Can sensitive data for tactical military environments be protected in the cloud?
April 19, 2012
When storing, accessing, and disseminating military data in the cloud, top concerns include security, data reliability and redundancy, and data location. The good news is that these can be delivered when secure virtualization pairs with a distributed cloud computing scenario.
While the promise of cloud computing, with its lower costs and improved access through utility computing and storage, is very attractive, it is currently difficult to achieve for users with highly sensitive data.
Consider the case of a warfighter who has identified a threat that must be reported. The warfighter sends the data directly back to his command where others can use it to take action and prevent casualties. Shortly after the data is sent, the warfighter is injured. A medic scans the warfighter’s dog tag and accesses his medical history. The medic stabilizes him and inputs answers to several key medical questions that enable prompt, effective treatment after transport. While the warfighter is being treated, the data he sent earlier has been analyzed and tactical plans have been developed. On a carrier hundreds of miles away, pilots are being briefed about their target.
Key to the success of the aforementioned scenario is not only the way that military personnel access and input data but how easily that information can be stored and communicated to interested parties, without compromising the security of the information. Today’s military is striving to enable warfighters with useful, actionable data and also equip them with the tools to capture and report critical data. In essence, there are efforts to push data access to the front, where data can be most effectively used. Data capture is also being enabled at the front, from the warfighter and from sensors, in order to obtain the most recent and useful data.
A natural way to further this approach is through some form of non-public cloud. A cloud approach – whether private, community, or a hybrid – would provide a host of benefits, including significant cost savings and increased agility for military organizations. Yet there are multiple challenges to deploying these kinds of tactical solutions today using current cloud technologies. Pairing secure virtualization with a distributed computing approach offers a viable answer to the military's concerns about data security, reliability, and location within a cloud computing environment.
Gathering storm: Security in the cloud
Security remains the greatest concern about using the cloud, even for private and community clouds. Questions being raised include:
- If all our key data is in the cloud, won’t it be a more tempting, target-rich environment for hackers?
- With key data in the cloud, what happens if the cloud environment is impacted by a natural or manmade disaster?
- How can we take advantage of the cost savings of the cloud while still maintaining the separation needed between data classifications: unclassified, secret, and top secret?
The good news is that through a creative combination of highly secure virtualization and distributed computing, technologies are already available to address these concerns.
While all data may be “in the cloud,” it doesn’t mean it needs to be kept in one location, either physical or virtual. One way to limit what an attacker gains from compromising any single site of a private cloud is to use a distributed computing approach. With a distributed approach, multiple physical data centers make up the cloud and data is spread among the servers at various locations. Data isn’t replicated in full on each server; rather, shards, or pieces of each database, are spread across the servers as designated by redundancy and location policies created by the administrator. Because the data is not all in one location, an unauthorized person who gets hold of one site's storage obtains only fragments rather than meaningful data. For example, a database of key targets might be sharded so that the ID of a target is on a server at site A, the location of the target is on a server at site B, and the people associated with a target are on a server at site C. Note that sharding protects data at rest on a single compromised site; anyone who can issue queries through the database layer with valid credentials still sees the joined view, so sharding complements access control and encryption rather than replacing them.
Because each shard of data is in multiple locations as defined by the redundancy policy, if a site experiences a catastrophic failure, no data will be lost and users will be able to access data from nodes at other sites. With a distributed data approach, even if a cloud data center is attacked and all data is lost at that location, the system knows where all the replicas of each shard of data are located and the system continues to operate without that data center. The system also recognizes that additional replicas of the shards that were stored at that data center must be created to adhere to the redundancy policy. As an example, the target data entered by the warfighter may have been stored in a nearby cloud server, or node. If that node was destroyed shortly thereafter, the target data would not be lost, as replicas were created and stored on multiple servers immediately after the data were entered.
While distributed computing improves security for cloud-based data, an extra-secure virtualization technology is required to fully realize the cost savings of cloud computing and the ability to host multiple networks on a single system. Secure software virtualization was created to address the needs of tactical military systems that require information and applications operating at different security levels to securely coexist on a single hardware platform. This removes the need for the costly deployment of multiple computer systems to facilitate communications and information from different forces or different intelligence levels in the battlefield.
Virtualization has become a major enabling technology for moving to the cloud by allowing multiple applications to co-reside on a single server platform and efficiently serve different types of data and applications to clients that connect to it. Size, Weight, Power, and Cost (SWaP-C) are usually improved with virtualized systems, which can be critical in field deployments. However, in a typical virtualized system, the virtualization of memory and devices is handled by one large body of hypervisor code that forms the trusted computing base for every guest; hence, a breach of that code gives access to all of the memory and devices on that physical system, regardless of which guest the attacker started from.
Sidebar 1: Secure virtualization has two primary must-haves: a separation kernel and secure hypervisor.
Clearly this approach is not secure enough to allow different types or levels of sensitive information to reside on a single system. With secure virtualization (see sidebar), memory and devices are truly separated by the separation kernel rather than by the guest operating systems, which allows different applications to coexist securely. In our example, the aircraft carrier has space constraints for computing systems and this favors the ability to have applications with multiple security classifications on the same system (Figure 1). The top-secret target information can be securely stored on the same system as the warfighter’s medical data because they are completely compartmentalized.
Figure 1: Tactical military clouds can be used to store and share data at multiple classification levels using secure virtualization and distributed data management to maintain data security and resilience.
A closer look: Resilient data through distributed clouds
Right behind security, the next major concern for military organizations considering a move to the cloud is resilience. Cloud computing offers the potential of greater application and data availability yet also involves new risks as seen in the frequent outages in the commercial sector. Several multiday outages affecting large numbers of users have been well publicized in the past couple of years. Clearly, tactical military clouds need very high availability. In our example, the inability to get target information or warfighter medical data when needed would be unacceptable.
When it comes to system reliability, a distributed approach for applications and data enables high availability and resilience in the cloud. In place of the typical centralized application infrastructure stack – storage, relational database, application runtimes, and load balancing – these capabilities are instead cooperatively provided by identical nodes that may be deployed in a cloud, whether private or community.
With this design, the application infrastructure can be placed wherever needed around the globe, enabling mobile deployments, such as ships or vehicles, and locations near the front, to reap the benefits of the cloud. Scaling the system is as simple as adding nodes where they are needed.
The “brain” of such a system, the geographically distributed relational database, resides in multiple locations and provides local-like application performance, yet functions as one entity. The database that contains the warfighter’s medical history could benefit from this approach. The information appears and acts as though it is being processed from a centralized database even though it is geographically distributed. The processing is real time and satisfies Atomicity, Consistency, Isolation, Durability (ACID) guarantees; reads can be served from a nearby replica, while a transaction that must commit durably across sites pays the round-trip latency between those sites. There is no active-passive concept for the nodes; all nodes are equal, and there is no “master node.”
Because the data is stored redundantly across nodes based on policy, the system can continue processing if a node or site fails, while automatically rebuilding redundancy. The self-healing architecture recognizes possible problems and automatically adjusts to prevent a disruption in service. For instance, if the node usually accessed by the warfighter failed, he would be automatically redirected to another node in the system.
Moreover, because all nodes provide the required application services in a resilient fashion, organizations no longer need to set up and maintain dedicated failover sites. No resources are dedicated purely to disaster recovery; instead, surplus resources are used to satisfy increases in application demand and improve performance for application users. When resources are deployed redundantly across independent failure domains, individual failures don’t result in outages and five-nines availability becomes attainable. The result is that a well-designed military cloud can be incredibly resilient and highly available.
Location, location, location for cloud data
Another hurdle for military organizations considering cloud solutions is the currently limited ability to control the location of data in the cloud. Some DoD organizations might require the ability to restrict the data’s location. For instance, data shared by coalition forces may be of the same classification, yet each of the coalition partners may have data that should not exit their facilities.
Data governance must be an integral part of a distributed database and application system in order to reduce the cost and risk associated with compliance management. Data location policies allow administrators to establish rules for where data can or cannot be stored.
For example, by establishing location policy rules, administrators can specify that certain tables or portions of tables must or must not be stored in various locations. If critical data must be stored only in a particular region, or may not be stored at locations with inferior physical security, administrators can pinpoint these restrictions. Policies can also be designed so that data rules are enforced as data is created and updated, ensuring that systems are always in compliance with established policies.
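The placement logic behind the redundancy policy described earlier (each shard kept at several sites, replicas rebuilt when a site is lost) and the location policy described here (certain tables must or must not be stored at certain sites) can be sketched in a few dozen lines. The following is an added example written for this article, not TransLattice's or LynuxWorks' code: the site names, the numeric security tiers, the greedy spread-across-regions rule and the `Placer` API are all hypothetical. It also shows the failure mode a practitioner needs to plan for: after a site is destroyed, rebuilding redundancy must still respect the location policy, so a shard can end up below its replica count rather than being copied to a site it is not allowed on.

```python
"""Shard placement under redundancy and location policies (hypothetical model)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Site:
    name: str
    region: str
    security_tier: int  # higher = stronger physical security (hypothetical scale)


@dataclass(frozen=True)
class Policy:
    replicas: int                          # redundancy policy: copies to keep
    must_region: Optional[str] = None      # location policy: stay inside this region
    min_security_tier: int = 0             # location policy: never on weaker sites
    denied_sites: frozenset = frozenset()  # e.g. a coalition partner's facilities


class Placer:
    def __init__(self, sites):
        self.sites = {s.name: s for s in sites}
        self.alive = set(self.sites)
        self.policies = {}   # fragment name -> Policy
        self.replicas = {}   # fragment name -> set of site names holding a copy

    def eligible(self, policy):
        """Live sites that satisfy every location rule of the policy."""
        return [
            n for n in sorted(self.alive)
            if (policy.must_region is None or self.sites[n].region == policy.must_region)
            and self.sites[n].security_tier >= policy.min_security_tier
            and n not in policy.denied_sites
        ]

    def _load(self, name):
        return sum(name in holders for holders in self.replicas.values())

    def _choose(self, policy, have):
        """Pick extra sites to reach policy.replicas copies, spreading across regions."""
        candidates = [n for n in self.eligible(policy) if n not in have]
        candidates.sort(key=lambda n: (self._load(n), n))  # least-loaded first
        chosen, regions = [], {self.sites[n].region for n in have}
        for n in candidates:                                # one copy per region first
            if len(have) + len(chosen) == policy.replicas:
                break
            if self.sites[n].region not in regions:
                chosen.append(n)
                regions.add(self.sites[n].region)
        for n in candidates:                                # then fill remaining slots
            if len(have) + len(chosen) == policy.replicas:
                break
            if n not in chosen:
                chosen.append(n)
        return chosen

    def place(self, fragment, policy):
        """Enforce policy at write time: refuse rather than store out of policy."""
        chosen = self._choose(policy, set())
        if len(chosen) < policy.replicas:
            raise ValueError(f"{fragment}: only {len(chosen)} eligible sites for "
                             f"{policy.replicas} replicas")
        self.policies[fragment] = policy
        self.replicas[fragment] = set(chosen)
        return sorted(chosen)

    def lose_site(self, name):
        """Site destroyed: drop its copies, rebuild redundancy, report what stays degraded."""
        self.alive.discard(name)
        degraded = {}
        for fragment, holders in self.replicas.items():
            holders.discard(name)
            policy = self.policies[fragment]
            holders.update(self._choose(policy, holders))
            if len(holders) < policy.replicas:
                degraded[fragment] = len(holders)  # location policy blocks full rebuild
        return degraded


SITES = [  # constructed sample sites, not real facilities
    Site("ship-A", "pacific", 2), Site("fob-B", "pacific", 1),
    Site("conus-C", "conus", 3), Site("conus-D", "conus", 3),
    Site("ally-E", "europe", 2),
]


def demo():
    p = Placer(SITES)
    # target locations: three copies, never on low-security sites, never at the ally
    targets = p.place("targets.location", Policy(
        replicas=3, min_security_tier=2, denied_sites=frozenset({"ally-E"})))
    medical = p.place("medical.history", Policy(replicas=2))
    degraded = p.lose_site("ship-A")      # the forward node is destroyed
    return targets, medical, sorted(p.replicas["targets.location"]), degraded


if __name__ == "__main__":
    print(demo())
```

In the sample run the target fragment lands on conus-C, conus-D and ship-A; after ship-A is lost, the only remaining eligible sites already hold copies, so the planner reports the fragment at two replicas instead of copying it to ally-E or fob-B. That report is the signal an operator needs: either the redundancy policy must tolerate the expected number of site losses with the eligible sites available, or an additional eligible site must be provisioned. Treating the shortfall as an alarm rather than silently relaxing the location rule is what keeps the system "always in compliance" in the sense the text describes.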
If both private and community clouds are planned, data may be initially deployed on private clouds. As community members become comfortable with the security and policy measures, data can be moved to community clouds where it can be shared. An even more conservative approach would be to begin with a mix of on-premises nodes and private cloud nodes, migrating data to private clouds as confidence in the cloud infrastructure grows, and finally to community clouds as appropriate.
Secure virtualization enables cloud-based systems
When the resilience and data jurisdiction offered by distributed data technology are coupled with secure virtualization, the true economies of scale of a cloud-based approach can be realized. Virtualization is critical to successful cloud deployments, especially those in field-hosted environments, because of SWaP-C reduction for each deployment. However, secure virtualization is needed to enable cloud-based systems to handle sensitive data. The additional compartmentalization provided by a secure virtualization platform allows data processing and storage at different security classifications on a single hardware platform.
Secure virtualization along with data location control and very high availability are key to mission-critical military deployments that support multiple data classifications. Cloud solutions designed to protect sensitive data for these kinds of tactical military environments are now attainable using secure virtualization in a distributed computing environment.
Louise Funke is VP of Marketing at TransLattice and has extensive experience in the marketing and delivery of technology solutions. Prior to TransLattice, she served as VP of Marketing for BlackHog, a supply chain software developer. Previously, at Sun Microsystems, Louise managed product introduction teams for the federal market. She holds an MBA from the Stanford Graduate School of Business and a BS in Industrial Engineering from U.C. Berkeley. She can be contacted at [email protected]
TransLattice 408-749-8478 www.translattice.com
Robert Day is Vice President of Marketing for LynuxWorks. With more than 20 years in the embedded industry, his most recent position prior to joining LynuxWorks was heading marketing for Mentor Graphics’ embedded software division. Based in San José, California, Robert is a graduate of The University of Brighton, England, where he earned a Bachelor of Science degree in Computer Science. He can be contacted at [email protected]
LynuxWorks 408-979-3900 www.lnxw.com