Cloud-based e-mail and archives for agencies sparks security concerns

Agencies that are routing e-mail through cloud-based data centers face a potential petri dish of security hazards, according to some computer specialists. But government officials say they are achieving better system integrity, and inexpensively, by using such services.

Following in the footsteps of the private sector, government agencies are outsourcing e-mail security and archiving to the cloud, or online environments managed by third-parties. Agencies pay for such services on a subscription basis rather than buying the software or hardware and maintaining it in-house.

"You're mixing different people's data in a cloudlike system. How do you prevent another organization's data that has been trojanized -- that has been poisoned -- from getting into your data?" said Tom Kellermann, vice president of security awareness at Core Security. The company sells security testing software to guard IT systems against threats.

"The data, much like a chemical gas leak, could pollute other environments," he added. "It's a petri dish really. If the cloud environment becomes polluted -- by one of the other entities that's storing data there -- how do you manage that risk?"

The Obama administration's fiscal 2010 budget recommends agencies begin shifting their computing environments to the cloud to rein in the $75 billion that the government spends annually on IT. The 2011 budget will require agencies to move toward cloud computing. Some agencies already are relying on hosted services to augment their IT divisions.

For example, the U.S. Institute of Peace is using a Google e-mail service to filter viruses, validate e-mails and comply with records management requirements. The service routes inbound and outbound e-mail through Google's data centers instead of the agency's servers. The city of Seattle and a Cabinet-level department that Google does not have permission to name also use such services.

Still, Peter Neumann, a principal scientist at the nonprofit research institute SRI International who studies network security, said, "E-mail is a problem because of forgery -- because people can do character assassinations anonymously ... you've got a disaster."

He added, "Given the very weak existing state of the art of computer-communication trustworthiness, including security, integrity, system survivability, privacy and related issues, much greater thought needs to be devoted to determining the extent to which outsourcing, off-shoring and abdicating responsibility for trustworthiness is sensible. E-mail and data repositories are just the tip of an enormous iceberg here."

But Doug Leins, chief information officer at the Institute of Peace, said, "We've never had a virus get through" the cloud. His 270-person agency is an independent institution Congress established to help prevent and resolve violent international conflicts. E-mail is essential to peace-building activities, such as educating the public through videos and disseminating research to policymakers. A recent effort was the 2006 Iraq Study Group, an assessment of the war situation on the ground, led by James A. Baker III and Lee H. Hamilton.

Malicious e-mails "can be pretty smart," Leins said. The body of a message will state, " 'Here's that information on Korea you requested' ... and meanwhile we're having a seminar on Korea that day."

The Internet-based service "filters everything going in and going out -- so that we don't send people spam" if an employee accidentally inserts an infiltrated jump drive after returning from overseas, he said. The security and archiving is powered by Postini, an anti-spam firm Google purchased in 2007.

Leins had positive experiences with the product at a law firm where he worked before joining the agency in February 2008. When he moved to the federal sector, he found that the tool also simplifies the task of preserving an agency's historical record. Instead of manually reviewing which e-mails are worth saving, employees can perform a Google search of the e-mails that are archived automatically. The institute began using the service for security purposes in December 2008 and added the archiving component in late March.

This particular service is for sale on Apps.gov, a newly launched online shopping site that offers federally approved cloud computing tools to agencies.

A data request from the National Archives and Records Administration, for example, typically would take hundreds of hours to complete, but probably now can be handled in just a couple of hours, Leins said. Say NARA wants certain e-mails associated with the Iraq Study Report, he said, then the institute can instantly generate a long list of all study-related e-mails, successively refine the hits with keywords and then export the pertinent results to the Archives in a file format that meets records management requirements.

"That's a gigantic time saver," Leins said. "Or if we ever got a FOIA request, with this, it's cake."

When an agency moves its e-mails into the Web-based archive, the data is no longer hogging space on its servers, noted Dan Israel, a product marketing manager for Google's federal group.

But Kellermann said many government chief information officers are myopically focused on flexibility rather than integrity. "The cloud will enhance resiliency efforts. However, the enemies of our government desire to infiltrate our systems via cyber and remain clandestine and persistent," he said. "Anyone familiar with IT security can also recognize that distributed, interconnected clouds also create as many potential risks as they may eliminate."

According to Leins, the rationale behind using Web-based systems is that they provide increased security and optimal methods for blocking malware, which agency security teams are often too understaffed and underfunded to deploy themselves.

Google's security experts become an extension of the agency's IT team, providing reinforcement that otherwise would be cost-prohibitive, Israel added.

Leins noted that most government agencies share physical data warehouses located throughout the country to backup their own data. "There are fundamental similarities between this approach and storing information in the cloud," he said.

"Yes, the different customers that we are working with will have data stored within the same data center," Israel said. "But there are ways that we virtually partition the data.... There is no chance that your data is going to be put in another Postini customer's archive."

Adam Swidler, product marketing manager at Google Enterprise, said the same is true of security services. "There is no possibility of somebody else's messages being quarantined with yours," he said.

Some security specialists agreed that Google's cloud environment, and those of other big providers such as Microsoft, likely is safer than an agency's security fortress. But the effect of a breach to any cloud service could be more dramatic.

"By consolidating [IT services], you raise the security profiles of many of them," said Jose Nazario, manager of security research with Arbor Networks, a security company.

The petri dish phenomenon is a low risk, he added. Nazario has yet to see an attempt to muddy the cloud succeed, although hackers are trying. "The impact of any such breach would be just truly catastrophic," he said.