The intelligence community is building its cloud around the concept of integration — integration as a vehicle for data sharing, as a means for improving efficiency and effectiveness, and as an opportunity to standardize and optimize information security protocols.
One of the main concepts behind the Intelligence Community IT Enterprise, or ICITE, is that data is an asset to the entire community, not just the agency that collected it.
“This is really a revolutionary idea for the IC, where the data doesn’t belong to the organization that collected it,” said Jennifer Kron, deputy chief information officer for the IC, during an Aug. 24 webinar. “It belongs to everyone in the IC who has a need to know and the appropriate clearances.”
Before ICITE, each intelligence agency had its own heavily siloed system, and the systems weren’t interoperable. They also didn’t have standardized security measures. Kron said this led to substandard sharing, safeguarding and efficiency. Improving those three areas became the goals of ICITE.
ICITE is beginning to take shape as a composite of two different cloud systems: NSA’s government-provided cloud, aka GovCloud, and CIA’s C2S, a commercially operated cloud from Amazon Web Services.
The two systems play different roles to create one comprehensive system. C2S is a utility and compute cloud, providing infrastructure as a service. Meanwhile, GovCloud is a warehouse for big data storage and analytics.
Both systems are strictly classified at the top secret/sensitive compartmented information level, although the IC understands that it will have to work with other classification levels eventually.
ICITE will never be publicly accessible, however. The IC is using new safeguarding measures to ensure the security of the cloud and the data.
“Cloud can be an enabler to security,” Kron said. “We’ve long said the cloud environment can be seen as secure as/or more secure than the traditional environment if it’s properly managed and designed.”
Kron described securing the data in the cloud as more precise, like the difference between using a hammer or a chisel. The common language of security used in the cloud also creates trust between data stewards and security professionals who rely on that data.
One way this common language is taking shape is through the appointment of chief data officers throughout the various agencies of the IC, all of whom report to an overall CDO for the intelligence community. Whereas the varied, siloed systems used before didn’t facilitate communication or trust, this approach can standardize data policies.
Creating trust is another new concept the IC is using in this program to facilitate the adoption of cloud services.
Kron said that starts with effective policy.
“We recognize that a risk to one in this system is a risk to all,” she said. “Therefore we’ve established community governance forms that specifically address technical security aspects of ICITE, as well as the overall security risks.”
She said the security challenges are largely the same as those facing any other agency or commercial business: security integration, establishing responsibilities and accountability, performing effective audits, dealing with insider threats, and managing privileged users.
The main difference is building the trust in the cloud services in order to get agencies to adopt them.
“Security as an enabler of adoption is a powerful tool and allows us to see security in a different light,” Kron said. “Cloud security requires a multifaceted approach. … The IC is committed to bringing all weapons to bear on this challenge.”