Cloud computing for large entities such as the army, benefits, risks and concerns.

sram

[H]ard|Gawd
Joined
Jul 30, 2007
Messages
1,699
Hi to all,

There is a high chance that I give a presentation on cloud computing and how it could benefit large entities such as the army, and I've got some questions. I see how cloud computing can benefit individuals and small companies. For example, it is better for me to pay for the usage of a certain software which happens only twice a year instead of buying the full software and paying the full price for only limited usage. This also applies for platform and infrastructure. Now, with big entities such as the army, why would they opt for the public cloud if they can build their own private cloud? Or is it just too expensive to build a private cloud and it is easier to go for the public cloud for accessibility and availability? And what services are they exactly looking for? Storage? If it is storage, why would I trust the cloud to keep my confidential data? I mean yes you can secure it and encrypt it, but does that mean I have dealt with all security concerns and I'm ready to sign a humongous contract with a cloud provider?

https://www.nextgov.com/cio-briefin...-needs-more-time-fixing-jedi-contract/166292/

I mean loss of confidentiality and leakage of information is the last thing that an army or a big business company want, right?

I'm not very knowledgeable, but the way I look at it is that cloud computing is just too beneficial to be skipped and such entities have to deal with the security concerns and develop policies to counter them and minimize the risks. Am I kinda of in the right track?

That's one thing,

The other thing is that I want to demonstrate something related to the audience so that my presentation is more interactive and enjoyable. I have some experience in using kali linux and kali nethunter (on smart phones), so what would be a good attack to demonstrate to show the risks of the cloud..........if anybody has done something similar.

Sorry if this isn't the place for such questions but I need some directions.

Thanks.
 
This is a bad idea for the military at least, especially the part about "all classification" levels... but that aside, I see the appeal. One of which is A.I, A.I 'learns' through feeding it massive amounts of data, where better to get that data than scraping the internet? Connecting to a cloud infrastructure makes that much more feasible. The flip side of that, is you're trusting your security to a third party, sure it the company may say it's encrypted, and it may be. But it wouldn't prevent them from duplicating, or copying traffic to another machine locally....an attack that you'd never even know was happening. It's possible for Microsoft or AWS themselves to keep multiple 'backups' that you could potentially be unaware of. The cloud literally is just housing your data on someone else's computer/server. Now could it secure? yes, they could be encrypting it, not doing any sneaky backups/cloning etc, and it could offer some amazing benefits....but do you trust the company you're working with not to be sneaky?, especially with such high-value systems such as the U.S army?
 
This is a bad idea for the military at least, especially the part about "all classification" levels... but that aside, I see the appeal. One of which is A.I, A.I 'learns' through feeding it massive amounts of data, where better to get that data than scraping the internet? Connecting to a cloud infrastructure makes that much more feasible. The flip side of that, is you're trusting your security to a third party, sure it the company may say it's encrypted, and it may be. But it wouldn't prevent them from duplicating, or copying traffic to another machine locally....an attack that you'd never even know was happening. It's possible for Microsoft or AWS themselves to keep multiple 'backups' that you could potentially be unaware of. The cloud literally is just housing your data on someone else's computer/server. Now could it secure? yes, they could be encrypting it, not doing any sneaky backups/cloning etc, and it could offer some amazing benefits....but do you trust the company you're working with not to be sneaky?, especially with such high-value systems such as the U.S army?

Thanks for your input. It is NOT executed yet, but the fact that they are considering it tells us something. It is a 10 billion contract. I was going to mention classification levels and say they will only put certain levels in the cloud but I was like : what good would it be if I can't access my top secret data? And No, I don't trust the company. It is controversial.
 
Thanks for your input. It is NOT executed yet, but the fact that they are considering it tells us something. It is a 10 billion contract. I was going to mention classification levels and say they will only put certain levels in the cloud but I was like : what good would it be if I can't access my top secret data? And No, I don't trust the company. It is controversial.
Well at least someone is thinking somewhere as it should be controversial, The government, especially the military is slow to act, especially with changing technologies. I mean I think they have just now starting migrating off of Windows XP on certain bases....which is insane. So they keep getting breached. Now in the cloud, theoretically they could actually become more secure, that is if the contract requires the vendor to keep up-to-date OS's and patches throughout the life of the contract, but those will frequently break custom applications, which the government loves to run. So than the question becomes, does the cloud include a test environment before these updates are made? what is the process for testing these? What is the time frame in order to patch critical vulnerabilities? Who's responsible for detecting and fixing those? The Vendor? the Military? Or are they only providing the physical infrastructure? If so what is the physical security like at those locations? so many questions, it honestly seems like the risks would outweigh the rewards...but that is IMHO

And slow to act is an understatement.....Unemployment is still running on Cobol...a 60yr old programming language.
 
AWS' Shared Responsibility Model is a good answer to this question. Azure and other providers probably have a very similar policy, I'd wager.

Some services leave almost everything to you, some manage near everything. For instance, say you use AWS' RDS service to bring up a SQL Server instance. You cannot RDP to the machine or otherwise ever directly touch it. AWS will patch and maintain the underlying instance - it's a managed service. Of course, it being managed doesn't mean it's invincible... like if you fuck up and leak your IAM credentials for a user that has access to it, that's on you and not AWS.

Basically if you use one of their IaaS products, you are responsible for maintaining the instance, patching, OS updates, etc. For products where Amazon "owns" the infrastructure layer, the customer is still responsible for their handling of the data. They're not at fault if you don't encrypt the data or if you go and leak some IAM credentials that can access it.

The physical security at one of these datacenters is generally immense, probably even more so for their government focused offerings, and is covered under this policy as well.

Also a ton of data breaches just come from really trivial shit like unsecured S3 buckets and phishing attacks.
 
Relying on another companies 'policy' for security is a bit like an abused spouse holding up a restraining order to her abuser saying "you can't hit me...i have this!"....it will only help later in court....the damage will have already been done, and you'll be left to fix whatever happened
 
I have been using AWS for almost 5 years now, and the main appeal to me has always been cost reduction and ease of management. I am a software developer with extensive SQL knowledge, but I am not a DBA. However, with the aforementioned RDS service, I don't need a full time DBA to maintain the database. I don't have to worry about the SQL Server setup (which requires in depth knowledge of SQL Server). And the backup/restore of the database is as easy as point and click. I also don't need a full time network admin, because I can set up my VPC fairly easily. It is quite easy to get started on AWS, but to get an in depth understanding of how everything works together does take some time. I believe for a large business or entity, Cloud Computing can certain help with the cost cutting and management, but not everything should be moved to the cloud.
 
Well at least someone is thinking somewhere as it should be controversial, The government, especially the military is slow to act, especially with changing technologies. I mean I think they have just now starting migrating off of Windows XP on certain bases....which is insane. So they keep getting breached. Now in the cloud, theoretically they could actually become more secure, that is if the contract requires the vendor to keep up-to-date OS's and patches throughout the life of the contract, but those will frequently break custom applications, which the government loves to run. So than the question becomes, does the cloud include a test environment before these updates are made? what is the process for testing these? What is the time frame in order to patch critical vulnerabilities? Who's responsible for detecting and fixing those? The Vendor? the Military? Or are they only providing the physical infrastructure? If so what is the physical security like at those locations? so many questions, it honestly seems like the risks would outweigh the rewards...but that is IMHO

And slow to act is an understatement.....Unemployment is still running on Cobol...a 60yr old programming language.
I have been using AWS for almost 5 years now, and the main appeal to me has always been cost reduction and ease of management. I am a software developer with extensive SQL knowledge, but I am not a DBA. However, with the aforementioned RDS service, I don't need a full time DBA to maintain the database. I don't have to worry about the SQL Server setup (which requires in depth knowledge of SQL Server). And the backup/restore of the database is as easy as point and click. I also don't need a full time network admin, because I can set up my VPC fairly easily. It is quite easy to get started on AWS, but to get an in depth understanding of how everything works together does take some time. I believe for a large business or entity, Cloud Computing can certain help with the cost cutting and management, but not everything should be moved to the cloud.

If the risks outweigh the rewards, why would the DoD consider such a thing? They are putting so much money into it. What is it that cloud computing will greatly help in? From my knowledge, I know that some armies tend to use closed isolated networks across large geographical areas, just for the sake of security. They have their own infrastructure and fiber optics networks which are separated from all other civilian networks. They even refuse to use the same pipe or manhole, so why suddenly jump to the cloud?

And if they don't put everything on the cloud, wouldn't that oppose the advantage of being able to access your data from relatively everywhere? I wonder how they are implementing it.
 
I don't know how the DoD operates. If I were to venture a guess, I would say the main reason is to cut cost and ease up the management aspect. Government entities provision different government cloud and they provide the specifications, such as securities, up-time requirement, etc to the cloud providers. The government cloud is different from public cloud and basically they will utilize the cloud providers ability to take care of the management of the cloud and their ability to scale. Using the SaaS and IaaS from the cloud providers, DoD probably be able to reduce headcount or maintain the same headcount while continue to grow their infrastructure and/or data need. One advantage of the cloud is the ability to quickly scale and add server or data capacity on the fly. Moving to the cloud also helps with centralizing their data and infrastructure, not to mention now if everything is moved to the cloud, that will make security a bit easier as they don't have to worry about securing all the different sites and servers, but can focus in on the security of the cloud.

I don't know though if highly classified documents will continue to stay in their private or local cloud or moved to the government cloud.
 
If the risks outweigh the rewards, why would the DoD consider such a thing?

IMHO the risks outweigh the rewards only if you assume our government does a spectacular job of maintaining it's digital security. Unfortunately we all know that is far from the case.

It's also worth noting that all of the cloud providers will jump through hoops for contracts like this. Items that we just have to deal with like datacenter security \ location are non issues for billion dollar contracts. If the DoD says "We will host our data through you, but you need to build several data centers at strategic locations for our private use.", accommodations will be made for the right price.
 
Moving to the cloud also helps with centralizing their data and infrastructure, not to mention now if everything is moved to the cloud, that will make security a bit easier as they don't have to worry about securing all the different sites and servers, but can focus in on the security of the cloud.
One of the biggest security issues faced by all organizations is something I'll call 'open source purity'.

Open Source is something that you don't get away from. Microsoft owns Github and has moved much of their development there; everyone else was already there.

A fix being explored is for secure hosting environments that may or may not be connected to the internet to host a set of 'secured' container and VM images from which CI/CD pipelines may integrate, while also providing SaaS solution backends the same way that AWS/Azure/etc. do for their customers.
It's also worth noting that all of the cloud providers will jump through hoops for contracts like this. Items that we just have to deal with like datacenter security \ location are non issues for billion dollar contracts. If the DoD says "We will host our data through you, but you need to build several data centers at strategic locations for our private use.", accommodations will be made for the right price.
The USG in general and the DoD has on occasion already done this.

However, these solutions, while technically operating in 'secure' environments, aren't necessarily trusted for the most secure data, nor for all operational stuff. DoD components (like USN, USAF) have built their own 'private cloud' infrastructure to handle a lot of the more sensitive stuff.
 
One of the biggest security issues faced by all organizations is something I'll call 'open source purity'.

Open Source is something that you don't get away from. Microsoft owns Github and has moved much of their development there; everyone else was already there.

A fix being explored is for secure hosting environments that may or may not be connected to the internet to host a set of 'secured' container and VM images from which CI/CD pipelines may integrate, while also providing SaaS solution backends the same way that AWS/Azure/etc. do for their customers.

I have no idea what you are trying to convey here. Are you saying that Open Source is bad? What fix is being explored?
 
I have no idea what you are trying to convey here. Are you saying that Open Source is bad? What fix is being explored?
Generally, when an open-source project is built / compiled, part of that process is getting the latest compatible version or just the latest version from the public repository.

This introduces the inherent issue of malicious code injection into the repositories, something that should be caught but could also be missed if done expertly.

To combat this, one approach is to 'curate' code from public repositories and to limit applications built on government or defense clouds to only use the curated versions.

This is making a strength out of a weakness; near-edge technologies may be employed, trailing only by the time and effort needed to curate them before making them available for applications to target. By doing so, less 'custom' code is introduced into the cloud environment, standards are more broadly propogated, attack surfaces are reduced, and so on.
 
Hi to all,

There is a high chance that I give a presentation on cloud computing and how it could benefit large entities such as the army, and I've got some questions. I see how cloud computing can benefit individuals and small companies. For example, it is better for me to pay for the usage of a certain software which happens only twice a year instead of buying the full software and paying the full price for only limited usage. This also applies for platform and infrastructure. Now, with big entities such as the army, why would they opt for the public cloud if they can build their own private cloud? Or is it just too expensive to build a private cloud and it is easier to go for the public cloud for accessibility and availability? And what services are they exactly looking for? Storage? If it is storage, why would I trust the cloud to keep my confidential data? I mean yes you can secure it and encrypt it, but does that mean I have dealt with all security concerns and I'm ready to sign a humongous contract with a cloud provider?

https://www.nextgov.com/cio-briefin...-needs-more-time-fixing-jedi-contract/166292/

I mean loss of confidentiality and leakage of information is the last thing that an army or a big business company want, right?

I'm not very knowledgeable, but the way I look at it is that cloud computing is just too beneficial to be skipped and such entities have to deal with the security concerns and develop policies to counter them and minimize the risks. Am I kinda of in the right track?

That's one thing,

The other thing is that I want to demonstrate something related to the audience so that my presentation is more interactive and enjoyable. I have some experience in using kali linux and kali nethunter (on smart phones), so what would be a good attack to demonstrate to show the risks of the cloud..........if anybody has done something similar.

Sorry if this isn't the place for such questions but I need some directions.

Thanks.

For starters, the military has done a poor job of keeping secrets out of the hands of the bad guys even without public Cloud offerings like AWS and Azure. Ironically enough, AWS and Azure are extremely configurable with the security infra and would offer higher security while maintaining all the pure infra benefits of scalability, durability, and extensibility. I do AWS infra as part of my software dev job at a Fortune 25 org, and the configuration options are there - and it's all "off the shelf".

The next point of "why go public versus build it private" is simply this: maintaining an existing private cloud (or software architecture even) for current stack operations while looking forward to the "next great thing" is magnitudes weightier with time/budget/resources than simply outsourcing the infra and concentrating purely on the software side. It takes an inordinate amount of manpower to build on, maintain, and extend privatized infra stacks because that metal is yours end to end. You can't "move fast" if your org is responsible for everything.

Now, contracts and all - it seems like abstract legal lawyer mumbo jumbo but they hold the keys. The contract is the front door. All of the above is entirely useless if your public cloud offering provider has even a single line sideways in the eyes of the brass. You honestly are already wasting your time detailing any of the above until the lawyers have come together and signed stuff.
 
I didn't read the entire thread, but just something to keep in mind.

Any Gov cloud functions must be put into a FedRAMP compliant facility, of which I believe AWS has two regions that are FedRAMP compliant.
 
I'm AWS DevOps and Security Specialty certified.
I work for an Amazon Partner, so I have to be.
Mine are old, I've had to re-up them.

We have to attend a lot of events, so I've met GovCloud engineers, they're very bright.
A lot of Sec concepts have been collected into an ideal workflow that's going to hammer in IAM, networking, and explicit allow of resource accessibility given whatever inline permissions you are granted.
We used to have to author tools to fit in or glue together integrations of Cognito to Systems Manager to Parameter Store. AWS has released Control Tower so it's much easier. Anyone that tells me they can do all the same things with Chef or Ansible needs to have their heads checked bc twitching off VPC Flow love or auditing API calls for years on end isn't my idea of fun.

Someone above mentioned machine learning.
Well ml should have been key to the Ops toolbox years ago.
Sys admins, NAs, DBAs, Sec, etc, we all should have upgraded our monitoring and resolution triggering.
It really is hard to write out alarms and actions for everything when you may not have full control over an AWS Org


It's 2020, and I still have clientside teams that don't separate the groups.
You have feature Dev writing Roles and somehow dual KMS admin alongside KMS describe/encrypt/decrypt.

I met some Air Force guys 5-6 years ago at the AWS San Francisco Loft that were working with the guy that wrote the GovCloud self service portal.
I need to dig up his talk, it sets the tone of how to get a large organization in track.

The Sec talks are fine, I prefer running people thru them 3-4 times.
Conceptually ideas when to drop tables or how to ensure encryption in transit or at rest across Regions is best done in relation than studied.

Concepts are siloed by habit, not practice. It's been that way for over 20 years. A public or private cloud is just a platform. How an organization works on it often is riddled with bad assumptions and old technical debt.

If you want to make a public cloud transformation work, then think back on all the VMware, Xen, and Openstack deployments you've architected. That's what I do, and I attack the stumbling blocks from those old projects first.
 
Last edited:
Start here, define a service catalog in specific Regions you work in: https://github.com/aws-samples/aws-service-catalog-tools-workshop

Go thru the Sec workshops bc I've sat with healthcare SecOps guys that didn't know how to control access to an origin:
https://awssecworkshops.com/

Don't just let everyone have admin + poweruser:
https://github.com/aws-samples/aws-permissions-boundaries-builder-session

Scaling your Sec footprint is a topic I rarely see addressed:
https://github.com/aws-samples/aws-scaling-threat-detection-workshop

Create checks in CICD bc infrastructure specific monitoring is for nought if Dev is allowed to push a web hook that spits out all private tables or volumes to anyone that finds a link: https://github.com/aws-samples/secure-pipelines-in-aws-workshop
 
Back
Top