strategy (DoD Chief Information Officer, July 2012). Available at time of press at http://goo.gl/MfFQg
3. IBM, X-Force 2011 Trend and Risk Report, IBM Security Collaboration (March 2012). Available at time of press at http://goo.gl/MW0qH
4. V. Winkler, Securing the Cloud: Cloud Computer Security Techniques and Tactics (April 2011). Available at time of press at http://goo.gl/AVEIO
The scale of cloud computing is vastly different from conventional computing systems.
Such scale requires automation for provisioning and management of the computing
infrastructure with humans out of the loop. For this reason, the security hygiene of cloud
computing systems tends to be better than computing systems of comparable size. Thus,
cloud computing can offer equivalent or better protection against low-level threats that
tend to exploit vulnerabilities caused by poor system hygiene.
Chapter 6 considers issues and circumstances in which cloud computing can be
expected to lower the costs of computing infrastructure. By leveraging scale,
commercial cloud computing suppliers can offer computing services and applications at
lower cost than a company or organization can often achieve internally.
For example, because of the scale and the automation of provisioning and
management of computing infrastructure, commercial cloud computing data centers
generally require far fewer systems administrators. As an example, conventional
enterprise computing might require one system administrator per tens or hundreds of
servers, while a commercial cloud service provider might only require one system
administrator per thousands of servers.
These advantages must be considered against the higher costs that defense systems
may incur. These may include DoD acquisition process requirements or specific
certification and accreditation processes.
Chapter 7 suggests areas for research and development of technology that could be
important to the DoD's use of cloud computing. An emphasis is placed on research that
improves the security and capabilities of cloud computing systems. Payoffs for some
investments will be seen in a few years; other problems, however, will be solved only
with longer-term sustained research support.
Finally, Chapter 8 presents the study recommendations that flow from the
assessments and findings in the first seven chapters. The chapter includes proposed
DoD leads to take responsibility for the recommendations, and some additional detail is
provided to clarify the intent of the recommendations.
2. Overview of Cloud Computing
The phrase "cloud computing" has evolved to have different meanings for different
people. Rather than defining it, this chapter describes some historical background,
various types of cloud computing platforms, and different characteristics of cloud
computing architectures. The task force believes that, over time, cloud computing
models will evolve, and this evolution may not be reflected in today's descriptions. In
this report, standard definitions are used where they suffice and are expanded where
necessary.
2.1 The Latest Step in an Evolutionary Process
Cloud computing can be viewed as the natural evolution of a variety of computing
technologies, including virtualization, client-server architecture, the World Wide Web,
and networking. The evolution of some computing platform precursors to cloud
computing is shown in Figure 2.
As early as the 1960s, mainframe computers were shared among multiple users
across an enterprise, while logically isolating their processing and data from each other.
In the 1980s, standardized packet network protocols were developed and widely
deployed, along with client-server architectures to utilize them. The ability to connect
users to computing and data resources via standardized networks is a key enabler of
cloud computing.
Figure 2. Historical precedents for cloud computing
The development of the World Wide Web in the 1990s, with its standard markup
language, transfer protocol, and graphical browsers, made client-server computing
ubiquitous. Business began to provide servers to deliver content and services at a truly
global scale.
Seen in this historical context, the development of cloud computing is the next
logical step in the evolution of computation. It has been enabled by the availability of
broadband networks and inexpensive end-user devices, as well as commodity
computing nodes that can be simply interconnected and controlled, and virtualization to
provide the appearance of isolating processes that share computers.
2.2 What is Cloud Computing?
One well-known definition of cloud computing was provided by NIST.[5] It begins:
"Cloud computing is a model for enabling ubiquitous, convenient, on-demand
network access to a shared pool of configurable computing resources (i.e., networks,
servers, storage, applications, and services) that can be rapidly provisioned and
released with minimal management effort or service provider interaction."
The definition goes on to identify five essential characteristics of cloud computing.
These are as follows:
• On-demand self-service. A consumer can unilaterally provision computing
capabilities, such as server time and network storage, as needed automatically
without requiring human interaction with each service provider.
• Broad network access. The cloud's capabilities are available over the network
from a wide variety of edge devices, including workstations, laptops, tablets, and
mobile phones.
• Resource pooling. The cloud computing provider's resources are pooled to serve
multiple consumers using a multi-tenant model, with different physical and virtual
resources dynamically assigned and reassigned according to consumer demand. The
customer (or tenant) generally has no control or knowledge about the exact location
of allocated resources, but may be able to specify location at a higher level of
abstraction (e.g., country, state, or data center). Examples of resources include storage,
processing, memory, and network bandwidth.
• Rapid elasticity. Cloud computing capabilities allocated to the customer can be
elastically provisioned and released as required by demand, in some cases
automatically. To the customer, the cloud capabilities available often appear to be
unlimited and can be appropriated in any quantity at any time.
• Measured service. Cloud computing systems automatically control and optimize
resource use by leveraging a metering capability appropriate to the type of service
(e.g., storage, processing, bandwidth, and active user accounts), typically on a
pay-per-use basis. Resource usage can be monitored, controlled, and reported, providing
transparency for both the provider and consumer of the utilized service.
5. P. Mell and T. Grance, The NIST Definition of Cloud Computing (September 2011). Available at
time of press at http://goo.gl/eBGBk
Two aspects of cloud computing are of particular significance. The scale of processing
and storage that becomes available through cloud computing is unprecedented, with up to
hundreds of thousands of computers acting in concert. It is this large scale, sometimes
called warehouse-scale or internet-scale computing, that enables the design of reliable
computing services using less-than-reliable commodity computers. Solving this challenge
has provided new capabilities.
Also new is the ease of use of cloud computing services. Many cloud computing
service providers allow a user to configure a new computing infrastructure through a
simple web form with instantaneous payment by credit card. The ability to remotely
request hundreds of servers for a few hours and to have them available a few minutes
later is another new capability. This capability has transformed the work of many
scientists and engineers, as well as their information technology support personnel.
2.2.1 Data, utility, and other cloud computing services
Different types of cloud computing are provided from large, remotely located,
interconnected data centers; hence, the common use of "cloud computing" to describe
different uses. Cloud computing services are primarily categorized as utility or
data-intensive, and also include storage, high-performance computing, and other specialized
functions.
Utility computing is a label for cloud service providers that make computing
resources available to consumers, much as electric companies and other utilities
provide services to consumers. With an electric power utility, a homeowner can, within
limits, request electricity simply by flipping a switch on a device, receive that power
instantly from a distant generating facility, share the generating facility with thousands
of other customers, use more or less power as needed, and pay only for the power
actually used.
Utility computing customers include, for example, a retailer who chooses to purchase
cloud services to host an internet-facing e-commerce web site. In this way, the retailer
gains increased capacity and geographic presence over what could be obtained if the
retailer had to buy, operate, maintain, and upgrade their own dedicated computing
resources. Another example of a utility computing customer is the New York Times,
which in 2008 processed more than a hundred years of digitized archived
images, articles, and metadata in order to produce more web-friendly images and more
accessible JavaScript data files. By using Amazon Web Services, the Times completed this
enormous task in less than 36 hours.[6] In these examples, cloud computing service
providers enabled customers to perform compute-intensive processes as needed without
a large investment in infrastructure.
Utility computing enables a cloud service provider to exploit economies of scale and
uncorrelated customer demands to share computing capability among a collection of
customers, at an attractive price. Individual consumers perceive that they are accessing
an infinite resource on demand. They also perceive that their computing tasks are
operating in isolation from those of other consumers.
Data-intensive cloud computing is a type of parallel processing applied to very large
datasets. An example of data-intensive computing is the process by which search
engines index the data available on the World Wide Web. The underlying computational
steps required to index data are simple (sorting, counting, merging, and so on), but the
amount of data to be processed is so large that it requires specially adapted software for
data ingestion, analysis, database operations, and file system storage.
Data centers will generally be designed and optimized for different requirements.
Utility computing design focuses on sharing resources, lowering the cost of computing to
the customer, and providing computing capacity on demand. The utility computing
customer trades capital costs for operating costs. Data-intensive computing focuses on
performing rapid analysis of large datasets, and vast amounts of computing resources
may be dedicated to a single user or task. A data-intensive architecture will be optimized
for large-scale parallelization.
2.2.2 Cloud computing software stack and virtualization
Today, cloud computing infrastructure usually consists of a large number of
interconnected, inexpensive, commodity processors. The software running on each
processor is modular and layered. Figure 3 shows a typical layered stack of software
running on a single cloud computing node, with descriptions of each layer in the stack.
The hypervisor provides virtualization by providing an interface to the virtual
machines (VMs) that gives each of them the illusion that they have complete, exclusive
access to the underlying hardware resources. The ability to run multiple, isolated virtual
machines on a single hardware node is fundamental to cloud computing because it
enables resource pooling and rapid elasticity. Multiple users can use the same physical
node without interfering with each other, and nodes can be rapidly assigned and
reassigned as users' computing demands ebb and flow.
6. D. Gottfrid, The New York Times Archives + Amazon Web Services = TimesMachine, New York
Times (May 21, 2008). Available at time of press at http://goo.gl/G7uvG
Although virtualization is one of many enablers of cloud computing, cloud
computing is more than just virtualization, and there are applications of virtualization
that are not instances of cloud computing. For example, a departmental data center may
use virtualization to allow a single hardware server to run multiple VMs, with each VM
configured to run only one specific service. Such implementations may offer limited
resource pooling and no elasticity; the virtualization is used in this case merely as a
convenient mechanism for ensuring adequate isolation between services that is more
cost-effective than assigning one hardware server per service.
The various cloud software service models assign responsibility for managing the
software stack differently. Figure 4 shows that the cloud service provider provides the
underlying hardware and the hypervisor in all service models, and that the upper layers
of the stack can be provided and managed either by the service provider or by the cloud
computing customer.
Figure 3. The main components of a cloud computing software stack
2.2.3 Cloud computing service models
Different types of service are available to cloud computing customers, depending on
how much control a customer requires. The NIST definition of cloud computing
describes three service models (as reflected in Figure 4):
• Software as a Service (SaaS). With SaaS, customers use software applications that
are developed, managed, and operated by a provider. The applications are accessible
from various client devices through either a thin client interface, such as a web
browser (i.e., web-based email), or a specifically developed programmatic interface.
The customer does not manage or control the underlying cloud infrastructure,
including network elements, servers, operating systems, storage, or even individual
application capabilities, with the possible exception of limited user-specific
application configuration settings.
• Platform as a Service (PaaS). With PaaS, customers create their applications using
standardized programming languages, libraries, services, and tools supported by the
provider. The customer does not manage or control the underlying cloud
infrastructure (including networks, servers, operating systems, or storage) that
executes the applications, but the customer has control over the deployed applications
and possibly over configuration settings for the application hosting environment.
• Infrastructure as a Service (IaaS). With IaaS, the customer provisions processing,
storage, networks, and other low-level computing resources. Also with IaaS, the
customer can deploy and run arbitrary software, which can include operating
systems and applications. The customer has some control over operating systems,
storage, and deployed applications; and possibly limited control of select
networking components (i.e., host firewalls or software-defined networks).
Figure 4. A cloud computing software stack: responsibility as a function of service model
In SaaS, customers have limited ability to make configuration changes, but cannot
modify the application, such as a web-based email system. In PaaS, the consumer is able to
build and upload his own software applications for running on the provider's computing
resources, but is constrained to use the tools supported by the cloud provider. This gives
the PaaS consumer more flexibility than SaaS without all the complexity of managing
lower-level components (i.e., the operating system). In IaaS, consumers have maximum
control over the software running on the provider's hardware, with responsibility for
many of the attendant management and security challenges.
These NIST-defined service models span a single dimension: the level of software
control ceded by the provider to the consumer. Another important dimension is how the
computing provided by the cloud is used, which leads to phrases like "data as a service"
for cloud storage of data, and "security as a service" for security services provided via
cloud computing, such as host-based antivirus and firewall software.
2.3 Managing Cloud Computing
The NIST definition lists four deployment models for sharing cloud resources:
• Private cloud. Provisioned for exclusive use by a single organization, the cloud
infrastructure might be owned, managed, and operated by the organization, a third
party, or some combination of them, and it may exist on or off premises.
• Community cloud. Provisioned for exclusive use by a specific community of
consumers from organizations that have shared concerns (i.e., mission, security
requirements, policy, and/or compliance considerations), the cloud infrastructure
can be owned, managed, and operated by one or more of the organizations in the
community, a third party, or some combination of them, and it might exist on or off
premises of one of the organizations.
• Public cloud. Provisioned for use by the general public, the cloud infrastructure
might be owned, managed, and operated by a business, academic, or government
organization, or some combination of them. It exists on the premises of the cloud
provider.
• Hybrid cloud. The cloud infrastructure is a composition of two or more distinct
cloud infrastructures (private, community, or public) that remain unique entities,
but are bound together by standardized or proprietary technology that enables data
and application portability (i.e., cloud bursting for load balancing between clouds).
Consumers of services with the least tolerance for sharing resources and
relinquishing control usually choose a private cloud deployment, while those with more
tolerance will choose a community, hybrid, or public cloud.
2.3.1 Cloud management models
NIST defines the four deployment models, but users of cloud computing services
face many more choices as they decide who will own, manage, operate, and support the
site of the cloud computing infrastructure, who will own, manage, operate, and support
the hardware, who will own, manage, operate, and support the various layers of
software, and so on. For all cloud computing users, these configuration options must be
weighed against economics, security, and other factors. This balance is evolving.
Figure 5 lays out a range of possibilities for management and operating cloud
computing infrastructure. The far left of the table suggests that very sensitive applications
are not suitable for deployment in cloud computing architectures. Such applications
include nuclear weapon security systems, some command and control systems, and
weapon system fire control.
Other sensitive applications are best reserved for in-house private cloud computing.
For the in-house private approach, the DoD would host the cloud computing
infrastructure, control the hardware and software implementation, and use
DoD-employed staff support.
For the insourced private model, the DoD hosts the cloud computing infrastructure.
The hardware and software stack and staff support might be provided by an external
contractor. For the outsourced private model, an external cloud service provider would
host hardware to be used exclusively by the DoD. The control of the hardware and
software stack and staff support might be provided by both the DoD and an external
contractor. Some less sensitive applications may be appropriate for these approaches.
Figure 5. Cloud computing management models
For the public cloud computing model, an external cloud service provider employs
hardware at its site. The hardware may not be used exclusively by the DoD, and the cloud
service provider controls the software stack and employs the staff support. For some
applications, where data or processing has been publicly released and required latency
and system availability are consistent with public cloud service providers, public cloud
computing could be acceptable for the DoD.
The following cloud data center management models are described in more detail:
• In-house private design. DoD privately operates the data center with high physical
security. The DoD directly controls the hardware and software configuration, and
the IT operational support staff is employed by the DoD. The cloud data center may
have as its tenants a single mission or multiple missions.
• Insourced private design. DoD privately operates this data center with high
physical security. DoD either directly or through contractors assembles the
infrastructure, with the goal of maximizing the use of well-vetted infrastructure
components. However, DoD (or its contractors) might themselves build some
infrastructure or application components when assurance needs dictate. The
cloud data center might have as its tenants a single mission or multiple, shared
missions.
• Outsourced private design. A DoD contractor operates the data center. All DoD
applications are run in a DoD enclave, physically segregated from non-DoD tenants
in the cloud data center. Data center personnel with access to the DoD enclave are
U.S. citizens, meeting specified personnel security requirements. All security-critical
components in the cloud data center are subject to DoD review. These components
are likely to include those concerned with data integrity, software integrity, key
management, and key storage. DoD has access to incident and forensic information
concerning all cloud tenants. Individual tenants are responsible for building or
integrating applications, but those applications are subject to the data center's
security requirements for operation and audit.
• Public, with user provenance design. A commercial contractor operates the data
center. It provides services under commercially available terms. Security-critical
components in the cloud data center are subject to DoD review, including components
that affect data security, data integrity, software integrity, key management, and
storage. DoD has access to incident and forensic information concerning all cloud
tenants. Individual tenants are responsible for building and integrating applications,
and those applications are subject to commercially established security requirements
for operation and audit.
2.3.2 Cloud computing service providers and proprietary networks
Services offered by cloud computing providers may be connected to proprietary
networks to provide services that users require. These services might be deployed
according to any of the various deployment and management models described above.
A salient example is the Global Information Grid (GIG). The GIG is the DoD's
globally interconnected end-to-end set of information capabilities, associated
processes, and personnel for collecting, processing, storing, disseminating, and
managing information on demand. Users include warfighters, policy makers, and
support personnel. The GIG includes DoD-owned and leased communications,
computing systems and services, software applications, data, security services, and
other associated systems.
Figure 6 is a simplified diagram that shows a notional relationship of cloud
computing to some traditional functional components of the GIG. As shown here, cloud
computing brings a new capability to the GIG, but it does not replace the GIG.
Figure 6. Cloud computing hardware and software as components of the GIG
3. Cloud Computing Architecture and Implementation
Cloud computing architectures have developed to support the key benefits of cloud
computing: elasticity, economy of operation, massive scaling of computing resources to
solve critical problems, and real-time responsiveness.
3.1 The Building Blocks of Cloud Computing
Technology in several key areas has driven cloud computing architecture
development and made cloud computing possible. A few critical developments are
described here:
• Commoditization of microelectronics. Digital devices have become cheaper and
more capable over time and, as a result, are now widely available and deployed in a
broad set of contexts. Computing devices that cost millions of dollars in the 1960s
have equally powerful descendants costing hundreds or even tens of dollars. The
explosion of the personal computing market from 1975 through 2005 represents
one outcome of this revolution in capacity and cost.
• Networking. Fast, cheap, ubiquitous networking between previously unrelated
parties is critical for the success of cloud computing. The Internet fulfills this role by
imposing interoperability requirements on its end hosts. These interoperability
requirements, in turn, have led to standards for protocols and services that have
facilitated the emergence of a low-cost and widespread network infrastructure.
• Virtualization. A hypervisor provides an interface to implement VMs, giving each
VM the appearance of exclusive access to a physical processor. The ability to run
multiple, isolated virtual machines on a single hardware processor is fundamental
to cloud because it enables multiple users to use the same physical node without
interference, and it enables nodes to be rapidly assigned and reassigned as user
computing demands ebb and flow. Virtualization facilitates the resource pooling and
rapid elasticity that characterize cloud computing.
• Commodity hardware. Software is increasingly targeted at commodity computer
hardware. A noteworthy outcome of this trend shaped high-performance computing
(HPC), where performance equal to or better than custom processor designs (i.e.,
supercomputers such as Cray machines) has been achieved at much lower cost by
using clusters built from commodity processors and high-speed interconnects.
These clusters are the forerunner of today's cloud computing data centers.
• Open source software. Unix was among the first operating systems with widely
available source code. This availability fostered broad community participation in
the development of operating systems, applications, and tools that can be used as is,
or can be adapted by any developer. Open source systems have, in many cases,
outstripped expensive commercial software in function and quality, and many cloud
computing systems, development tools, infrastructure, and applications are built
from open source components. Cloud providers routinely contribute labor and
computing capacity to these open source development efforts and the cloud
community has several complete open source frameworks.
3.2 The Scale of Cloud Computing
Combining the technology developments listed above would be a positive step but
would yield only incremental improvements in cost and capacity. The signature
characteristic of cloud computing is scale. Scale is the differentiator that brought a giant
leap in computational and storage capacity in recent years. Search engines and other
massive data applications were initial drivers for the evolution of cloud computing
architectures, as exemplified by Google's mission "to organize the world's information
and make it universally accessible and useful."[7] Today, cloud computing infrastructures
support the large-scale storage and processing of many different types of data.
The scale of a modern cloud computing data center is sometimes difficult to
comprehend. They are designed to support hundreds of thousands of central processing
units, many petabytes of data on shared disk drives, and nearly a petabyte of dynamic
storage of memory.
Thus, as is shown in Figure 7, cloud computing data centers are very large physical
plants, sometimes with acres of computers. Even a small facility might consume several
megawatts of electricity for cooling and powering the electronics, and some of the larger
data centers today consume much more. A communications infrastructure is likely to
support tens to hundreds of gigabytes per second of network ingress and egress;
storage requirements dictate many thousands of disks.
3.2.1 Benefits and challenges of scale
One of the most attractive new capabilities of cloud computing is elasticity: the
ability to rapidly and dramatically increase the computing resources assigned to solve a
problem. Elasticity is achieved mainly by designing resilient infrastructure and
applications and by deploying uniform hardware and standardized operations so that
tasks can be redistributed and relocated within the computing substrate.
7. About Google. Available at time of press at http://www.google.com/about/company/
The ability to scale seamlessly can also enable rapid processing and analysis of
very large datasets through using highly parallel operations. This is an important
capability for DoD.
Using scale to achieve reliability as well as performance leads to profound changes in
application design and application management. Many cloud computing applications are
long-running and have thousands of software components that cooperatively and
continuously execute across multiple data centers. In a typical cloud computing data
center, even with high-quality parts, hundreds of disks and electronic components fail
every day. Homogeneity of hardware, infrastructure, service, deployment, and operation
of applications is crucial for achieving the efficiencies of a cloud.
Assembling a large facility at an enormous capital expense dictates that different
parties with different goals and objectives must be able to use the facility efficiently and
securely, despite none having physical access to the facility. This style of sharing could
be accomplished through strict physical isolation between tenants, or through strong
but flexible access controls to support collaborative access to shared data.
Another potential benefit of scale is cost savings. Applications that may experience
the most cost benefit from cloud computing architectures are those used in the same
way by large numbers of people, such as email. Many, if not most, DoD applications,
however, are not standardized.
Figure 7. Cloud computing data center characteristics and examples
Designing more specialized applications to operate efficiently in a cloud computing
environment can require large upfront development costs. Even slight customizations,
such as the ability to find and erase any unintentionally transmitted classified material,
could quickly and dramatically reduce potential savings of using an existing email
application. However, even addressing all of the technical challenges, large cloud data
centers have been shown to achieve a factor of ten cost savings over smaller installations.
Cost savings are discussed in more detail in Chapter 6.
3.3 Specific Cloud Characteristics Affecting Architecture and Implementation
Each of the following characteristics informs cloud architecture design tradeoffs
that materially affect performance and security. These tradeoffs will be explored further
in the discussion on security in Chapter 5.
3.3.1 Automatic provisioning and infrastructure management
Commercial cloud computing data centers have developed an operational model
that requires few visits by human operators to individual computers or nodes. Many
operations can be automated and the physical configuration for all the machines in a
data center is generally homogeneous. No application can rely on special setup of a
particular machine or continuity of execution on the same computer. Some installations
simply disable nodes as individual components fail, but many providers have excellent
diagnostic software that can help to forecast and avoid hardware failures proactively.
Applications must be packaged to support automated data center operations.
Typically this involves expressly specifying provisioning requirements (what resources
are required to run the application) and designing software to tolerate the full range of
resource assignment within the scope of the specified requirements. Data center
personnel generally do not know application behavioral patterns; hence the operations
staff cannot detect or fix anomalous behaviors except when problems are expressly
registered with data center operations software. When such a report is made, a
pre-specified automatic procedure is performed without human intervention.
3.3.2 Application development and scale out
Existing application software sometimes does not perform efficiently when it is
simply deployed on a cloud computing system. Well-architected cloud computing
applications must detect failures, incorporate failover alternatives, and provide
sufficiently robust diagnostic support to allow remote analysis and debugging of
problems as well as implementing automated contingency planning and
reconfiguration. Conventional computing, conversely, generally deals with component
failure using lower-level mechanisms, such as redundant hardware, mirrored storage,
and automatic failover. These are more costly and more time consuming.
Many cloud applications are accessed through Internet browsers, which can be
challenging to secure. For these applications, there is a performance premium on reducing
data exchanged between the browser front end and the cloud-deployed back end.
Network round trips must also be reduced, and if disconnected operation is required,
provisions may be designed to cache data at clients.
When applications deployed in cloud computing share data and infrastructure, they
must use standard protocols, which can limit flexibility and can make application
development, debugging, and testing expensive. As a result, the expense of customizing
some legacy applications for cloud deployment can be substantial.
Redesigning a legacy application so that it benefits from scaling can sometimes
require significant effort. An application developer must carefully consider shared
volatile state management and full system effects such as latency, network and storage
failures, and correlated hardware failures.
3.3.3 Application centralization
Because cloud data centers involve replication of hardware, systems software, and
application software elements, care must be exercised to avoid the risks that
monocultures bring. Fortunately, the uniformity also means that changes and security
updates can be installed very quickly. Moreover, one impediment to installing
updates (backward compatibility) is less of a problem in cloud computing because
data can be migrated at the same time as the software update is deployed.
Because cloud-based applications typically are partitioned between a client front
end and a cloud back-end server, security issues arise that do not occur when client and
server are deployed within the same enclave. In particular, in cloud deployments, strong
client and server authentication must be used.
3.3.4 Data collection and centralization
Cloud computing is a natural repository for large and complex datasets that cannot
be easily managed or accessed using traditional database management tools. Indeed,
cloud computing services, such as Facebook, Google, and Amazon, rely on such
centralized data repositories. Central repositories are attractive attack targets both by
insiders and outsiders. For this reason, special attention must be paid to data
provenance for damage control, forensics, accountability, and data quality control.
3.3.5 Clients
Almost all cloud computing services are accessed through a client, an application
or system that accesses a service made available remotely. Client design is thus an
integral part of any cloud application. Many reported cloud security failures have been
attributed to bad or compromised client machines.
3.4 Architecture of a Modern Cloud Data Center
When building a cloud data center, a prospective designer must specify the machine
and cluster configurations, storage architecture, network connectivity and management,
and physical infrastructure, such as power and cooling. Often data centers are built near
hydroelectric facilities to exploit the cheap power and near major fiber links to facilitate
high-bandwidth remote access to the cloud. Site characteristics conducive to cooling, as
well as access to a trained support staff, are important. The expected frequency of
natural disasters (i.e., earthquakes, floods, or hurricanes) and proximity to
transportation are also key factors in site selection. In addition, the buildings and
campus themselves must be built to ensure physical security.
Designing data center software to manage and monitor machines and the network, as
well as providing software for common tasks, is just as critical as physical construction
details and hardware procurement choices. In fact, how DoD obtains, develops, maintains,
and evaluates software will have a big impact on cloud security, economy, and
performance. Key software elements include:
• storage systems software, including access control
• network management software
• software to help detect and correct malfunctions or malicious activity
• resource allocation software to assign tasks to hardware elements
• system software to isolate tenants, be they clients or clouds, so that a malicious
  tenant cannot affect any other tenant
• plant software to manage power and cooling in the data center
• software for load balancing within and between data centers
A notional design of such a data center is depicted in Figure 8. This data center uses
virtualization technology, which is common in data centers, but is not required. Key
elements in Figure 8 are:
• Network head node: These components provide external data center network
  access.
• Network forensics analytics: These components monitor network behavior to
  detect attacks and failures.
• Data center network: This is a high-performance network connecting all machines
  within a data center.
• Portal: This component registers new data center users, obtaining billing and
  authentication information. Tenants access the portal to transfer software and data
  to the cloud, negotiate resource assignments (e.g., how many machines are needed,
  when, how much storage capacity, networking characteristics, and special
  requirements).
• Storage: A high-speed, fault-tolerant storage system for the data center.
• Infrastructure Controller: This component allows data center operators to assign
  physical resources, monitor hardware and software health and operations, and
  detect and remedy attacks and failures as they arise. All data center software is
  deployed and managed through the infrastructure controller.
• Node instances: These machines run the applications for tenants. Tens or
  hundreds of thousands of nodes are in a typical cloud data center. Each node has a
  hypervisor to manage machine resources and to isolate and protect user software
  from other software sharing the node. A management partition obtains,
  configures, and starts user software on the machine, and monitoring software
  monitors node health and operations.
Figure 8. Example of a cloud computing data center architecture
Each of these elements represents design choices that affect cost and performance. For
example, the network might allow one cluster within a data center to become partitioned
from another but will not allow a partition within a cluster. Management software, in
conjunction with user-supplied information, would then be knowledgeable about this
clustering and allocate to each application only those elements located within the same
cluster. Similarly, a data center may provide some heterogeneous computing elements:
powerful processors that can perform computations such as fast Fourier transforms
much more quickly than normal computing units. This heterogeneity will also be visible to
the management software so that appropriate resource allocations will be made.
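The cluster-aware allocation described above, sketched as an added example that is not part of the report. The names Node, Request and place, the sample inventory, and the rule that sensitive workloads only land on hypervisor-equipped nodes (drawn from the discussion in Section 3.4.2) are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Node:
    name: str
    cluster: str                  # network guarantees no partition inside a cluster
    kind: str = "general"         # "general" or "accelerator" (heterogeneous element)
    hypervisor: bool = True       # can isolate tenant software on this node
    tenant: Optional[str] = None  # None while the node is unassigned


@dataclass
class Request:
    tenant: str
    count: int                    # provisioning requirement: number of nodes
    kind: str = "general"
    sensitive: bool = False       # assumption: sensitive work needs a hypervisor


def place(nodes, req):
    """Assign req.count free nodes from ONE cluster; return their names or None."""
    clusters = {}
    for n in nodes:
        clusters.setdefault(n.cluster, []).append(n)
    best = None
    for _, members in sorted(clusters.items()):
        usable = [n for n in members
                  if n.tenant is None and n.kind == req.kind
                  and (n.hypervisor or not req.sensitive)]
        spare = len(usable) - req.count
        # Best fit: choose the cluster left with the fewest spare nodes.
        if spare >= 0 and (best is None or spare < best[0]):
            best = (spare, usable[:req.count])
    if best is None:
        return None  # refuse rather than span clusters that may partition
    for n in best[1]:
        n.tenant = req.tenant
    return [n.name for n in best[1]]


def demo_inventory():
    """Constructed sample inventory: two clusters, mixed node types."""
    return [
        Node("a1", "A"), Node("a2", "A"), Node("a3", "A"),
        Node("a4", "A", kind="accelerator"),
        Node("b1", "B", hypervisor=False), Node("b2", "B"),
        Node("b3", "B", kind="accelerator"), Node("b4", "B", kind="accelerator"),
    ]


if __name__ == "__main__":
    inv = demo_inventory()
    print(place(inv, Request("t1", 2)))
    print(place(inv, Request("t2", 2, sensitive=True)))
    print(place(inv, Request("t3", 3, kind="accelerator")))
```

The third request is refused even though three accelerators are free across the data center, because no single cluster holds all three.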
3.4.1 Modular data centers
One innovation in the design of data centers is to use preassembled modular units
that together create a data center of varying size, depending upon the number of units
used. Early versions used standardized shipping containers and contained racks of computers
and all the associated power distribution and cooling units required. These containers
were simply hooked up to power, chilled water, and networking cables to make them
ready to be used. A simple concept for such a modular data center is shown in Figure 9.
Today, new variants of modular data centers include those that use custom racks for
greater densities, separate containers for the associated cooling, and custom containers
that are easier to maintain. New designs may also assemble modular units of different
configurations that, as an aggregate, provide all the required computing, power
distribution, and cooling. As an example, a single modular data center might
contain 44 racks with 7,000 servers and require 1.3 megawatts of power.
Although it would be less expensive to build a full-size data center rather than
construct it entirely from modular units, in practice, modular data centers are much
faster to install. They can also make it much easier to add incremental or refreshed
computing capacity by building them a container at a time. Modular data centers can
also be easily transported to where they are needed. For these reasons, modular data
centers are often used in cloud computing.
Figure 9. Concept for a modular DoD data center
Alternatives to modular data centers include data center designs in which entire
rows of preconfigured racks can be quickly snapped into place by simply connecting the
appropriate electrical cables and cooling hoses.
3.4.2 Critical cloud computing design choices
A well-designed cloud computing data center will reflect its projected uses. The
degree of automation and flexibility in the management software of a cloud computing
data center will depend on the applications that are run there.
For example, a single, large SaaS application (such as search) may be operated and
used by a single organization, and as such will require only modest data security. The
need for a hypervisor to provide isolation between tenants becomes less compelling,
because only a single application is being run with no need to co-locate with different
and potentially adversarial applications. By contrast, when an application involving
highly sensitive data is deployed in a cloud computing data center running many other
programs, the system design will include a hypervisor on each processor to assure
isolation. If multiple tenants share a facility, it becomes important to manage resource
usage quite strictly to assure responsiveness for all.
Social networking or search applications will interact almost exclusively with client
machines through internet browsers. Data center and application design in this case
would focus on protecting against data leaks from one user to another, which may be
achieved at the expense of availability.
In some special cases, a cloud data center may be used for software development.
The design will need to allow access and control of running programs to facilitate
debugging, with the understanding that speed may suffer. Other data centers may be
designed to minimize latency, support high interactivity, or maximize physical security.
These may benefit most from locating a small cloud computing data center near the
user, either as the sole source of computing capabilities or as an intermediary.
Finding
Finding 1: Although cloud computing is an overloaded term, cloud computing providers
are offering services that are fundamentally new and useful, typically encompassing the:
• ability for massive scale-up of storage and computing
• rapid, agile elasticity with the ability to increase and decrease storage and
  computing capacity on demand, when the community of tenants don't all require
  that capacity at the same time
• metered services where the user pays only for what is used
• self-service start-up and control
Finding 2: Modular data centers offer an approach to quickly set up cloud computing
capacity, add additional capability to existing cloud computing data centers, and easily
refresh or update existing capability.
4. Cloud Computing Benefits to the DoD Mission
Cloud computing offers the DoD new ways to provide computational capabilities for
missions. DoD missions most likely to benefit from cloud computing services will satisfy
one or more of the following:
• Scalable, on-demand computing. The elasticity and resource pooling provided by
  cloud computing is useful to applications that involve varying or unpredictable
  computing capacity. This model works well for applications that do not require
  highly correlated computing capacity, so it may not be useful for active missions or
  intensive exercises.
• Integration of many, high-capacity data feeds. The DoD collects high-capacity data
  from sensor networks and other sources, and data clouds have proven effective for
  the large-scale ingestion and integration of this kind of data. If cloud computing data
  centers are not used, custom-designed large-scale computers would be required to
  support these applications, and the construction of such machines is far more costly.
• Analysis of very large datasets. The DoD has the requirement to analyze large
  datasets. Over the past several years, a number of cloud computing applications
  have been developed, including Hadoop, Accumulo, Cassandra, and Hive, that scale
  to many thousands of processors and support easy-to-program parallel computing
  frameworks. These make big data analysis a practical enterprise.
• Connections to common services. Such applications as email, shared calendars,
  unclassified training, or document preparation can benefit from SaaS, PaaS, or IaaS.
  Accessing these applications through cloud computing results in lower computation
  cost, lower software management costs, and enforced uniformity and interoperability.
  DoD has already begun to move some common services into private and public cloud
  computing architectures.
In this chapter, five examples of defense applications are discussed that have proven
to be well suited for cloud computing data centers.
4.1 Example: Communication and Networking
Email, calendars, and contact lists are applications found in many of today's
commercial cloud-based computing services with millions of regular users. These
applications rely on redundant storage to enable widespread availability, many identical
processors for interactive performance, and a simple and uniform user interface across
different internet browsers. The required bandwidth from client machines to the cloud
computing data center is relatively low, so the internet suffices. These services are also
easily accessed from highly portable devices (cell phones and tablets) that are useful
in many DoD scenarios.
Technologies for e-learning will also be increasingly important to the warfighter. As
applications such as YouTube and Netflix have demonstrated, commercial cloud
computing is a reliable, economical, and highly scalable way to provide video to users. The
ability to access a YouTube-like syste