The Veterans Affairs Department is reconsidering how it can use cloud computing services. Three years after deciding this new approach to technology delivery wasn’t for the agency, VA is having second thoughts specifically around the use of public or commercial cloud services.
Earlier this month, VA’s chief information officer’s office held an offsite meeting to develop a new strategy. Paul Tibbits, VA’s deputy CIO for architecture, strategy and design, pulled together stakeholders from across the VA, including the general counsel, the inspector general and program folks as well as experts from the Homeland Security Department, the General Services Administration, Gartner and Mitre to discuss how the cloud has changed and where VA can take advantage of those improvements.
Steph Warren, the VA CIO, said the agency hasn’t been out of the cloud per se, but it hasn’t taken advantage of the commercial or public cloud like many other agencies.
“The point of this meeting was to identify, given that there is a White House desire to move folks more to the cloud, we wanted to walk through what do we need to do. We do have internal clouds to the VA. We have several applications that are running in a virtualized world, which is effectively a cloud. We also have a couple of private clouds at other vendors, and that isn’t necessarily getting the best economic return for some of these large scale systems,” Warren said recently during his monthly briefing with reporters. “The point of this meeting is: What are the standards? What is it that we can do? What are the blockers? Are there policy blockers? Are there knowledge blockers?”
He said the strategy is trying to best determine how VA can take advantage of public clouds, and where do they need to go with the private clouds.
Warren said he expects the strategy to detail the best path they can take to cloud as part of their architectural strategy. He said the end goal is to release new capabilities more quickly for veterans and their other stakeholders.
“I’m expecting probably within 30 days that Dr. Tibbits will wrap up what the recommendation is coming out of it,” he said. “I was very specific when I kicked off the meeting. I am not looking for a consensus solution where we go to lowest common denominator. I want to hear [about] what are the things we need to do, and allow for minority opinion so we can work through those. Too often when we have something like cloud, there’s about 14 or 15 different contextual things that need to be resolved and folks bury them and make decisions at such a level that the answer is so generic and bland it doesn’t mean anything. So I said tease out the bright lines, tease out the critical factors, tease out the assumptions and contextual things that limit what we are doing and why, and let us take those on one at a time so we can make sure the strategy we use is one where we know what the underlining assumptions are and we fully support them.”
Opted out for several reasons
Warren said his office would work through the recommendations and figure out how to work through them both in the short and long terms, and solve any roadblocks.
Up until now going to the public could was not an option for VA. So now VA is taking a look at both the technology and policy issues it would have to overcome to use a commercial or public cloud.
In 2012, VA awarded a contract for cloud email but ended up cancelling it in mid-2013 after the agency decided its requirements changed.
In the end, VA stuck to internal or more secure clouds for several reasons, Warren said.
“We had an opportunity about three or four years ago to move out into the cloud and it was blocked because there were some concerns about records retention,” he said.
“What we are taking on in this meeting is if this is a concern, lay it out and let’s work it through. It’s a desire to make sure we are as nimble as we can be. We are as responsive to our customers as we can be, while making sure we protect the data. One of the sub-conversations that’s taking place there is how do we make sure any public cloud or any contractor cloud is compliant with the presidential directive on the Trusted Internet Connection (TICs), which is how you run through control gateways.”
Additionally, Warren says VA is interested in the Federal Risk Authorization Management Program (FedRAMP) high baseline. The three lead agencies, the General Services Administration, the Defense Department and the Homeland Security Department, are developing the standard for systems that need more security under unclassified networks.
Warren said VA also is looking at the medium baseline standard too.
He said any move to the cloud is about making the right decisions based on cost, responsiveness and reliability.
Cyber attacks growing exponentially
The security piece is especially important for VA as its come under intense pressure from Congress over the last 18 months for what some say are a lack cyber rigor.
The cloud could offer some help to deal with an ever-growing cyber threat that VA and most other agencies are facing.
Over the last four months, VA has seen the number of attempted intrusions and attacks grow exponentially. For example, Warren said the agency saw almost 1.2 billion attempted malware infections in March, which is up from 300 million attempted malware infections in November.
He also said the number of intrusion attempts increased to 350 million in March from 15 million in November.
Warren said the VA security operations center is beginning to get overwhelmed by the volume and rate of attacks.
“We are continuing to the depth. We are continuing to add to the capability. We are continuing to bring tools on,” Warren said. “Whether it’s at 5 billion a month or above 5 billion a month, we just don’t know. I think it was Stalin who once said there is a quality to quantity. At a certain point, it doesn’t matter how bad they are, there are just so many you will get through. I’m not sure where the break point is. The team is pretty much saying, ‘Steph, you’ve been saying if, we are telling you that you have to be more sensitive to the fact that the volume is growing at a rate that is just unbelievable and unexpected.”
And the numbers VA released don’t include those attempted hacks that DHS’ Einstein program stopped, meaning there probably are more attempts than what VA is reporting.
While Warren didn’t yet address how the cloud could impact VA’s security posture, he says his office is taking several steps to deal with the huge number of threats.
“We’ve gone through all of our government furnished equipment. We’ve validated those and have an ongoing process checking the security configuration of those GFEs when it hooks up to the network. So we are very active on that and shutting down any other mechanisms to come in,” he said. “We also are continuing to work on all our external networks, interconnections so monitoring those networks, monitoring the data that’s on it. We are continuing to build on role-based training in terms of folks understanding the difference from just a general consumer of IT services to someone who has specific responsibilities with our system administrators — we have two-factor plus so they all require [HSPD- 12] cards to log in and then we use tokens on top of that for them to do their system administration functions. We also are doing ongoing scans on our Web-facing applications. We’ve got our continuous cycle circulating through all of the packages and as we find things we remediate and then we continue our way through to make sure we are keeping up with changes and keeping up with new threats that are identified.”
Warren added VA continues to work with DHS to turn on more protections and get help to protect their networks whether it’s through Einstein or the Continuous Diagnostics and Mitigation (CDM) program.