Case Study: US Department of Transportation - Cloud Security

U.S. Department of Transportation
Cash for Clunkers and the Cloud

The United States Department of Transportation (DOT) was established by an act of Congress and signed into law by President Johnson in 1966. Since then, the mission of the DOT has been to serve the United States by ensuring a fast, safe, efficient, accessible and convenient transportation system that meets the nation’s vital interests and enhances quality of life for the American people.

The Department of Transportation is composed of a number of different agencies, including the Office of the Secretary of Transportation (OST) and the National Highway Traffic and Safety Administration (NHTSA), but also encompasses aviation, rail, maritime and even pipeline administrations.

On June 24, 2009, President Obama signed the Consumer Assistance to Recycle and Save (CARS) Act, which directed the Secretary of Transportation (acting through NHTSA) to establish and administer what would come to be popularly known as the “cash for clunkers” program.

DOT by the Numbers
• 12 agencies
• 60,000 employees
• 100’s of citizen, business and government services managed

CARS:
• 18,000+ car dealers enrolled
• 680,000 older vehicles traded in for new, fuel-efficient cars
• Billions of dollars in rebates awarded

      The Challenge
      NHTSA was called on to lead the CARS program at the implementation level. Given the sheer size and scope – and
      just a 30-day timeline – everyone who could be spared within the DOT was pulled onto the project. That meant
      leveraging as many existing resources and services as possible, as well as working closely with DOT partners,
      systems and networks to make this mandate happen.

      Cloud computing was one obvious way to realize the kind of scale and speed that was required. However, at the
      time, cloud computing seemed to offer more problems than it solved, presenting security challenges that
      appeared to be incompatible with the government’s certification and accreditation process. To allow for efficient
      schedule execution, NHTSA broke the project into multiple stages, forging ahead with the cloud computing effort
      while planning to tackle the process for handling destruction and recycling of trade-ins after launch.

      On July 24, NHTSA opened the CARS system for car dealer registration, meeting the project deadline. This was the
      opportune time to address the security issues of cloud computing.

      While each of the cloud vendors NHTSA contacted offered security services (either as part of a standard offering or
      as a value add), they were all implemented, managed and controlled by the cloud providers themselves.
      Customers were given access to a console-based reporting system that offered them a way to track key performance
      indicators. Following the time-honored tradition of “trust, but verify,” NHTSA was uncomfortable with the fact that
      there was no way to independently validate the console’s metrics. And without the ability to accurately assess risk,
      the government’s Authorizing Official would not be able to sign off on a comprehensive cloud-based deployment.

      What NHTSA required was the ability to install Government Furnished Equipment (GFE) in the cloud provider’s
      data center, thereby gaining a measure of control over their deployment and effectively creating a verifiable trust
      model. However, all of the larger cloud providers NHTSA contacted at the time were unwilling to install GFE in
      their datacenters, with the sole exception of Terremark.

      NHTSA co-located a number of security controls, including the Layer 7 CloudSpan Gateway, at their local Terremark
      datacenter in order to monitor, measure and ensure that security controls were being properly implemented. With
      GFE-based continuous monitoring in place, NHTSA was able to proceed with certifying and accrediting Terremark
      as a third-party network – something almost unheard of in the US government.

The Solution
On July 27, dealers across all 50 states, as well as the District of Columbia, the Virgin Islands, Puerto Rico, the
Northern Mariana Islands, and Guam logged into the CARS application over the internet via a local point of
presence and entered the details for each clunker to be traded in. Akamai, one of the world’s largest Web-based
content distribution providers, established multiple points of presence for the Oracle on Demand-based CARS
application, providing failover and enhancing performance. Public data releases are processed centrally in an
Oracle database routed through the Terremark cloud, which could scale up on demand to handle the workload.

Layer 7, located within the Terremark datacenter, provided access control, validated the XML data stream coming
from the CARS applications and ensured consistency, and also provided message-level threat protection. All
interactions were logged to facilitate follow-up for forensic auditing, as required by the government.

The Results
With three billion dollars rebated in just over three weeks, and nearly 680,000 clunkers traded in for more fuel-
efficient vehicles, CARS is considered one of the biggest successes of the Obama administration. Taking place as it
did during the middle of the 2009 recession, CARS had a large impact on the economic recovery by saving or
creating tens of thousands of jobs, as well as by increasing GDP by an estimated $3.8 to $6.8 billion. Going forward,
the program will also result in a reduction of fuel consumption (~33M gallons annually) and CO2 emissions (~360K
metric tons annually) over the lifetime of the newly purchased vehicles.

CARS marked a significant step forward for the U.S. government into public cloud computing, just in time to
support a new Obama administration initiative: the Open Government Directive (OGD). OGD is designed to open
up vast amounts of U.S. government information stores to the general public, allowing developers to create
applications, mashups, and visualizations of the machine readable data to benefit their local communities. Every
federal agency is mandated to participate in OGD and publish information to, which will leverage NHTSA’s
experience with public clouds (and Layer 7) in order to accommodate the scale of the initiative.

    Consumer Assistance to Recycle and Save Act of 2009; Report to Congress, December 2009

            Copyright © 2011 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are
            trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners.
