Cloud Maturity for Defence Forces: Amazon Launches “Secret Region”

 By Col. Debashish Bose
0
118

November 2017 cloud oriented news feeds were abuzz with news reports of Amazon Web Services (AWS) providing secure cloud services to the US intelligence community. For the risk-averse intelligence community, this shows a huge rise in the level of confidence on commercial cloud offerings and at thesame time a very high level of maturity on the part of the commercial Cloud Service Providers (CSP). All this did not happen overnight; lets us roll back to mid 2012. It was at this time that the CIA first gave out its Request For Proposals (RFP) for commercial cloud services. After a lot of legal wrangling’s from competing tech companies, CIA and Amazon finally went to work together towards the end of 2013. The CIA awarded a contract worth $600 million to AWS for a period of ten years. Primarily what the CIA was doing was to allow AWS to own and run the cloud for use by them. From July 2014, CIA opened access to the cloud for all of the 17 agencies that constitute the Intelligence Community (IC) in America.

Present

Now let’s come back to the present. After gaining three years of experience of working with the IC, on 20 Nov 2017, Amazon declared that it had launched a secret cloud service for the US intelligence agencies, called the AWS Secret Region. This cloud can operate data up to the US security classification of “Secret”. As a result of this AWS is now the only commercial CSP to operate government workloads across the full range of US data classifications, to include Unclassified, Sensitive, Secret and Top Secret. The users will be given protected virtual private clouds or “Bubbles”, as John Edwards, Chief Information Officer of CIA, calls them.

The cloud would be run behind the CIA owned firewall. Essentially an air gapped private cloud running in CIA premises. The cloud data centre complies with security standards which will be monitored by the Office of the DNI and NIST. Experts feel that the Amazon cloud will be more secure than a traditional data centre because there will be fewer points of access than traditional data centres. Administrators will be able to restrict access to information based on the identity of the individual seeking it. Another benefit of the cloud would be a standardized working environment for all the constituent organizations of the IC and all activities within the cloud will be logged and analysed with context in near real time. They will have stringent security overlays, controls and audits as per federal government requirements. Engineers on the payroll of Amazon will be responsible to maintain the hardware because AWS owns the hardware and it is their responsibility to maintain the same just as they do in the company’s public data centres.

Though the technical parameters of the AWS cloud for the IC arenot available, it should be comparable to existing AWS capabilities implemented for other government departments. Suggested capabilities are more than a Tera byte of new data every day and billions and trillions of pieces of metadata, phone and internet records on an annual basis. Compare this with the NSA data centre which can handle yotta (1024) bytesto zeta bytes of data at Bluffdale, Utah.

Benefits

  • The manner in which the requirements of the IC was increasing, cloud computing was the only way out for the IC to discover, access and share critical information in an era of infinite data – data from sensors, satellites, surveillance systems, human intelligence and open data repositories.
  • Since all the compute resources will be provided by AWS on demand, the IC expects to have time to mission of a few hours if not minutes.
  • Whenever Amazon makes an innovation or introduces an advancement in technology, the same will be immediately introduced in the IC cloud. On an average AWS makes around 200 such innovations / advancements in a year. As a result of this the IC cloud will always be at the cutting edge of technology. “How to keep up”, with cutting edge technology has always been a bane for defence forces with tedious procurement procedures.
  • Instead of in-house maintaining huge IT infrastructure, the IC would now only be paying per use.
  • The quality and speed of intelligence analysis is expected to increase manifold as they are directly proportional to the computational power that is available. What better arrangement can the IC have than to leverage the on demand availability of computational power that the cloud provides. For compute intensive applications like feeding and analysing geospatial data, on demand computing power could have a dramatic impact on the speed and quality of the analysed output. The cloud also could improve the way the IC shares its large data sets.
  • Allows multi agency cooperation, since the entire IC is now connected to the same cloud. As a result it helps to get critical information to decision makers faster.
  • High degree of availability as the data centres hosting this cloud is distributed in three geographically displaced locations. This will give fault isolation, issues at any one location will not bring down the cloud. This is all in addition to standard cloud features like automated load balancing, instant provisioning, etc.

Critique

These announcements have come at a time when Amazon’s business and government customers are under intense scrutiny, as to whether the data is being stored securely in the cloud. Amazon stores the users data in cloud based folders, referred to as buckets. These have been in the centre of reports of breaches in the recent past. However, in almost all these cases it was found that unencrypted sensitive information was left lying around because of customer negligence / error. Though the responsibility of protecting ones data using the various protection mechanisms is that of the user,it is stillfelt that AWS can do more unilaterally to protect the user’s data.

Many still have apprehensions that it will now become easy for Russian hackers (who already have access to NSA’s hacking tools) to penetrate the Amazon cloud and pilfer sensitive, secret and top secret information. Many analysts also feel that this deal will further strengthen the rumours that the Amazon “Alexa” is the CIA’s favourite spying tool, with its always on microphone (present in all homes).

Conclusion

One of the biggest benefits of the decision by CIA to move to the commercial cloud is to give a degree of self-confidence to the fence sitters, that the technology is safe and can be adopted. If the biggest and the smartest cloak and dagger organization has adopted it, this is really going to be disruptive.