CIA endorses cloud computing approach to bolster security

The CIA is building an internal cloud -- still a relatively new idea among federal agencies -- but won't be outsourcing data to Google or Amazon

WASHINGTON -- One of the U.S. government's strongest advocates of cloud computing is also one of its most secretive operations: the Central Intelligence Agency. But the CIA has adopted cloud computing in a big way, and the agency believes that the cloud approach makes IT environments more flexible and secure.

Jill Tummler Singer, the CIA's deputy CIO, says that she sees enormous benefits to a cloud approach. And while the CIA has been moving steadily to build a cloud-friendly infrastructure -- it has adopted virtualization, among other things -- cloud computing is still a relatively new idea among federal agencies.

[ Get the no-nonsense explanations and advice you need to take real advantage of cloud computing in InfoWorld editors' 21-page Cloud Computing Deep Dive PDF special report. | Stay up on the cloud with InfoWorld's Cloud Computing Report newsletter. ]

"Cloud computing as a term really didn't hit our vocabulary until a year ago," said Singer.

But now that the CIA is building an internal cloud, Singer sees numerous benefits. For example, a cloud approach could bolster security , in part, because it entails the use of a standards-based environment that reduces complexity and allows faster deployment of patches.

"By keeping the cloud inside your firewalls, you can focus your strongest intrusion-detection and -prevention sensors on your perimeter, thus gaining significant advantage over the most common attack vector, the Internet," said Singer.

Moreover, everything in a cloud environment is built on common approaches. That includes security, meaning there's a "consistent approach to assuring the identity, the access and the audit of individuals and systems," said Singer. But there are limits. The agency isn't using a Google model and "striking" data across all its servers; instead, data is kept in private enclaves protected by encryption, security and audits.

The CIA uses mostly Web-based applications and thin clients , reducing the need to administer and secure individual workstations. And it has virtualized storage, protecting itself "against a physical intruder that might be intent on taking your server or your equipment out of the data center," said Singer.

Speaking at Sys-Con Media's GovIT Expo conference today, Singer not only provided a rare glimpse into the IT approaches used by the agency, but also talked about one of its greatest challenges: the cultural change cloud environments bring to IT. A move to cloud environments "does engender and produce very real human fear that 'I'm going to lose my job,'" she said.

In practice, highly virtualized environments reduce the need for hardware administration and, consequently, for system administrators. Barry Lynn, the chairman and CEO of cloud computing provider 3tera Inc. in Aliso Viejo, Calif., said a typical environment may have one systems administrator for every 75 physical servers. In contrast, a cloud-based environment may have just one administrator for every 500 servers or more.

The CIA has "seen a significant amount of pushback, slow-rolling [and] big-process engineering efforts to try to build another human-intensive process on top of enterprise cloud computing," said Singer. "It will take us a good long while to break that."