When spies use the cloud for sharing, storing and using their secrets, you better believe security is going to be of paramount importance.
That’s why a reported deal between the Central Intelligence Agency (CIA) and Amazon and its Amazon Web Services for cloud services is a major indicator not only of the cost savings from using the cloud, but of the levels of security that can and will be applied to data stored there.
The deal, which has an estimated $600 million price tag attached to it, has the cloud industry abuzz with how the creation of a “private cloud” for the CIA is a broadside salvo fired at concerns that the cloud is inherently insecure, and could even be considered a major endorsement of the cloud by the spy agency.
Certainly it appears to be an indicator that even the most security-conscious and conservative organizations are moving to the cloud, and there is a firm belief that the cloud can be made secure.
The CIA, as spy agencies are wont to do, is remaining tight-lipped about its efforts, but considering the far-flung and multifaceted information needs of the CIA and its operatives, it’s not surprising that the Agency would be extremely interested in adopting cloud computing. After all, the CIA conducts massive amounts of information gathering and analysis, which creates not only a tremendous amount of storage requirements, but also the difficulty of distributing the right information to the right asset in a timely manner, and potentially anywhere around the globe.
In a speech in New York recently, the CIA’s chief technical officer, Gus Hunt, made clear how important distributed data collection can be to his agency.
“The value of any piece of information is only known when you can connect it with something else that arrives at a future point in time,” Hunt said. “Since you can’t connect dots you don’t have, it drives us into a mode of, we fundamentally try to collect everything and hang on to it forever.”
It’s likely that the Agency and Amazon’s project will segregate some big chunk of AWS capacity, but it’s still the cloud, and by their very nature data centers must be interconnected. Moreover, currently Amazon does its most secure backups (S3) in Singapore, far outside U.S. jurisdiction and protection, which may require a reworking of Amazon’s security strategy.
And of course, with any deployment like this, the key question is who holds the encryption keys. If the CIA maintains exclusive control, which is likely, then security can be held to a higher standard. But if anyone, for any reason, on the Amazon side has access to these keys, then there are significant security risks.