Amazon Launches a Cloud Service For US Intelligence Agencies

Amazon Web Services on Monday introduced cloud service for the CIA and other members of the U.S. intelligence community. From a report: The launch of the so-called AWS Secret Region comes six years after AWS introduced GovCloud, its first data center region for public sector customers. AWS has since announced plans to expand GovCloud. The new Secret Region signals interest in using AWS from specific parts of the U.S. government. In 2013 news outlets reported on a $600 million contract between AWS and the CIA. That event singlehandledly helped Amazon in its effort to sign up large companies to use its cloud, whose core services have been available since 2006.

Worst idea EVER

[Rick Schumann]

Why not just post all our Top Secret documents on Twitter where all enemies of the U.S. can find them easily? Would be cheaper and about as secure as any gods-be-damned 'cloud service'! Since when do U.S. Intelligence agencies, or ANY government agency for that matter, not hosting their own data!?

Re:

[oh_my_080980980]

You mean Barack Obama, his administration approved the deal.

Re:

[oh_my_080980980]

Technically it's on on-site hosting. The data is not stored in Amazon's cloud. The CIA is using Amazon's servers on-site.

Re:

[omnichad]

"Cloud" is just the picture you use in network diagram to represent Internet/Server. It doesn't exactly have a formal definition that's set in stone.

Re:

[networkBoy]

how is it not a cloud?
If it follows the same architecture, layout, and usage model, then it's a cloud. A self hosted one, sure (and I would expect nothing less than self hosted from these agencies!)

Re:

[mikael]

A "Cloud" is when you don't know the routing paths, servers or interconnects used. ISDN was built on the X.25 packet switching system. As a customer all you had was that little socket in the wall, which plugged into your PC. There was no way of finding out the traffic route taken for data as every packet could conceivably follow a different route based on congestion.

Modern day "cloud services" would just dynamically allocate you a virtual machine on a virtual server, suck up the data from your systems and r

Re:

[networkBoy]

So, it is a cloud then.
The system delegates the compute resources and harvests them when free. It's dynamic and elastic based on demand (and total install size).

Re:Worst idea EVER

[EndlessNameless]

People have started using terms like "own cloud" or "on-site cloud" to describe infrastructure services that are provisioned internally. Yes, this is stupid and pointless. Yet here we are.

Your typical internal cloud will have hardware, hypervisor, and management stack all provided and supported by a single vendor. Sometimes they will certify hardware and provide support for whatever you build.

They basically took the old mainframe business model, broke it out onto gobs of x86 servers, and repackaged it as something new. Now you run your applications on a VM or in a Docker container instead of an LPAR.

So, yes, local cloud is pure marketing bullshit. But it does refer to something different (and more secure) than regular cloud services.

Re:

[rtb61]

I thought it was like, Amazon has created Google, a cloud that rains your information on various three letter agencies, packaged and filtered for demand. It is pretty obvious that the cloud is just your information, with every corrupt arse hole squeezing that cloud for all they are worth. The delusion, they control your information, they control you, not if you treat your online information like a joke, then they have nothing on you but a clown car. The more seriously you take you online interactions, the f

Re:

[kriston]

This is the correct response.

Government entities including CIA own and run the data center facilities. AWS runs the software and systems therein.

It's not really "cloud" but it looks and feels that way. It's better described as an "On-Premises AWS."

Re:

[Anonymous Coward]

I'd rather have the whole damn government in the private could where the fixers can't destroy hard drives, delete pst files [thehill.com] and wipe servers with no trace as easily as they have. Whatever supposed risk to national security that you're so worried about is less damaging than the actual criminality we've seen.

Re: Worst idea EVER

[dougdonovan]

so much for US intelligence having to rely on amazon.

Re:

[sysrammer]

Interestingly enough, back in the Cold War I remember reading that the Soviets did not really trust the information that they found in our public domain. They couldn't believe that we would purposely be so open.

So, this is really just the first step in the brillant plan to release *all* of our data, to foil our adversaries.

Re:

[luis_a_espinal]

Why not just post all our Top Secret documents on Twitter where all enemies of the U.S. can find them easily? Would be cheaper and about as secure as any gods-be-damned 'cloud service'! Since when do U.S. Intelligence agencies, or ANY government agency for that matter, not hosting their own data!?

For a while. How the hell do you thing DoD contractors do secret/top-secret work? They have their own SEC/TS rated facilities.

Very bad idea

[WillAffleckUW]

Look, we've been using your secure cloud services to get intel on US "secure" communications for years, now you want to encourage it even more?

Oh, and lock down those cloud backups, they let us triangulate your physical access points. It's like 360 degree 24/7/365 at Mar-a-Lago with only a 0.5 second delay.

Re:

[WillAffleckUW]

Sufficient for acquisition lock. They don't tend to move around that much, so you can predict.

Honeypot, anyone?

[TexasDiaz]

And thus the biggest honeypot for security professionals was born...

Re:

[AHuxley]

In the past spies, cults, faith groups has to risk walking around a base, port and try making friends with gov workers, mil, contractors, staff.
It was a risk and the FBI was always looking for spies, creating fake workers to lure in spies.
Years of making friends, working out who needed a friend, who could be blackmailed, who would just give secrets, who would sell US secrets.
Years of trying to get a cult member, spy, dual citizen a job on base and have them improve their clearances over decades.

Now s

Yeah..... What could possibly go wrong?

[WolfgangVL]

Got to read between the lines on this one.

US GOVERNMENT, Looking completely inept, while at the same time being incredibly clever just out of sight.

Competes with Azure Stack

[ErichTheRed]

Right now, Amazon doesn't have an equivalent to Azure Stack (the cloud in a box from Microsoft.) The closest thing they have is VMware stretching existing on-site cluster management into AWS, where you basically build out ESXi hosts in AWS and manage both on-site and cloud hosts from the same tools. That's not going to fly at an intelligence agency, no matter how many rounds of golf, free trips and strip club visits you buy the CIO, so the logical thing to do is to bring the whole thing in house.

My assumpti

Re:

[Facekhan]

Yes, I would imagine the idea is to make the administrative/orchestration interface look just like AWS while actually being on the classified network. That way they can hire engineers who have AWS experience and just have them spin up servers the same way. They can also take their orchestration tools and ansible script.

This could potentially increase security by limiting the obnoxious roadblocks that provide the frustration incentive to break the rules on these systems in the first place. If everything on t

Re:

[kriston]

You're right. It's on-premises AWS operated by AWS and the facility is owned by the government. It has a subset of the services in the AWS GovCloud, which, itself, is a rather small fraction of the services in the AWS commercial cloud.

Amazon Launches a Big Fat Target

[StickyWidget]

Amazon Launches a Big Fat Target for Intelligence Agencies

"The AWS Secret Region is a key component of ensuring the Intel Community's ability to get owned and leaked in multi-dimensional ways via a cloud strategy. It will have the same material impact, wholly negative, on the IC at the Secret level that C2S has had at Top Secret."

There, fixed it for ya.

//Sticky

Re:

[hyades1]

They'll probably wind up saving a bit of money by hosting it on Russian servers.

Re:

[AHuxley]

All contractors will now get very deep polygraph investigations. Their internet use will be watched, any contact with journalists, internet sites found to be supportive of whistleblowing, changes in spending habits, searching for holidays.
Any downloads of cryptography that could be used to contact journalists by contractors will be reported.

Two random strangers with strong accents will approach random contractors offering them cash for US/NATO secrets. That will be the local FBI. The contractor will

how long?

[AndyKron]

How long until a ten year old hacks it?

Secret vs Top Secret

[Stax]

This region is only Secret - Top Secret workloads have been running in C2S for years.

Read the CIA Press Release [cia.gov] here

Re:

[BlueStrat]

This region is only Secret - Top Secret workloads have been running in C2S for years.

Read the CIA Press Release here

Yeah, Putin can read presidential intelligence briefing docs before the POTUS does since at least Obama.

The US government isn't so much worried about other nations learning US secrets, it's the US' citizens they are most worried about learning how they and their nation have been sold down the river by those in power on both sides of the political aisle.

Strat

AWS to the rescue...

[VeryFluffyBunny]

Are AWS promising to prevent the CIA from publicly soiling themselves again? They obviously can't look after sensitive data for themselves.