Collaboration Can Boost Government Cloud Security, VA and Army Leaders Say

Securing government cloud systems is necessary to prevent future attacks, emphasized cyber policy experts from the Cloud Safe Task Force, a group working to assess and enhance the security of government cloud infrastructure, on July 1.

Cloud systems are the next targets for adversaries who recently attacked the country’s critical infrastructure, said Cyber Warfare Office for the United States Cyber Command Maj. Julian Petty.

Collaboration and improving partnerships can boost national security, he said.

“It’s a unified data approach with same data tagging, logging, length and duration,” said Petty. “The adversaries are spending upwards of 365 days in our terrain. Why are we keeping only 90 days of retained data?”

The Cloud Safe Task Force consists of four non-profit corporations: MITRE, the Cloud Security Alliance, the Advanced Technology Academic Research Center, and the IT Acquisition Advisory Council. The task force holds semi-regular events and meetings with government and industry leaders examining cloud security.

Officials can feel safer by defining what they are sharing, said Google’s Director for Continuous Assurance Engineering Vikram Khare.

“I think it’s probably the ability to anonymize certain parts of the data sets,” he said. “It’s also going to be on nomenclature and schema. I think that’s really going to be driven by a consensus on what do we actually need to be sharing in addition to what we’re currently sharing.”

Considerations should be made when disclosing information, especially about vulnerabilities, using cloud technology provided by communications service providers (CSP).

“CSPs have a proprietary interest in their competitive advantages and also in protecting their processes and procedures,” said Dave Catanoso, director of Application Hosting, Cloud, and Edge Solutions for the U.S. Department of Veterans Affairs. “Other federal agencies, for example, also protect their internal processes and want to share vulnerabilities to their particular system. So, I think it’s a balancing act of how much information you share, and how you summarize it in a way that doesn’t disclose anything that will give an adversary a chance to act on it or a competitor an opportunity to exploit that against another competitor.”

According to Catanoso, accessing CSPs’ data could lead to improvements across government cloud systems.

“How can they feed us telemetry that would be standardized so that we can consume it and whatever tools we are using for each of our missions, and then get it in a way that is summarized by some form of AI,” he said. “We want to find a way to get telemetry we don’t normally get in a summarized way, telling us what’s happening outside of our space and what’s happening at the layer below our space that we typically don’t operate.”

Catanoso said he believes that one way the CSPs can work with agencies is by providing activity data.

“CSPs can provide a weather map of how much activity is out there in the world,” he said. “What is the source of it, what types of traffic is flowing, and what are the targets? Where are they surging and where are they not active?”