CIA building secure cloud-based system

Computerworld - One of the U.S. government's strongest advocates for cloud computing is also one of its most secretive operations: the Central Intelligence Agency.

Jill Tummler Singer, the CIA's deputy CIO, said that the spy agency is adopting cloud computing in a big way based on its belief that cloud technology makes IT environments more flexible and secure when kept within a firewall.

While the CIA has been steadily building a cloud-friendly infrastructure -- it has long used virtualization technology, for example -- its decision to widely adopt cloud computing is a relatively recent one, Singer said.

"Cloud computing as a term really didn't hit our vocabulary until a year ago," she told an audience at Sys-Con Media's GovITExpo in Washington this month.

However, the agency's widely deployed virtualization technology, which abstracts the operating system and software from the hardware, "is the foundation of the cloud," Singer said. "We were headed to an enterprise cloud all along" without using the term.

Today, the CIA also uses mostly Web-based applications and thin clients, reducing the need to administer and secure individual workstations, she said.

Singer said that security is bolstered by the CIA cloud's use of standards-based technology that reduces complexity and allows for faster deployment of patches. "By keeping the cloud inside your firewalls, you can focus your strongest intrusion-detection and -prevention sensors on your perimeter, thus gaining significant advantage over the most common attack vector -- the Internet," said Singer.

Moreover, everything in a cloud environment is built on common processes. When it comes to security, for example, there is a "consistent approach to assuring the identity, the access and the audit of individuals and systems," she said.

Singer did note that there are limits to the CIA's use of cloud computing. For instance, the agency isn't using a Google model of spreading data across all its servers; instead, data is kept in private enclaves protected by encryption, security and audits, she said.

Cloud computing as a term really didn't hit our vocabulary until a year ago.

Jill Tummler Singer, deputy CIO, CIA

Singer discussed the CIA's cloud plans less than a month after White House CIO Vivek Kundra unveiled the first service in the U.S. government's new cloud computing initiative: a Web site where federal IT managers can buy online applications and basic computing services from Google Inc., Salesforce.com Inc. and other vendors.

Run by the U.S. General Services Administration, the new Apps.gov site is initially focusing on the sale of online applications. It will eventually add IT services such as storage, Web hosting and virtual machines.

The CIA won't be using Apps.gov as part of its cloud computing program; its classified and secret data will remain within the agency's firewalls, said Singer.

At the Sept. 15 unveiling of Apps.gov at NASA's Ames Research Center in San Jose, Kundra said he hopes that Apps.gov and future cloud-based offerings can help streamline the government's annual $75 billion IT budget through the use of cheaper commercial hosting services, and virtualization technologies that can load more applications onto its servers.

Input, a government market researcher, expects that government cloud expenditures will grow from $363 million this year to $1.2 billion in 2014. "I think this is probably a conservative estimate, considering the push from the administration," said Deniece Peterson, an analyst at Reston, Va.-based Input.

Obstacles to the adoption of cloud computing, including concerns about security and loss of control over data, may slow momentum, but Peterson said she expects to see "broader adoption and higher spending after the administration makes progress in some of the pilot programs it has planned."

Robert McMillan of the IDG News Service contributed to this story.

Read more about IT in Government in Computerworld's IT in Government Topic Center.