Slashdot Mirror

← Back to Stories (view on slashdot.org)

Department of Defense May Give Private Cloud Vendors Access To Top Secret Data

Posted by Soulskill on from the what-could-possibly-go-wrong dept.

An anonymous reader sends news that the U.S. Department of Defense is pondering methods to store its most sensitive data in the cloud. The DoD issued an information request (PDF) to see whether the commercial marketplace can provide remote computing services for Level 5 and Level 6 workloads, which include restricted military data. "The DoD anticipates that the infrastructure will range from configurations featuring between 10,000 and 200,000 virtual machines. Any vendors selected to the scheme would be subject to an accreditation process and to security screening, and the DoD is employing the Federal Risk and Authorization Management Program to establish screening procedures for authorized cloud vendors, and to generate procedures for continuous monitoring and auditing."

2 of 60 comments (clear)

  1. Not "The Cloud" by Eevee · · Score: 5, Informative

    They're looking for cleared contractors to set up private clouds in their facilities.

  2. Nonsense by luis_a_espinal · · Score: 3, Informative

    Except that 'cloud' at Lockheed is entirely 'in house' and not accessible from the outside world at all. Its certainly not available on the Internet.

    I seriously doubt that, as do many Chinese/Russian hackers. Even if the fileserver itself isn't on the internet, you can bet that client machines which connect to it are. I bet they allow VPN access to their internal network too, since they have more than one location.

    China and Russia already have the F-35 plans.

    As a former engineer at a defense contractor, I can say this: you cannot VPN to internal networks vetted for cleared work (aka "secured labs". In fact, you cannot even connected to secured labs from within an internal network. You have to physically walk in into a secured lab from where to connect to a secured network (where you have to sign in, sign out, and leave all electronic gadgets behind.) You cannot VPN nor work from home when you work on classified stuff. You need to be on-site on a partitioned network infrastructure.

    And once there, that secured network has only access to resources specific to designated projects on a 'need-to-know' basis, and only for work at or below a given security level.

    Meaning, a secret-level lab cannot access resources from a top-secret project, and/or top-secret lab A designated to work on project X cannot access resources allocated on secret lab B designated for project Y if projects A and Y are unrelated or firewalled even though lab A has greater clearance than lab B.

    You cannot even print in many of these labs. Any information that must be transmitted from one lab to another is permitted only by a IA officer that is not assigned to any project and whose only work is to enforce the firewalls. And when that information is permitted is via encrypted devices carried by hand (sometimes we refer to those as sneaker nets.) These labs are physically separated down to the wire (and sometimes backup power generators.)

    Nothing of the above can 100% prevent leakage due to stupidity or ulterior motives. But to assume that clients machine simply connect to a fileserver on a sec lab, that is just nonsense. It can happen due to malice or stupidity (I mean, anything not forbidden by physics or mathematics is possible). But that is not the general case, and as a result, you cannot simply presume it as a matter of fact.