
Testimony of Richard A. Spires, Chief Information Officer, before the House Committee on Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technology: "Cloud Computing: What are the Security Implications?"

Release Date: October 5, 2011

Cannon House Office Building

Chairman Lungren, Ranking Member Clarke, and Members of the subcommittee, thank you and good morning. Today, I will discuss the changes cloud computing is bringing to government and industry and how the Department of Homeland Security (DHS) is pursuing this capability to enhance mission performance and gain efficiencies in Information Technology (IT). This testimony also will provide an overview of the current state of cloud computing at the Department of Homeland Security, outlining the department's initiatives to move data to the cloud in order to implement the White House's "Cloud First" policy as specified in the "Federal Cloud Computing Strategy" issued February 8, 2011, and the "25 Point Implementation Plan to Reform Federal Information Technology Management" issued December 9, 2010. Finally, I will address the IT security challenges associated with cloud computing and how DHS is addressing such challenges.

Moving to the Cloud

First, allow me to explain what cloud computing is and why it is so vital. The legacy IT model of separate IT infrastructures for each system—both within the federal government and industry—must evolve to meet the growing customer demands within a budget-constrained environment. The traditional model is not well positioned to reduce time to market for new services or provide transparency for operational expenses. It also introduces higher risk due to up-front capital expenditures. Additionally, customized applications hosted in traditional data center environments cannot scale fast enough to support urgent demand in real-time. These challenges, in addition to potential security vulnerabilities, present a call to action for the federal government and industry.

Fortunately, we are experiencing an exciting change within the IT industry—the rise of cloud computing. This evolutionary transformation is fast replacing the legacy IT model not only within private industry but also within the federal government.

The National Institute of Standards and Technology (NIST), an agency of the U.S. Department of Commerce, provides the following definition of cloud computing in NIST Special Publication 800-145 (NIST SP 800-145):

Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.

Cloud computing provides the rapid delivery of computing resources inexpensively to multiple users from a centralized source of related and unique service offerings that is shared by many customers. To provide further context, this model is similar to business models deployed in the electric power, cable, or telecommunications markets. That is, within this model, customers do not fund upfront costs to fully stand up environments, or fund ongoing operations and maintenance costs. Instead these capital costs are borne by industry, while the customer only pays for services received in the consumption-based model.

NIST prescribes the following five primary characteristics of cloud computing:

  1. On-demand self-service. A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service's provider.

  2. Broad network access. Capabilities are available over the network and accessed through standard mechanisms.

  3. Resource pooling. The provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand.

  4. Rapid elasticity. Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out, and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time.

  5. Measured Service. Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service. Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.

NIST also identifies three discrete service offerings, each of a unique value to the customer. As customers move up this offering chain, they gain greater efficiencies, yet more standardization is required:

  1. Cloud Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls). This model provides the most flexibility for the customer; however, it will not provide all the potential efficiencies gained at the Software as a Service model.

  2. Cloud Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations.

  3. Cloud Software as a Service (SaaS). The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

Finally, NIST identifies four primary deployment models, which are generally accepted across government. These deployment models range from models that are more secure to those that are more available. Federal agencies will employ models based on risk-based decisions that address their financial, operational, and security needs. The four models include:

  1. Private cloud. The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise.

  2. Community cloud. The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise.

  3. Public cloud. The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.

  4. Hybrid cloud. The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).

DHS is currently focused on two of the four deployment models, private cloud and public cloud. DHS will house our private cloud computing capabilities within our two enterprise data centers, while our public cloud will be hosted by organizations selling cloud services. I will provide more detail on these momentarily, but first allow me to briefly address the differences between the cloud and the traditional IT business model.

The Benefits and Risks of Cloud Computing

Cloud computing is truly transforming the IT business. It is difficult to say which is more compelling—the cloud's significant scalability and rapid deployment, or full transparency for managing operational costs. For many, controlling and reducing capital expense (the expenditures used to acquire physical assets, including both equipment and office space) is uppermost, while others argue meeting demand is the foremost concern. The cloud addresses both and is clearly becoming vital to how we align IT to support mission and business requirements.

For example, the deployment of private cloud services at DHS enables the Department's many components to outsource hosting and other services capabilities to DHS's two Enterprise Data Centers (EDCs). This model enables components to pay on a per-use basis, rather than standing up isolated capabilities throughout the organization that duplicate efforts and costs. In fact, early projections for these services look to yield cost avoidance savings of 8 to 10 percent once we fully transition to private cloud infrastructure services.

As DHS moves more of its operations to cloud computing models, it will simplify the overall administration and oversight of its IT infrastructure. DHS will move from having to manage operations of its infrastructure at the server level, to one in which DHS ensures that cloud-based service level agreements (SLAs) are being met by the service provider. Such simplification will enable discretionary resources to be moved to better understanding and fulfilling customer needs, so that IT organizations can focus more of their efforts on addressing core business and mission needs.

Migration to the cloud, however, is not without information security risks. The Federal Cloud Computing Strategy specifies:

...it is not sufficient to consider only the potential value of moving to cloud services. Agencies should make risk-based decisions which carefully consider the readiness of commercial or government providers to fulfill their Federal needs.

It is important to recognize that many federal departments and agencies are targeted by Advanced Persistent Threat (APT) campaigns by adversaries that attempt to compromise government information systems to further their own objectives. These APT campaigns are aggressive, well financed, and difficult to detect and prevent. APTs target the systems necessary to achieve their goals, regardless of the cloud or traditional computing environments in use by the federal department or agency. Some cloud environments have capabilities necessary to defend against and provide recovery from these threats, such as advanced monitoring capabilities and cleared information security professionals, while other cloud environments may not, because the increased costs to provide these security capabilities may price their cloud offering outside of the competitive marketplace for their customers. Thus, the security capabilities of the cloud offering must be considered to determine cloud readiness before use by a federal department or agency; this is also why DHS considers use of both public and private cloud computing important, as I will discuss later.

Building the Cloud at DHS

At DHS, we are pursuing private and public cloud offerings. Specifically, we are establishing private cloud services to manage sensitive but unclassified information, while using the public cloud for non-sensitive information. We have already made significant strides through nine DHS cloud service offerings that are either in the planning, acquisition, or sustainment phase.

DHS has committed to nine current and planned private cloud services:

  • Email as a Service (EaaS): DHS is in the process of rolling out our messaging capability across Headquarters and Federal Emergency Management Agency (FEMA). We expect to have more than 100,000 users DHS-wide on this service offering by the end of Fiscal Year 2012 (FY12).

  • SharePoint as a Service (SHPTaaS): We are currently migrating Headquarters and United States Citizenship and Immigration Services (USCIS) users to our secure collaboration program. We expect to have nearly 90,000 users DHS-wide on this service by the end of the 2011 calendar year. This migration will significantly improve information sharing capabilities across DHS.

  • Development and Test as a Service (DTaaS): Establishing development and test offerings in the cloud will have tremendous positive impact on DHS. Currently, DHS has multiple development environments spread across the department and industry locations. Because all environments are different, moving new releases to production or changes to existing environments presents high risk and multiple challenges, and new releases or changes may not always work in production, leading to significant inefficiencies. Moving and hosting development and test services in our enterprise data centers provides not only a simple path to transition from project creation to implementation, but also accelerated delivery. In fact, we expect to provision new servers within one business day with this new capability, while the legacy model averaged up to six months to provision one server. Additionally, this service will provide on-demand testing and application management tools, which will significantly improve the quality of our new offerings. DHS plans to roll out DTaaS over the next 60 days.

  • Infrastructure as a Service (IaaS): Complementary to the Development and Test as a Service (DTaaS) offering is our Infrastructure as a Service (IaaS) offering, which provides virtualized production services, including operating systems, network, and storage, that are consistent with new industry standards. These services will provide a logical destination for code developed in the development and test environment. We aim to stand up new services in the cloud in less than one week, while the legacy model typically averaged up to 12 to 18 months. DHS expects to have initial IaaS capabilities by the end of the 2011 calendar year.

  • WorkPlace as a Service (WPaaS): Enabling a mobile workforce is a priority within the department. We are working closely with the Department's other line-of-business chiefs to modernize how DHS employees work. This offering will provide robust virtual desktop, remote access, and other mobile services over the next 24 months. This capability enables telework and Continuity of Operations (COOP), not only in the National Capital Region (NCR), but for DHS personnel nationwide. Additionally, we expect to reduce our out-year expenditures on traditional desktop and laptops as we consume more mobile enabling technologies.

  • Project Server as a Service (PSaaS): This offering will provide a robust project management platform to publish project schedules that can more easily be shared across offices, divisions, and components. We expect this service to better enable standardization of project management disciplines and directly support our efforts to improve the management of both IT and non-IT programs. DHS plans to make available PSaaS service within the next 30 days.

  • Authentication as a Service (AuthaaS): We have already established a core fundamental offering that provides robust authentication services across 250,000 federal and contractor employees. This service eliminated the need for duplicative authentication services, while significantly enhancing the department's information sharing needs. Nearly 70 DHS applications are using this service today.

  • Case and Relationship Management as a Service (CRMaaS): Over the next six months, we will roll out our Case and Relationship Management offering. This offering, leveraging Enterprise License Agreements (ELAs), will better enable CRM and case workflows across DHS. Utilizing these services, the department will be piloting a litigation case management capability for ICE, partnering with TSA on modernizing the redress service, improving customer relationship capabilities within USCIS, and deploying a regulations tracking service for DHS.

  • Business Intelligence as a Service (BIaaS): The department is already piloting an early version of a Business Intelligence capability which started in March 2011 and will run through FY12. The department will leverage this current offering to enhance transparency into departmental programming and expenditures. By the end of FY12, we expect the department will have visibility to information sources across the investment lifecycle, including IT, financial, human resources, asset management, and other information sources. Based on the successful pilot and maturing offerings in service, the department will look to move to a full Business Intelligence as a Service offering in FY13.

Establishing these private cloud services is critical to our success. Our private cloud offerings will provide real value to the organization. As mentioned previously, private cloud services will enable components to outsource secure, commodity IT services to DHS's two enterprise data centers to eliminate redundancy and reduce costs, while ensuring information security. Each service will be rolled out with a minimum "Federal Information Security Management Act of 2002" (FISMA) rating of Moderate or High. Clearly, our private cloud services will streamline our time to market and enhance our security posture, better enabling DHS to accomplish its mission.

But DHS is not wedded to only establishing private cloud services at its two enterprise data centers. We are embarking on a public cloud strategy as well. The department will leverage public cloud capabilities to enhance government-to-citizen-services and gain operational and financial efficiencies. In addition, the FedRAMP initiative will address critical security concerns of agency Chief Information Officers (CIOs) over the next few years by having cloud services receive provisional security authorities to operate.

The Department has three public cloud initiatives underway. Two are already deployed, and the third will be piloting in Quarter 1 of FY12.

  • Identity Proofing as a Service (IDPaaS): We successfully deployed an innovative identity proofing service in the cloud in March 2011. This offering met USCIS's E-Verify Self Check requirement to allow individuals in the United States to check their employment eligibility status before formally seeking employment and is the first online E-Verify program offered directly to workers and job seekers. This service is now available in more than 20 states, including the District of Columbia. This voluntary, free, fast, and secure service was developed through a partnership between the DHS and the Social Security Administration (SSA).

  • Enterprise Content Delivery as a Service (ECDaaS): For the past several years, DHS has used a cloud service for Enterprise Content Delivery (ECD) to ensure our public-facing Web sites are always available. The private sector uses this capability extensively, and DHS adopted ECD for protection against denial of service attacks, to help manage surge requirements, and to significantly reduce hosting costs. This service proved invaluable during the July 4, 2009, denial of service attack on multiple federal Web sites. DHS.gov experienced a nearly 100-fold increase in traffic, and no services were lost to the public. The Department has 70% of its externally-facing Web sites using this service today.

  • Web Content Management as a Service (WCMaaS): Finally, building off our success with our "RestoretheGulf.gov" implementation in the public cloud in late FY10, the Department awarded a public cloud hosting contract off the General Services Administration's (GSA) Infrastructure as a Service (IaaS) Blanket Purchase Agreement (BPA). Within this offering, the Department will leverage open source software hosted in the public cloud and consolidate all public-facing DHS Web sites. We expect to complete this consolidation over the next two years. During the next six months, the Department will pilot multiple Web sites in the cloud, including websites from U.S. Immigration and Customs Enforcement (ICE), United States Citizenship and Immigration Services (USCIS), and the Federal Emergency Management Agency (FEMA).

DHS has taken an aggressive stance regarding the use of both private and public cloud computing services. The Department continues to evaluate its enterprise needs, and we certainly expect to deploy additional cloud services. Further, as the FedRAMP model is deployed across the federal government, we anticipate that there will be a number of public cloud offerings that have been provisionally certified at the FISMA Low and Moderate levels within the next two years. Given DHS's mission, we believe a robust private cloud solution will always be needed for DHS's most sensitive applications and data. Further leverage of public cloud services will enable the government to ensure there is robust competition for such services, driving down costs and improving overall service levels.

Securing the Cloud at DHS

As stated earlier, at DHS, we are pursuing private and public cloud offerings, and the DHS cloud security strategy employs both public and private cloud services as a risk mitigation tool.

The move to DHS's private cloud model bolsters information security through the DHS IT security Defense-in-Depth (DiD) strategy. DiD is built upon a robust security architecture and enterprise architecture, and adopts the NIST definition of private cloud computing. Hosting in the enterprise data centers is a primary feature of the DHS private cloud and provides multiple subordinated services, allowing components and systems to inherit the enterprise security controls for system security. The DHS private cloud includes the full DHS enterprise security capabilities outlined in the DiD, including security operations, OneNet, Trusted Internet Connections (TICs), and Policy Enforcement Points (PEPs). These technologies come from the various programs within the layers of the DiD and aid in combating advanced threats, providing enterprise security controls to all users in DHS, regardless of their component and mission function.

For the DHS private cloud, we are leveraging continuous monitoring and migration to common controls at the DHS data centers. Embracing information security controls through an inherited approach allows large, complex organizations like DHS to build on economies of scale in a private cloud infrastructure to reduce the workload for individual system owners. As common controls are defined and vetted by the DHS enterprise and provided as a service to system owners, only the system-specific controls need to be defined and implemented by system owners. By centrally managing the development, implementation, and assessment of enterprise common security controls at the DHS enterprise data centers and through the DHS private cloud, security responsibility can be shared across multiple information systems.

While private clouds incorporate new technologies that may be challenging to secure, public clouds introduce additional risks that must be addressed through controls and contract provisions that ensure appropriate accountability and visibility. Though many distinctions can be drawn between public and private cloud computing, a fundamental measure of readiness is their ability to meet security requirements. By design, FedRAMP provides a common security risk model that supplies a consistent baseline for cloud-based services, including security accreditation designed to vet providers and services for reuse across government. Reducing risk and bolstering the security of clouds, while ensuring the delivery of the promised benefits, FedRAMP applies not only to public cloud services, but to private ones, too. Ultimately the consumption of cloud services requires acknowledgement of a shared responsibility and governance. Everything from the fact that accountability can never be outsourced from the Authorizing Official (AO) to the need to continue to meet government requirements demands acknowledgement of a shared responsibility between the cloud service provider and customer. For public clouds, there is a "visibility gap" between the provider and customer, in which they cannot see into each other's management, operational, and technical infrastructure and procedures. As such, the visibility gap must be reduced through a series of requirements for contractual reporting, technical auditing, and continuous monitoring data feeds. The key to secure use of cloud computing is the shared understanding of the division of security responsibilities between provider and client, and the ability to verify that both are meeting their responsibilities. As DHS advances in the use of public cloud computing, we will be ensuring we have the proper visibility based on a determination of risk given the cloud service and underlying data in order to ensure the security of our information.

New Challenges for CIOs

While cloud computing is fundamentally changing federal government IT, it is not without its challenges. The decision to embrace cloud computing is a risk-based management decision, supported by inputs from stakeholders, including the CIO, Chief Information Security Officer (CISO), Office of General Counsel (OGC), privacy official, and the program owners. From a security perspective, agency CIOs face a number of issues in delivering both private and public cloud capabilities. These issues range from determining different levels of security visibility and responsibilities, ensuring strong authentication, and adopting and implementing standards for cloud portability and interoperability, to establishing contingency planning that recognizes cloud computing is a shared capability and identifying new opportunities for real-time continuous monitoring capabilities, which require new audit technologies implemented within the cloud environment.

Cloud computing also leads to significant management and governance shifts for a department or agency. CIOs must work closely with acquisition, procurement, and finance communities to address the new business paradigm represented by cloud computing. While cloud computing requires some technological change, the most significant changes will be to the business and contracting models. Such models will need to ensure that agencies can move forward effectively with cloud solutions while maintaining necessary federal control and oversight, complying with federal procurement and competition laws and requirements, and managing funding limitations. CIOs must also address changes to the workforce based on this changing paradigm. As the cloud transforms the way CIOs deliver IT service, the traditional roles of IT specialists change, too. CIOs must provide leadership to update skills for existing personnel and recruit new staff in an environment under significant change.

These challenges are already inherent in the CIO's role. And, they have one thing in common—change. Perhaps above all, the cloud challenges CIOs to lead cultural change within their organization.

The Future of the Cloud

Looking forward, as FedRAMP and federal acquisition models mature, the options for federal agencies to leverage public and community clouds clearly provide real value to citizens. Continued work on information security challenges will increase the defensive capabilities of cloud offerings, increasing the assurance level and the ability for federal agencies to use cloud computing for more sensitive information.

For example, community clouds could provide agencies with a suite of specialized cloud hosting services that include the standard IaaS, PaaS, and SaaS offerings, with more robust security, business, and mission portfolio offerings such as financials, law enforcement, intelligence, medical/health, and the increased security and privacy controls necessary to process more sensitive information. The value of a community of cloud offerings across a broad suite of verticals for customers may be realized as the true evolution of the cloud in the years to come.

Looking five years into the future, the cloud service commodity market appears poised to grow exponentially, creating significant innovation as a result of intense competition. Federal CIOs must focus on preparing departments and agencies to help foster and welcome innovation that changes the way we do business. By embracing the opportunities of cloud computing, we will redefine the role and capabilities of IT in the federal government.

While we in the federal government face challenges to successfully implementing cloud capabilities to enhance mission performance and realize cost efficiencies, the benefits far outweigh the challenges. Already at DHS we are seeing reduced time to market for new capabilities, and soon, we will begin to reduce our capital expenditures while gaining transparency into our operational expenditures in ways we have never been able to before. In conclusion, we should not think of the cloud as simply a technology opportunity. It is a far more interesting discourse—and a significant change to the fundamental business model for how IT is delivered in the federal government.

Thank you.
