Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Cloud Government Security The Internet United States

Department of Defense May Give Private Cloud Vendors Access To Top Secret Data 60

An anonymous reader sends news that the U.S. Department of Defense is pondering methods to store its most sensitive data in the cloud. The DoD issued an information request (PDF) to see whether the commercial marketplace can provide remote computing services for Level 5 and Level 6 workloads, which include restricted military data. "The DoD anticipates that the infrastructure will range from configurations featuring between 10,000 and 200,000 virtual machines. Any vendors selected to the scheme would be subject to an accreditation process and to security screening, and the DoD is employing the Federal Risk and Authorization Management Program to establish screening procedures for authorized cloud vendors, and to generate procedures for continuous monitoring and auditing."
This discussion has been archived. No new comments can be posted.

Department of Defense May Give Private Cloud Vendors Access To Top Secret Data

Comments Filter:
  • Not "The Cloud" (Score:5, Informative)

    by Eevee ( 535658 ) on Wednesday October 08, 2014 @01:25AM (#48089319)
    They're looking for cleared contractors to set up private clouds in their facilities.
  • Nothing like setting oneself up for failure.
  • Outrage (Score:3, Insightful)

    by hammeraxe ( 1635169 ) on Wednesday October 08, 2014 @01:35AM (#48089355)

    I expect there to be outrage here on slashdot. But think about it. How is this really different from, lets say, Lockheed Martin designing the F-35 and storing all the design data associated with it. Sure, they're not a "private cloud vendor", but they're probably running a bunch of servers for this purpose. So "top secret cloud" is already happening.

    • It has been for years. Pretty much every business in the world that deals with defence contracts will store restricted material on their own site and computer systems at some point. In the UK there's even a designation for it List-X Site [wikipedia.org]. Other countries have their own designation.

      • Yes, contractors do maintain sensitive data, but it is usually (I say usually because some people get lazy, and then dinged by audits, quite often) stored in a SCIF, or a secured section of the datacenter that is secured in the same way as a SCIF.
    • Lockheed Martin storing F-35 design data make sense. They build it which would be quite hard without access to the design data. Company XYZ storing DoD data that they have not created, do not contribute to or work with is poor security and will increase the possibiliy of another Snowden scenario happening which is plainly idiotic from a security perspective.
    • Re:Outrage (Score:5, Insightful)

      by BitZtream ( 692029 ) on Wednesday October 08, 2014 @06:57AM (#48090205)

      Except that 'cloud' at Lockheed is entirely 'in house' and not accessible from the outside world at all. Its certainly not available on the Internet. Us old folks call it 'a file server on the internal network'. Of course, us old folks don't call things 'the cloud' either unless talking to people who don't understand networks, so for your case I'll use 'cloud'. Lets not forget that Lockheed is also the one who actually designed and built the thing, so they already have the data by definition.

      Lockheed also doesn't want the data getting stolen, they are VERY motivated to protect it. They can't sell F-35s for a ridiculous price if anyone can make them for a lot less. The government doesn't want China getting F-35s, so they are both motivated to work together to make sure that doesn't happen.

      Someone else, like Box, Dropbox, Google or Sharefile only have the interest of not getting some bad publicity. If the designs for the F-35 are stolen from one of those systems, at most they are out a single customer, Lockheed, but not enough of the rest of the world is going to give a shit and move as well ... ASSUMING Lockheed would. The sharing services don't care if China gets the plans to the F-35. Worst case, some rogue nation gets the plans, makes a bunch of military assets and then invades the US (I did say WORST case), the execs at the sharing service will have already sold some assets well in advance and moved somewhere they can watch the thing play out from relative safety.

      There is practically no real motivation for file sharing services to put more than a basic effort into security other than small amounts of pride. Greed trumps pride.

      You don't understand the outrage because you don't understand the pattern and you're simplifying it into something its not.

      Of course, you're also just reading the slashdot headline and summary and not the actual article, which states that they are looking for ways to certify contractors to create and work on a DoD private cloud ... NOT outsourcing their data storage to someone else like Box or Sharefile. It'll be in a DoD owned and managed data center at some military installation.

      So basically, not only do you not understand why slashdotters with a clue would be outraged, you don't understand what is actually being discussed, partially due to the ignorance of slashdot editors but mostly because you couldn't be bothered to read the story you're commenting on.

      • Re:Outrage (Score:4, Insightful)

        by AmiMoJo ( 196126 ) * on Wednesday October 08, 2014 @07:16AM (#48090283) Homepage Journal

        Except that 'cloud' at Lockheed is entirely 'in house' and not accessible from the outside world at all. Its certainly not available on the Internet.

        I seriously doubt that, as do many Chinese/Russian hackers. Even if the fileserver itself isn't on the internet, you can bet that client machines which connect to it are. I bet they allow VPN access to their internal network too, since they have more than one location.

        China and Russia already have the F-35 plans.

        • by Mr 44 ( 180750 )

          You have no idea how this stuff works. There's not a grey area - classified material is stored on air-gapped networks, and no, any machine which has ever been on the internet is not connecting to that network.

          • You have no idea how this stuff works. There's not a grey area - classified material is stored on air-gapped networks, and no, any machine which has ever been on the internet is not connecting to that network.

            It is slashdot. Everyone here is an expert at bashing crap they don't know :/

        • China and Russia already have the F-35 plans.

          I certainly hope so! Just wait for them to try to *build* the F-35 and watch their budgets explode just as wildly as the intra-USA budget has.

        • Nonsense (Score:4, Informative)

          by luis_a_espinal ( 1810296 ) on Wednesday October 08, 2014 @12:00PM (#48093519)

          Except that 'cloud' at Lockheed is entirely 'in house' and not accessible from the outside world at all. Its certainly not available on the Internet.

          I seriously doubt that, as do many Chinese/Russian hackers. Even if the fileserver itself isn't on the internet, you can bet that client machines which connect to it are. I bet they allow VPN access to their internal network too, since they have more than one location.

          China and Russia already have the F-35 plans.

          As a former engineer at a defense contractor, I can say this: you cannot VPN to internal networks vetted for cleared work (aka "secured labs". In fact, you cannot even connected to secured labs from within an internal network. You have to physically walk in into a secured lab from where to connect to a secured network (where you have to sign in, sign out, and leave all electronic gadgets behind.) You cannot VPN nor work from home when you work on classified stuff. You need to be on-site on a partitioned network infrastructure.

          And once there, that secured network has only access to resources specific to designated projects on a 'need-to-know' basis, and only for work at or below a given security level.

          Meaning, a secret-level lab cannot access resources from a top-secret project, and/or top-secret lab A designated to work on project X cannot access resources allocated on secret lab B designated for project Y if projects A and Y are unrelated or firewalled even though lab A has greater clearance than lab B.

          You cannot even print in many of these labs. Any information that must be transmitted from one lab to another is permitted only by a IA officer that is not assigned to any project and whose only work is to enforce the firewalls. And when that information is permitted is via encrypted devices carried by hand (sometimes we refer to those as sneaker nets.) These labs are physically separated down to the wire (and sometimes backup power generators.)

          Nothing of the above can 100% prevent leakage due to stupidity or ulterior motives. But to assume that clients machine simply connect to a fileserver on a sec lab, that is just nonsense. It can happen due to malice or stupidity (I mean, anything not forbidden by physics or mathematics is possible). But that is not the general case, and as a result, you cannot simply presume it as a matter of fact.

      • ... Us old folks call it 'a file server on the internal network'. Of course, us old folks don't call things 'the cloud' either unless talking to people who don't understand networks, so for your case I'll use 'cloud'...

        I've lost count of the times I have told people the "The Cloud" is just using someone else's computer for storage. They are always shocked. I am not sure what that actually thought "the cloud" was.

        Same folks that are shocked to learn that Google is reading their Gmail.

      • by Anonymous Coward

        Boy, I learned this the hard way. I was researching starting a cloud provider that would be designed around handling government SBU stuff, where it had to be FISMA compliant with SCAP testing, random and scheduled audits, proper encryption [1] implemented everywhere so that a tape falling off the back of the Iron Maiden truck doesn't result in election year press scandals.

        I went to a VC with this, and he looked at my proposal, gutted anything security related to token levels [2]. The staff which were to b

    • I expect there to be outrage here on slashdot. But think about it. How is this really different from, lets say, Lockheed Martin designing the F-35 and storing all the design data associated with it. Sure, they're not a "private cloud vendor", but they're probably running a bunch of servers for this purpose. So "top secret cloud" is already happening.

      Bingo. Amazon has been hiring people with sec. clearance for quite some time. These DoD clouds are not stuff deployed on typical heroku or AWS, but cloud infrastructure deployed on secured facilities.

      I blame the term "the cloud", too amorphous of a term to mean just about anything.

      • I expect there to be outrage here on slashdot. But think about it. How is this really different from, lets say, Lockheed Martin designing the F-35 and storing all the design data associated with it. Sure, they're not a "private cloud vendor", but they're probably running a bunch of servers for this purpose. So "top secret cloud" is already happening.

        Bingo. Amazon has been hiring people with sec. clearance for quite some time. These DoD clouds are not stuff deployed on typical heroku or AWS, but cloud infrastructure deployed on secured facilities.

        I blame the term "the cloud", too amorphous of a term to mean just about anything.

        Reality is that they're only replacing existing DoD contractors that are already providing theses services but at a much higher cost. This just opens the playing field up a bit more. That's all this is about - helping reduce costs on existing services.

    • AFAIK DoD contractors are required to keep classified data on a separate network from unclassified data. Classified network should have no internet access. "Closed areas" are used to keep the networked machines physically separate. Set procedures are in place for moving data between the two networks. This sounds like Top Secret data would be travelling across the internet (likely there will be strict standards on VPNs to use and encryption and whatever).
  • How about a nice game of chess?

  • by Greyfox ( 87712 ) on Wednesday October 08, 2014 @03:00AM (#48089567) Homepage Journal
    Yeah I could see that working. You'd just want your cloud air-gapped from any public network, and to not provide any remote access. If you did that, I think it'd work great!
  • Use iCloud (Score:2, Funny)

    by Anonymous Coward

    Apple has proven itself over and over being both trustworthy and highly skilled at security.

  • Can you imagine the selfie porn leaks then? Ewwwww, I just threw up in my mouth a 'lil.

  • Government got pissed with the Snowden leaks, and this is their reaction?

    Let's put it in a "secure" cloud?

    Wow. So it wasn't just a rumor. They actually have a medal awarded for Ignorance.

  • We keep this stupid term "cloud" as if we're all idiots. "The Cloud" is a term made up for simple people that are using it as a place to store their pics and stuff. It's a marketing term.

    Re-read this article and replace "cloud" with "isolated remote server" and all of the worries just slip away.
    • Actually no. It involves a whole stack of services including self provisioning, scaling and resource allocation that can include long or short term utilization. It can also include software licensing as part of the deal. The remote server is one piece of the puzzle. It's commoditization of compute resources which can help to drive down costs and you can keep it long term or dispose of it as soon as you use it. It appears that the DoD is looking to reduce costs in one particular area, storage. Anybody

      • Of course. But it's simply a remote place or places that data sits, and is "served" accordingly. The rest is just bells and whistles. In a scenario where we call rent-a-car, "cars in the cloud", we would be just as silly.
        • rent-a-car or zipcar or lyft or uber are similar paradigms. Cloud is just a term but the concepts go beyond a remove server. What IT doesn't like is the fact that now the business side of the house can go get this themselves, when they want and how they want it. Oh and your data doesn't have to "sit there" unless you want it to. From a pure data service perspective yes you can let it sit there but I wouldn't unless it's encrypted.

          • zipcar or lyft or uber are similar paradigms

            Ok, I didn't think of it in that way. I was thinking in terms of:
            user-device-->interface-->computers-owned-by-service-->calculations(maybe)-->interface-->user-device etc...

            If what you're saying relates, then the data is not owned by "service", but by the "user", and the "user" can freely move that data to whatever "service" they wish. Is that correct? Because honestly, every time I hear "the cloud", I only think "Utah Data Center".

            • Oh yeah you own the data. Any public cloud service provider will tell you that. You're also responsible for backup/duplication unless then bundle that in as part of the offering. You still have the same data management requirements you'd have in your own data center. The difference being now you can spread that information across multiple AZs cheaply to provide data resiliency in case of outage or disaster.

              • Very interesting, thanks. It's very cool when people, as you just did, respond with knowledge in a way that isn't offensively propping themselves up on a pedestal. Makes me glad to still visit slashdot.
  • How stupid can you get? Oh, it's the Department of Defense, Never mind...
  • Surely no one would try to hack, much less succeed at hacking, this data. Would they?
  • Which won't stop actual morons from trying it. These are the guys who are buying server hardware with components made in China. How could anything go wrong?

  • Yeah, right.

    They can't keep foreign nationals from working inside the same contractors' facilities as their DoD projects are being worked. Sure, its in the next cubicle over.

  • The DoD has put the most thought into the subject of co-locating equipment, but the entire Federal government is embracing this model as well. The company I work for provides legal technology solutions to the DoJ and the SEC. Over the last year, every single RFP has had at least some question about our willingness to co-locate hardware in their facilities.

    The same thing is happening in the private sector, especially the financial industry. People are so paranoid about data breaches that they are unwillin

  • DOD should move some data to the cloud if it makes sense. However, DOD's top priority should be to stop the rampant overclassification of data. This problem costs taxpayers enormous sums. It costs money to classify data and then store it as classified data. Later, if ever, it costs money to decide to declassify the data and do so. Meanwhile, too many people have access. Too often, information is classified to prevent political embarrassment of powerful players, prevent public debate on important questions,

IOT trap -- core dumped

Working...