Trump Administration Calls For Government IT To Adopt Cloud Services

According to Reuters, The White House said Wednesday the U.S. government needs a major overhaul of information technology systems and should take steps to better protect data and accelerate efforts to use cloud-based technology. The report outlined a timeline over the next year for IT reforms and a detailed implementation plan. One unnamed cloud-based email provider has agreed to assist in keeping track of government spending on cloud-based email migration. From the report: The report said the federal government must eliminate barriers to using commercial cloud-based technology. "Federal agencies must consolidate their IT investments and place more trust in services and infrastructure operated by others," the report found. Government agencies often pay dramatically different prices for the same IT item, the report said, sometimes three or four times as much. A 2016 U.S. Government Accountability Office report estimated the U.S. government spends more than $80 billion on IT annually but said spending has fallen by $7.3 billion since 2010. In 2015, there were at least 7,000 separate IT investments by the U.S. government. The $80 billion figure does not include Defense Department classified IT systems and 58 independent executive branch agencies, including the Central Intelligence Agency. The GAO report found some agencies are using systems that have components that are at least 50 years old.

Not a surprise.

[Gravis+Zero]

I'm not surprised that this administration has fallen for the shiny veneer of cloud services. However, the idea that this will improve security is laughable. I agree that we need to a technological overhaul using the latest protection but cloud services are not the solution and far from the panacea they claim to be.

Re:Not a surprise.

[greenwow]

I think you're being too cynical. AWS GovCloud is pretty damn nice:

http://docs.aws.amazon.com/govcloud-us/latest/UserGuide/whatis.html

Helped a friend move two web apps used by the state of Washington from their Windows 2000 servers with firewalls that hadn't been touched in over a decade to it. It's most certainly more secure now with revisited firewall (Security Groups in AWS-speak) and ELB (elastic load balancer) in front of the server with no direct access to the Windows servers.

Re:Not a surprise.

[Dutch+Gun]

Forgive me for slightly playing Devil's Advocate here. I'm also a bit wary of the rush to cloud services, but...

Haven't most of the worst security disasters we've heard of in the past few years come from companies or government departments losing control of their own in-house systems and data? So, what do you think is more risky... apparently incompetent IT management / staff who don't know how to keep things patched (e.g. Equifax, previous government SNAFUs), or the risk of turning over sensitive information to someone else, who one presumes has more expertise in keeping stuff secure.

For all the potential risks of cloud services, I haven't heard of too many major breaches of Amazon, Google, Intel, or Microsoft services, even though those have got to be very significant targets. Most "breaches" I've heard of involving AWS, for instance, are due to misconfiguration, not necessarily the fault of the platform.

If you read the article, you see a lot of compelling reasons for at least modernizing and consolidating many of those very expensive and often obsolete systems. Naturally, each federal agency has their own completely unique-as-a-snowflake system, and often pays many times what a more modern commercial system should typically cost. This is apparently an effort to get some runaway costs under control, and if it can be done safely, that's a big win. Whether this should be done with commercial cloud services rather than trying to consolidate internally is certainly a valid point of debate.

The worst of both worlds, of course, would be contracting with a cloud vendor who ALSO has incompetent management / IT staff. If the "unnamed cloud-based e-mail vendor" mentioned in the article turns out to be Yahoo, I'm going to sit in a corner and cry.

Re:Not a surprise.

[Salgak1]

The breaches on AWS have been, for the most part, the failure of users to actually configure the security correctly, if at all. Plenty of stories of failure to secure S3 buckets full of sensitive documents. More troubling, was the hazard of using systems that you don't control, as evidenced by the AWS East-1 outage in March of this year. . . .

Re:Not a surprise.

[MeNeXT]

I have mod points but I prefer to post on this.

I understand your point but you haven't shown how not patching on bare metal is less secure than not patching on the cloud. Unless you are saying to completely outsource all your IT to the cloud service providers including your business logic and getting rid of your IT department.

The other thing you haven't mentioned is why it would be more secure to host an OS which is hosted on a OS which is hosted on bare metal. The added layer of complexity adds potential avenues of attack.

The assumption that someone else can better manage your needs perplexes me. I use cloud services and bare metal. What I found is that cloud services tend to be less expensive as a point of entry but 3 to 4 times more expensive than bare metal when considering the whole investment. There is an assumption that the cloud service provider will take the same care as you would in preparing the network. While I can't vouch for every provider or judge them all. I found that in most cases, if you care about your business, you will take the time to ensure that all is in place but there is no way you can ensure that the cloud provider did.

With all that being said my last 5 outages were due to my cloud provider while my bare metal problems didn't result in any outages. Now I am not sure what caused their outages. Is it equipment failure? Was it a miss-configuration? Was it a security breach? I was told that it was always equipment failures but I thought and was sold the solution that the cloud can mitigate such issues better than bare metal.

My point in all this is that when you pass control to someone who you can't completely evaluate, it may come to bite you in the ass if you don't have a backup up plan. The other thing is, I am sure that Apple, Microsoft, Google, Amazon et al don't disclose all their security breaches that affect their clients and that is speaking from past experiences.

But your mileage may vary. I am just speaking from my anecdotal experience.

Hmmmm....

[twistedcubic]

Sounds like a bad idea. I wonder which cloud provider wrote this directive?

Goverment System = Secure Stable Durable

[rtb61]

The government should never use cloud services. They should by law be mandated to maintain, quite expensive hardened electronic data systems, backed up by manual, actual dead tree and pen and pencil systems. So that in the event of catastrophic failure which is inevitable, (major solar flare, impacts, extreme storm events, major geologic events et al). They can rebuild systems, this versus the idiotic lowest tenders, maximise this quarters profits, who gives a fuck what happens in a years time, so what if society suffers I have a bunker, moronic thinking. Oh look the orange orangutan likes cloud and his idiots council has been paid big time bribes so contract out to private for profit clouds. That way private corporations will control and access all government data for total control, well, right up until catastrophic failure and than a whole bunch of Americans die over years as the country slowly rebuilds. Stupid is as stupid does.

Re:Goverment System = Secure Stable Durable

[Tailhook]

As a result of working for DOD contractors at various times my identity information — extremely detailed identity stuff, like who I went to grade school with and every place I've ever lived and every foreign country I've ever visited — has been stolen from Federal government systems three times now. We see no end of criminality in the handling of the Federal government's electronic documents and no end to the incompetence and deliberate neglect in maintaining recoverable backups.

This Federal government you imagine of competent, conscientious and moral people that don't neglect things and don't destroy incriminating things is a fiction inside your head, and no amount of billions of dollars can ever make it real; it's broken by design. I can't see how moving the bulk of it to efficiently run and competently maintained cloud environments could do any harm, and it may well improve things in a number of ways. At the very least it may stop being trivially simple for the next Paul Combetta to doctor and erase the record.

Re:Goverment System = Secure Stable Durable

[Actually,+I+do+RTFA]

has been stolen from Federal government systems three times now.

It's worth pointing out that the OPM breaches were on servers maintained by contractors and other breaches were from other companies that the government outsourced background checks to.

Time-sharing

[vinn01]

You say "cloud services", I say "time-sharing".

Big system with segmented processes and storage. They were a security nightmare. The first international conference on computer security in London in 1971 was primarily driven by the time-sharing concerns. /get off my lawn

This is a really really horrible idea.

[jafac]

Recently a former co-worker told me about how his employer had migrated to cloud-based email, and federated login (and some other services). It was true that their IT infrastructure was horribly outdated, and in serious need of a complete overhaul, in order to continue meeting contractual requirements with customers.

But the way this migration was performed, was a complete failure. Over 6 months, they met NONE of their goals. Software license costs ended up being more than double what was estimated. During the migration, the login servers were compromised by a new exploit. There were several complete re-installs, and on every re-install, they found the system was infected or compromised again within minutes. They went through two "big-bang" replacements, where all systems were shut down over an extended weekend, and physical servers were replaced with the spares. As operations were halted, this costs them a huge amount of money. And the extra hours of IT and vendor service were costly. (law enforcement was also involved, and, my former co-worker tells me, there will be a lawsuit by the employees whose personal information was exfiltrated). The only real gain here, was the IT staff got good experience at disaster recovery practice.

In the end, the company's yearly numbers were completely blown. They lost customers, their reputation was damaged. They ended up cutting staff. (some of us already had a feeling that things were heading in a bad direction years ago, and left).

I really really wish that I could name names here. Not just the company but the vendors. This migration plan was announced ahead of time, and so many people drank the marketing cool aid - people who should have known better. But privately, the criticisms were flying, and exactly everything that sound reasonably thinking people said would happen, did happen.

I could go further - to the beginning of the whole "Cloud Services" craze. We've all had our doubts, and pointed out the obvious flaws. And even where a service like Amazon's QuickStart setups can supposedly configure everything to be fully secure and compliant. . . this service is deceptively over-simplified, and there are so many details that are left unspoken. Moving your IT out of your own data center to the cloud may look cheaper on paper, but shipping it to some one-size-fits-all cookie-cutter cloud service is not the answer. You're still going to need a shit ton of very skilled expertise to architect and configure it, and then you're still at risk. Because your data is not in your building under your physical control. Which is really your last line of defense when shit gets real. If you need to, you can unplug.