Why Israel's Ministry of Defense is moving to the public cloud
Israel is known globally as being one of the savviest, most conservative nations when it comes to security of all types -- especially cybersecurity involving the military and government. So when the office of the country's Ministry of Defense (MoD) revealed 10 months ago that the government is moving its data stores to the public cloud from extremely secure physical data centers and a connecting private cloud, some security experts shook their heads in disbelief. But others realized what was really happening.
"Five years ago, I would have been surprised, but I am not now," Patrick Moorhead, president and principal analyst at Moor Insight & Strategy, told ZDNet. "(But) once hackers received access to nation state-size budgets, everything changed. Only the budgets of the largest governments eclipsed the budgets of the hackers, and for everybody else, there was the public cloud."
It took about a decade (2006 to roughly 2016) for most mainstream businesses to completely trust their crown-jewel business and financial data to cloud data stores. It took Israel's government a lot longer than that, but here in 2022, the office of the Minister of Defense now believes it has the right technology to make the transformation.
Dubbing its use case Project Nimbus, Israel selected a proposal from AWS and Google that edged out IBM, Microsoft, and Oracle in the bidding for the cloud infrastructure contract and are developing cloud data center sites within Israel under an initial 4 billion-shekel investment -- the equivalent of $1.22 billion, Reuters reported. The report said that the cloud sites would keep the government and military data within Israel's borders to adhere to strict data security regulations.
This is a multi-year cloud services project that includes four phases and four tenders. AWS and Google won the cloud infrastructure construction contract. According to Haaretz, an Israeli newspaper, consulting firm KPMG won the bid to help set up a Cloud Center of Excellence and establish a government cloud migration strategy, beating Ernst & Young, McKinsey and HPE.
Israel is moving its security apparatus to public cloud-based confidential computing, an emerging approach to encrypting data while it is running in memory. The phrase "confidential computing" describes services and solutions that fully protect information across the entire scope of its use in business, from the build process to management functions to data-driven services and functions.
In August 2019, vendors Alibaba, Arm, Huawei, IBM, Intel, Google Cloud, Microsoft and Red Hat became the original members of the Confidential Computing Consortium, a project of the Linux Foundation. Later others -- including AMD, Amazon Web Services, Anjuna, Baidu, ByteDance, Decentriq, Facebook, Fortanix, Kindite, Nvidia, Oasis Labs, Swisscom, Tencent and VMware -- became general members. With the foundation's help, members plan to substantially improve security for data in use.
Also: Cloud security: A business guide to essential tools and best practices
Israel's MoD announced on February 16 that it had selected Palo Alto, Calif.-based Anjuna Security to provide the platform that will secure its data in the public cloud for the first time. With the company's Confidential Cloud software, the MoD can use confidential computing features available in hybrid cloud servers that eliminate exposure of data in use to insiders, malicious software, and bad actors. Sensitive data and applications remain fully encrypted without the need for software modifications and stay isolated, and in full control of the MoD, Anjuna CEO and co-founder Ayal Yogev told ZDNet.
The decision from the Israeli MoD represents a milestone for far greater adoption of the public cloud by organizations in regulated industries or those with highly sensitive data, Yogev said. To date, many companies and government organizations have held back from the public cloud because of security concerns and control issues. The stringent testing and subsequent selection by the MoD signals that with the widely available confidential computing technology already in cloud infrastructure and software from companies such as Anjuna, the public cloud is now secure enough for organizations with the strictest level of security and regulation, he said.
Why the Israeli MOD is making the change
The Tel Aviv-based engineering head of the MOD's cloud initiative, who asked that his name not be published for his own security purposes, explained the reasoning behind the changeover.
"So, we are a very conservative organization, as to say, we have sensitive information, various sensitivity and classifications, and most of the data processing we do on an on-premise network," the MoD Infrastructure Cloud Group Leader told ZDNet. "But the data grows, and we (now) can just grow with it. So when we go to a public cloud, we want to address our ever-growing compute needs. And the second level is the (distribution) of services -- hundreds and even thousands of software services. So for us, it is in essence, a digital transformation. We can't achieve what we need by staying at home on our on-premise networks."
Using the Anjuna Confidential Cloud software, the MoD is now able to achieve public cloud scale, agility, and maximum data security immediately, without having to recode or refactor applications, the MoD project head said. "This will allow us to quickly move important workloads across public clouds without compromising the high level of security necessary to achieve our mission," he said.
The MoD project manager said that the move to the cloud is expected to take a decade or more. Israel will continue to utilize data centers for as long as they are needed; while there's no particular hurry, the preponderance of data is getting worrisome, he said.
Also: Cloud security: More critical than ever
"We only started this journey this past year; I think it will take tens of years," the MoD source told ZDNet. "But I think that what we have now is something revolutionary. We understand what other ministries in the western world do, and they say (what we are doing) is nowhere near what they are thinking. So it's pretty revolutionary. They're not even thinking about taking sensitive data and putting it somewhere which is not in your full control."
An op-ed point of view
Not everybody believes that a nation-state moving to the cloud is the best idea. Rob Enderle, longtime IT observer and principal analyst with Enderle Group, told ZDNet that "if there is a breach, and there will be a breach, this decision (to move to the cloud) will look foolish in hindsight, even if the breach has nothing to do with the cloud vendor they chose. The cloud vendor should refuse this business because it will make whoever is focused on other intelligence organizations, both friendly and hostile, put penetrating that vendor as a top priority.
"Cloud companies lack the protections common with security-focused government agencies. This move will likely force governments to compromise or place agents in the cloud vendor, turning them into admins or executives. With the likely exception of IBM's cloud, which has security as its highest priority, the other cloud vendors aren't secured against government-level threats. This move will clearly open them to that level of threat, putting all of their customers potentially at risk of disruption or breach. So, I expect this will end badly for many folks and not just Israel."
Major cloud providers already use confidential computing
Public cloud providers, including Amazon AWS, Microsoft Azure, and Google Cloud, have added confidential computing functionality in recent years to their servers to enable customers to secure data at runtime when it would otherwise be exposed. Protecting data and applications during execution closes a gap that effectively shuts out unauthorized personnel and creates a trusted environment within the public cloud that is under the control of the customer.
Israel's MoD, which oversees most of the Israeli security forces, is responsible for the overall security of the Israeli nation, including the Israeli Defense Forces (IDF). The ministry assigned a red team to conduct a thorough evaluation of the Anjuna software, using compute-intensive AI workloads as the initial application. Test considerations included the ability to secure against rogue or accidental insiders, third parties, criminal hackers, and nation-states. The solution also had to be commercially available now, run across multiple cloud platforms, and make both migrating applications and administration simple, Yogev said.
In addition to fully securing workloads in public clouds without modification, the Anjuna SaaS package was attractive to the MOD because it provides a single, uniform encryption platform that protects all three states of data: storage, transit, and execution. Thus, organizations do not need to rely on the many different encryption schemes for each application and system, which causes undue confusion and complexity. Yogev said that the Confidential Cloud software provides a consistent data perimeter that eliminates the risk of exposing encryption keys during runtime.
"Israel's Ministry of Defense is among the most advanced and stringent security organizations in the world, so it is a tremendous advantage for them to now be able to turn public clouds into fully trusted environments capable of securely processing sensitive data," Yogev said.