Department of Defense May Give Private Cloud Vendors Access To Top Secret Data 60
An anonymous reader sends news that the U.S. Department of Defense is pondering methods to store its most sensitive data in the cloud. The DoD issued an information request (PDF) to see whether the commercial marketplace can provide remote computing services for Level 5 and Level 6 workloads, which include restricted military data. "The DoD anticipates that the infrastructure will range from configurations featuring between 10,000 and 200,000 virtual machines. Any vendors selected to the scheme would be subject to an accreditation process and to security screening, and the DoD is employing the Federal Risk and Authorization Management Program to establish screening procedures for authorized cloud vendors, and to generate procedures for continuous monitoring and auditing."
Not "The Cloud" (Score:5, Informative)
Re: (Score:3)
Nothing like setting oneself up for failure.
Exactly. Secrets need to be kept in house, and even then they're not totally secure. Give it to a contractor and even the most idiot person in the world will understand that there is a 99% chance you'll find that info spilled on the internet. I guess nothing stands in the way of cost reductions to zero eh ? Stupidity all around.
That is stupid. The same can be said for disgruntled employees. When we are talking contractors in a DoD setting, we are not talking about Infosys handing over work to someone overseas, but:
Nothing on that list will prevent someone from leaking stu
Re: (Score:2)
Nothing like setting oneself up for failure.
Exactly. Secrets need to be kept in house, and even then they're not totally secure. Give it to a contractor and even the most idiot person in the world will understand that there is a 99% chance you'll find that info spilled on the internet. I guess nothing stands in the way of cost reductions to zero eh ? Stupidity all around.
That is stupid. The same can be said for disgruntled employees. When we are talking contractors in a DoD setting, we are not talking about Infosys handing over work to someone overseas, but:
Nothing on that list will prevent someone from leaking stuff out to the interweeds, but to presume that under those conditions there is a 99% change of that (as you said), that is just nonsense.
Not all cleared personnel are US citizens; but the higher the clearance the more likely that is the case.
Re: (Score:1)
Re: (Score:1)
it's a ploy.
store the massive surveillance of cloud systems on cloud systems so you need to buy more cloud systems to keep the surveillance data of the cloud systems that you stored the surveillance data of the cloud systems on..
Obligatory (Score:1)
Department of Defense May Give Private Cloud Vendors Access To Top Secret Data
In Soviet Russia, private cloud vendors give government access to top secret data. Wait...
That should work out well...NOT! (Score:1)
Outrage (Score:3, Insightful)
I expect there to be outrage here on slashdot. But think about it. How is this really different from, lets say, Lockheed Martin designing the F-35 and storing all the design data associated with it. Sure, they're not a "private cloud vendor", but they're probably running a bunch of servers for this purpose. So "top secret cloud" is already happening.
Re: (Score:3)
It has been for years. Pretty much every business in the world that deals with defence contracts will store restricted material on their own site and computer systems at some point. In the UK there's even a designation for it List-X Site [wikipedia.org]. Other countries have their own designation.
Re: (Score:2)
Re: (Score:2)
Re:Outrage (Score:5, Insightful)
Except that 'cloud' at Lockheed is entirely 'in house' and not accessible from the outside world at all. Its certainly not available on the Internet. Us old folks call it 'a file server on the internal network'. Of course, us old folks don't call things 'the cloud' either unless talking to people who don't understand networks, so for your case I'll use 'cloud'. Lets not forget that Lockheed is also the one who actually designed and built the thing, so they already have the data by definition.
Lockheed also doesn't want the data getting stolen, they are VERY motivated to protect it. They can't sell F-35s for a ridiculous price if anyone can make them for a lot less. The government doesn't want China getting F-35s, so they are both motivated to work together to make sure that doesn't happen.
Someone else, like Box, Dropbox, Google or Sharefile only have the interest of not getting some bad publicity. If the designs for the F-35 are stolen from one of those systems, at most they are out a single customer, Lockheed, but not enough of the rest of the world is going to give a shit and move as well ... ASSUMING Lockheed would. The sharing services don't care if China gets the plans to the F-35. Worst case, some rogue nation gets the plans, makes a bunch of military assets and then invades the US (I did say WORST case), the execs at the sharing service will have already sold some assets well in advance and moved somewhere they can watch the thing play out from relative safety.
There is practically no real motivation for file sharing services to put more than a basic effort into security other than small amounts of pride. Greed trumps pride.
You don't understand the outrage because you don't understand the pattern and you're simplifying it into something its not.
Of course, you're also just reading the slashdot headline and summary and not the actual article, which states that they are looking for ways to certify contractors to create and work on a DoD private cloud ... NOT outsourcing their data storage to someone else like Box or Sharefile. It'll be in a DoD owned and managed data center at some military installation.
So basically, not only do you not understand why slashdotters with a clue would be outraged, you don't understand what is actually being discussed, partially due to the ignorance of slashdot editors but mostly because you couldn't be bothered to read the story you're commenting on.
Re:Outrage (Score:4, Insightful)
Except that 'cloud' at Lockheed is entirely 'in house' and not accessible from the outside world at all. Its certainly not available on the Internet.
I seriously doubt that, as do many Chinese/Russian hackers. Even if the fileserver itself isn't on the internet, you can bet that client machines which connect to it are. I bet they allow VPN access to their internal network too, since they have more than one location.
China and Russia already have the F-35 plans.
Re: (Score:3)
You have no idea how this stuff works. There's not a grey area - classified material is stored on air-gapped networks, and no, any machine which has ever been on the internet is not connecting to that network.
Re: (Score:3)
You have no idea how this stuff works. There's not a grey area - classified material is stored on air-gapped networks, and no, any machine which has ever been on the internet is not connecting to that network.
It is slashdot. Everyone here is an expert at bashing crap they don't know :/
Re: (Score:2)
China and Russia already have the F-35 plans.
I certainly hope so! Just wait for them to try to *build* the F-35 and watch their budgets explode just as wildly as the intra-USA budget has.
Nonsense (Score:4, Informative)
Except that 'cloud' at Lockheed is entirely 'in house' and not accessible from the outside world at all. Its certainly not available on the Internet.
I seriously doubt that, as do many Chinese/Russian hackers. Even if the fileserver itself isn't on the internet, you can bet that client machines which connect to it are. I bet they allow VPN access to their internal network too, since they have more than one location.
China and Russia already have the F-35 plans.
As a former engineer at a defense contractor, I can say this: you cannot VPN to internal networks vetted for cleared work (aka "secured labs". In fact, you cannot even connected to secured labs from within an internal network. You have to physically walk in into a secured lab from where to connect to a secured network (where you have to sign in, sign out, and leave all electronic gadgets behind.) You cannot VPN nor work from home when you work on classified stuff. You need to be on-site on a partitioned network infrastructure.
And once there, that secured network has only access to resources specific to designated projects on a 'need-to-know' basis, and only for work at or below a given security level.
Meaning, a secret-level lab cannot access resources from a top-secret project, and/or top-secret lab A designated to work on project X cannot access resources allocated on secret lab B designated for project Y if projects A and Y are unrelated or firewalled even though lab A has greater clearance than lab B.
You cannot even print in many of these labs. Any information that must be transmitted from one lab to another is permitted only by a IA officer that is not assigned to any project and whose only work is to enforce the firewalls. And when that information is permitted is via encrypted devices carried by hand (sometimes we refer to those as sneaker nets.) These labs are physically separated down to the wire (and sometimes backup power generators.)
Nothing of the above can 100% prevent leakage due to stupidity or ulterior motives. But to assume that clients machine simply connect to a fileserver on a sec lab, that is just nonsense. It can happen due to malice or stupidity (I mean, anything not forbidden by physics or mathematics is possible). But that is not the general case, and as a result, you cannot simply presume it as a matter of fact.
Re: (Score:2)
... Us old folks call it 'a file server on the internal network'. Of course, us old folks don't call things 'the cloud' either unless talking to people who don't understand networks, so for your case I'll use 'cloud'...
I've lost count of the times I have told people the "The Cloud" is just using someone else's computer for storage. They are always shocked. I am not sure what that actually thought "the cloud" was.
Same folks that are shocked to learn that Google is reading their Gmail.
Re: (Score:1)
Boy, I learned this the hard way. I was researching starting a cloud provider that would be designed around handling government SBU stuff, where it had to be FISMA compliant with SCAP testing, random and scheduled audits, proper encryption [1] implemented everywhere so that a tape falling off the back of the Iron Maiden truck doesn't result in election year press scandals.
I went to a VC with this, and he looked at my proposal, gutted anything security related to token levels [2]. The staff which were to b
Re: (Score:2)
I expect there to be outrage here on slashdot. But think about it. How is this really different from, lets say, Lockheed Martin designing the F-35 and storing all the design data associated with it. Sure, they're not a "private cloud vendor", but they're probably running a bunch of servers for this purpose. So "top secret cloud" is already happening.
Bingo. Amazon has been hiring people with sec. clearance for quite some time. These DoD clouds are not stuff deployed on typical heroku or AWS, but cloud infrastructure deployed on secured facilities.
I blame the term "the cloud", too amorphous of a term to mean just about anything.
Re: (Score:2)
I expect there to be outrage here on slashdot. But think about it. How is this really different from, lets say, Lockheed Martin designing the F-35 and storing all the design data associated with it. Sure, they're not a "private cloud vendor", but they're probably running a bunch of servers for this purpose. So "top secret cloud" is already happening.
Bingo. Amazon has been hiring people with sec. clearance for quite some time. These DoD clouds are not stuff deployed on typical heroku or AWS, but cloud infrastructure deployed on secured facilities.
I blame the term "the cloud", too amorphous of a term to mean just about anything.
Reality is that they're only replacing existing DoD contractors that are already providing theses services but at a much higher cost. This just opens the playing field up a bit more. That's all this is about - helping reduce costs on existing services.
Re: (Score:2)
Ob (Score:2)
How about a nice game of chess?
Oh. Sure! (Score:3)
Use iCloud (Score:2, Funny)
Apple has proven itself over and over being both trustworthy and highly skilled at security.
Can't Wait for the Political Porn Leaks (Score:2)
Can you imagine the selfie porn leaks then? Ewwwww, I just threw up in my mouth a 'lil.
The reaction to Snowden (Score:2, Troll)
Government got pissed with the Snowden leaks, and this is their reaction?
Let's put it in a "secure" cloud?
Wow. So it wasn't just a rumor. They actually have a medal awarded for Ignorance.
"cloud" vs "remote server" (Score:2)
Re-read this article and replace "cloud" with "isolated remote server" and all of the worries just slip away.
Re: (Score:2)
Actually no. It involves a whole stack of services including self provisioning, scaling and resource allocation that can include long or short term utilization. It can also include software licensing as part of the deal. The remote server is one piece of the puzzle. It's commoditization of compute resources which can help to drive down costs and you can keep it long term or dispose of it as soon as you use it. It appears that the DoD is looking to reduce costs in one particular area, storage. Anybody
Re: (Score:2)
Re: (Score:2)
rent-a-car or zipcar or lyft or uber are similar paradigms. Cloud is just a term but the concepts go beyond a remove server. What IT doesn't like is the fact that now the business side of the house can go get this themselves, when they want and how they want it. Oh and your data doesn't have to "sit there" unless you want it to. From a pure data service perspective yes you can let it sit there but I wouldn't unless it's encrypted.
Re: (Score:2)
zipcar or lyft or uber are similar paradigms
Ok, I didn't think of it in that way. I was thinking in terms of:
user-device-->interface-->computers-owned-by-service-->calculations(maybe)-->interface-->user-device etc...
If what you're saying relates, then the data is not owned by "service", but by the "user", and the "user" can freely move that data to whatever "service" they wish. Is that correct? Because honestly, every time I hear "the cloud", I only think "Utah Data Center".
Re: (Score:2)
Oh yeah you own the data. Any public cloud service provider will tell you that. You're also responsible for backup/duplication unless then bundle that in as part of the offering. You still have the same data management requirements you'd have in your own data center. The difference being now you can spread that information across multiple AZs cheaply to provide data resiliency in case of outage or disaster.
Re: (Score:2)
How stupid can you get? (Score:2)
What could possibly go wrong? (Score:1)
"In the cloud" and "Top Secret" oxymorons (Score:2)
Which won't stop actual morons from trying it. These are the guys who are buying server hardware with components made in China. How could anything go wrong?
Monitoring and Auditing (Score:2)
Yeah, right.
They can't keep foreign nationals from working inside the same contractors' facilities as their DoD projects are being worked. Sure, its in the next cubicle over.
Not just the DoD (Score:2)
The DoD has put the most thought into the subject of co-locating equipment, but the entire Federal government is embracing this model as well. The company I work for provides legal technology solutions to the DoJ and the SEC. Over the last year, every single RFP has had at least some question about our willingness to co-locate hardware in their facilities.
The same thing is happening in the private sector, especially the financial industry. People are so paranoid about data breaches that they are unwillin
DOD joke: "authority to classify a ham sandwich" (Score:1)