8/2/2019 US Department of Transportation - Cloud Security
The United States Department of Transportation (DOT) was established by an act of
Congress and signed into law by President Johnson in 1966. Since then, the mission of
the DOT has been to serve the United States by ensuring a fast, safe, efficient,
accessible and convenient transportation system that meets the nation's vital
interests and enhances quality of life for the American people.
The Department of Transportation is composed of a number of different agencies,
including the Office of the Secretary of Transportation (OST) and the National
Highway Traffic and Safety Administration (NHTSA), but also encompasses aviation,
rail, maritime and even pipeline administrations.
On June 24, 2009, President Obama signed the Consumer Assistance to Recycle and
Save (CARS) Act, which directed the Secretary of Transportation (acting through
NHTSA) to establish and administer what would come to be popularly known as the
"cash for clunkers" program.
The Challenge
NHTSA was called on to lead the CARS program at the implementation level. Given the sheer size and scope, and
just a 30-day timeline, everyone who could be spared within the DOT was pulled onto the project. That meant
leveraging as many existing resources and services as possible, as well as working closely with DOT partners,
systems and networks to make this mandate happen.
Cloud computing was one obvious way to realize the kind of scale and speed that was required. However, at the
time, cloud computing seemed to offer more problems than it solved, presenting security challenges that
appeared to be incompatible with the government's certification and accreditation process. To allow for efficient
schedule execution, NHTSA broke the project into multiple stages, forging ahead with the cloud computing effort
while planning to tackle the process to handle destruction and recycling of trade-ins post-launch.
On July 24, NHTSA opened the CARS system for car dealer registration, meeting the project deadline. This was the
opportune time to address the security issues of cloud computing.
While each of the cloud vendors NHTSA contacted offered security services (either as part of a standard offering or
as a value add), they were all implemented, managed and controlled by the cloud providers themselves.
Customers were given access to a console-based reporting system that offered them a way to track key performance
indicators. Following the time-honored tradition of "trust, but verify," NHTSA was uncomfortable with the fact that
there was no way to independently validate the console's metrics. And without the ability to accurately assess risk,
the government's Authorizing Official would not be able to sign off on a comprehensive cloud-based deployment.
What NHTSA required was the ability to install Government Furnished Equipment (GFE) in the cloud provider's
data center, thereby gaining a measure of control over their deployment and effectively creating a verifiable trust
model. However, all of the larger cloud providers NHTSA contacted at the time were unwilling to install GFE in
their datacenters, with the sole exception of Terremark.
NHTSA co-located a number of security controls, including the Layer 7 CloudSpan Gateway, at their local Terremark
datacenter in order to monitor, measure and ensure that security controls were being properly implemented. With
GFE-based continuous monitoring in place, NHTSA was able to proceed with certifying and accrediting Terremark
as a third-party network, something almost unheard of in the US government.
DOT by the Numbers
12 agencies
60,000 employees
100s of citizen, business and government services managed
CARS:
18,000+ car dealers enrolled
680,000 older vehicles traded in for new, fuel-efficient cars
Billions of dollars in rebates awarded
U.S. Department of Transportation
Cash for Clunkers and the Cloud