A Wealy Secret Cloud: AWS Is Certified to Secret and Top Secret Levels

We all know and have heard about the secret networks that governments use that are disconnected from the Internet and carry their deepest and darkest secrets—networks where only James Bond and Felix Leiter have access, that are connected to nothing and separated by physical air gaps the size of the Grand Caynon. Yep, those. They will never be in the public cloud; the cloud will never be certified to secret or higher. To be fair, that would appear to be a fairly safe position to take. Hell would freeze over before the spooks would connect to the cloud to do seriously spooky work, let alone a public cloud from a tier-one provider like AWS.

Hell has just frozen over: the spooks are using AWS

Well, guess what. It appears that hell has indeed frozen over, and Old Nick is snowboarding down Mount Hades as I type. AWS has released a new Secret Region. As such, it has become the first and only commercial provider to offer regions to service government workloads across the entire range of data classification, including secret and top secret.

According to the press release statement made by Teresa Carlson, VP AWS Worldwide Public Sector, November 20 “mark[s] an important milestone as we launch the AWS Secret Region…AWS now provides the U.S. Intelligence Community a commercial cloud capability across all classification levels: Unclassified, Sensitive, Secret, and Top Secret. The U.S. Intelligence Community can now execute their missions with a common set of tools, a constant flow of the latest technology and the flexibility to rapidly scale with the mission. The AWS Top Secret Region was launched three years ago as the first air-gapped commercial cloud and customers across the U.S. Intelligence Community have made it a resounding success. Ultimately, this capability allows more agency collaboration, helps get critical information to decision makers faster, and enables an increase in our Nation’s Security.”

This makes for interesting reading, but I have doubts. According to AWS, cloud security is its highest priority. If it can truly provide this level of classification, then it is fair to say it must be pretty secure. AWS will have had to climb through hoops to get this certified, although their press release states that the secret region “will” be assessed, not “has” been “assessed and accredited for security compliance under the Director of National Intelligence (DNI) Intelligence Community Directive (ICD 503) and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Revision 4.”

Then again, AWS already provides a Top Secret Region, and all it is effectively doing is providing the same tooling sets that are utilised in that higher classification to a lower classification. In fact, John Edwards, the CIO of the CIA (now that would be a cool job, up there with being Tony Stark) states that “The AWS Secret Region is a key component of the Intel Community’s multi-fabric cloud strategy. It will have the same material impact on the IC at the Secret level that C2S has had at Top Secret.”

Let’s get some potential misconceptions out of the way. A commercial public cloud provider this may be, but public cloud it is not. You and I are not going to be able to check our available regions and find AWS Secret and Top Secret: these are discrete and separate resource environments that just happen to be running on AWS hardware and utilizing AWS cloud services and processes. Beyond that, we are unlikely to find out any in-depth details on architectural design. If fact, John Edwards stated in this video taken during his session at AWS Public Sector 2017 Summit that C2S (its AWS public cloud instance on its own premises—is this really reverse hybrid?) that this is an AWS cloud on steroids.

There are three sites based on CIA localities that effectively provide three regions and full resiliency based on AWS best practices. Yes, purists are going to say this is not public cloud, and they will be correct; it is private cloud, but private cloud done with public cloud technology. This is AWS but isolated from the Internet and protected by layers and layers of the standard protections.

It has allowed the CIA and its ecosystem to become reactive at speed of need. In this session, he stated that systems can be run up in minutes, rather than in weeks or days. This is the power of cloud. It has taken a successful commercial tool, enhanced it, and managed to keep its flexibility. This is due to the CIA’s IT department acting more like a commercial entity rather than trying to make the commercial entity act like the government.

I don’t care that it is not a pure public cloud. I am interested; it makes sense.

Posted in IT as a Service, SDDC & Hybrid CloudTagged , ,