A secure cloud requires a secure network

I architected and designed the first secure cloud for the U.S. DoD in late 2008. Check the dates; it precedes Amazon’s amazing cloud win. In fact, the project I did for the Air Force is where the budget came from for the DoD/Intelligence Community secure cloud. I can tell you who was present and the day that the determination was made to go forward and fund the project based on the pilot I designed. We were in a General’s billet at Andrews Air Force Base. I have the tick-tock, if you will. I don’t tell the story often, but it seems necessary to establish some credibility these days. So those are my bona fides to discuss secure cloud computing.

My concern is this article, "All IT Jobs Are Cybersecurity Jobs Now," May 21, 2017, from the Wall Street Journal, a place where executives go to learn what they need to run their business. A respectable publication. The article explains the corporate-level concerns of major enterprises from the most recent cyberattack. It gives expert advice. The second point the expert makes is this:

"2. Push everything to the cloud. It used to be the job of IT personnel was to build and maintain the tools employees need. Now, pretty much anything can be done better with a cloud-based service. “I mean, even the CIA uses Amazon’s web services,” says Dr. Bronk. “If there’s a best of breed, why not use it? If you want a safe car, go buy a Volvo.”"

As an expert in this exact situation, I say Dr. Bronk gave an incomplete and dangerous answer. I have been a strong advocate of cloud computing for 20 years, specifically for its security benefits when designed well. However, it must be pointed out that much of what makes a cloud secure is the network it utilizes. In fact, you can have a cloud environment that embodies every security measure you can think of, but if it didn’t reside on the CIA’s secure network, the CIA would not use it. That’s true for the NSA, DIA and DISA. Neither the CIA nor the rest of the DoD or Intelligence Community uses IBM’s, Microsoft’s, Google’s or Amazon’s public cloud. Why not? They all reside on the public internet, a porous, security-riddled, downright dangerous network for any transaction or data that is important to safeguard.

The key difference between the Amazon or any public cloud offering and the CIA cloud or other Community Clouds is the network. A network designed, regulated, and verified by the Intelligence Community, not Amazon. Amazon did not construct the network for the CIA. The CIA inserted the Amazon Cloud into the CIA’s existing network. Therefore, to suggest that a corporation should move their compute to Amazon AWS because the CIA uses it and it’s therefore safe is inaccurate.

The accurate answer is this. Most of a cloud computing platform’s security comes from the network it resides on and the network through which it is accessed. Therefore, your security evaluation should focus on the ability to have global, private, secure access to and from the cloud computing environment for yourself and all your potential customers. The problem is, none of the public cloud vendors can provide this to you. If they did, the CIA would use the public cloud; it would be easier.

I work with many colleagues to assist with this precise problem. We are busy making a global network more secure than the public internet so that it’s safe for our private data, transactions, and our children to traverse. We are also helping the government make their networks more secure with improved authentication and attribution techniques. But for experts to say that a cloud is secure without acknowledging that the network it resides in is the most important aspect of that security is incomplete. And when it appears in the Wall Street Journal as expert advice, I fear it is dangerous. It sets corporations back when we need to move forward.

We need a global, secure, attributed internet to resolve the systemic cyber security risks we face today. Can we save some space and oxygen for the experts to say that? Can our experts provide their bona fides so that corporate executives can select whose advice they wish to heed? I’ve provided mine.

Very well constructed argument

Correct, a Volvo is as safe as the tires on the car or where the rubber meets the road. This can also be said the same for networks and the hardware the cloud runs on.
