Amazon Web Services Creates a New “Secret Region” for the Feds

Amazon announced a major expansion of its Amazon Web Services offerings in late November 2017 with the creation of the new Secret Region for secure cloud services and storage for government agencies. The Secret Region will join the 14 public AWS regions and at least 2 existing government-specific regions as an option for secure cloud computing services.

Increasingly, cybersecurity professionals have to deal with the reality of economics, which is driving the adoption of multi-tenant architectures and off-the-shelf utility computing services. With AWS Secret Region, Amazon is sending a signal that cloud computing is ready for the security mainstream.

Is Keeping Secrets In The Cloud a Good Idea?

Most cybersecurity professionals recognize something that laypersons, and even non-security IT staff, often don’t: cloud storage can be considerably more secure than many conventional storage mechanisms. To outsiders it seems counterintuitive that data that can only be accessed across the internet, and that is commingled with information from other organizations, could be as safe as data stored on a dedicated server in a corporate office.

The idea that any storage today can be offline in a meaningful way and still be useful is quaint, however—all servers can be accessed across the internet.

The major advantage of cloud services from the cybersecurity perspective is that security at the platform and transport layers can effectively be outsourced to the host company. Application layer security remains the responsibility of the companies that use these services, but outsourcing the lower layers lets businesses focus their security efforts and reduce expenses, while counting on the cloud provider’s specialization to deliver better security than the company could achieve on its own at the same cost.

With an estimated shortfall of 1.8 million jobs predicted in cybersecurity by 2021 according to a June 2017 study from (ISC)2, there simply aren’t enough security professionals to go around. Not every agency that needs to secure data will have the ability to do so independently.

Particularly in this scenario, shared services make a lot of sense. But are they adequate to keep national security secrets safe?

The Secret Region Is Not Amazon’s First Trip To the National Security Rodeo

But Amazon, and other cloud providers, are already deep in the secrets business with the government.

It’s not immediately clear how the Secret Region will differ from existing secure cloud services. Microsoft’s Azure cloud platform has offered a Government service since at least 2016 that complies with the Federal Risk and Authorization Management Program (FedRAMP) High Impact Level and Department of Defense (DoD) Level 4 data security standards. AWS already has a GovCloud region that matches those standards.

FedRAMP High is the level of government security typically required for law enforcement or other sensitive, but civilian, applications. DoD Level 4 is defined as unclassified, but sensitive data.

Amazon claims that the new Secret Region will comply with the full range of government data classifications, including:

  • Unclassified
  • Sensitive
  • Secret
  • Top Secret

The announcement comes on the heels of several government-related security breaches in AWS instances, including an incident in May 2017 where a government contractor with Booz Allen Hamilton left sensitive data in an AWS bucket with no protections whatsoever.

Although such incidents reflect faults on the part of the subscriber rather than Amazon itself, the company inevitably suffers from the bad press that follows. The Secret Region may be an effort to keep government agencies and government contractors from stepping on their own toes when using cloud computing services, by making resources easier to secure against public access.

Security Joins Usability in Secure Cloud Computing Services

Even the most sensitive information, code-word classified data known as Sensitive Compartmented Information (SCI), may be eligible for storage in the Secret Region. Current guidelines mandate that it be physically stored in a SCIF, or Sensitive Compartmented Information Facility, which has been specially hardened against all forms of penetration. Computers in such facilities are required to comply with Intelligence Community Directive 503 (ICD 503), which limits connectivity to other systems that have been hardened to similar levels—a high bar for any cloud system, but one that Amazon claims to meet.

John Edwards, the current Chief Information Officer for the CIA, spoke at the AWS Public Sector Summit in 2017 and emphasized the degree to which the agency is committed to cloud systems. The agency worked directly with Amazon to put a region on its premises in order to reduce allocation and development times. Previously, certifying compliance and jumping through acquisition hoops could result in a 180-day wait to provision a single new server instance.

The partnership, which the CIA calls C2S (Commercial Cloud Services) has dropped that to 60 days… nothing to cheer about when you consider that commercial services can provision such instances in a matter of minutes. But it’s a significant improvement for government, and the ability of agency developers to develop and publish applications internally can also reduce the time it takes to distribute them to internal customers. A virtual marketplace inside C2S allows CIA users to procure secure applications for cloud use without going through the laborious process of getting security certification.

C2S has been serving the intelligence community with cloud capabilities at the Top Secret level, but the Secret Region will offer the same capabilities across the entire range of classification levels, and to agencies outside the 17 agencies that make up the U.S. Intelligence Community (IC).

C2S ostensibly operates as a “private cloud,” a contradiction in terms that nonetheless has found traction in the computing press. Since it operates entirely behind the IC’s firewall, however, it does not qualify as a cloud in the traditional sense, with a multi-tenant, general-purpose architecture available on-demand.

The Secret Region, however, does meet that definition, just as other AWS regions do, and should therefore be able to offer services at a lower cost than C2S, just as traditional cloud services do.