Comments

CallMeLateForSupper November 21, 2017 6:47 AM

Do what? Throw something together and label it “secure”, or actually do secure?

No matter; my company’s classified does not, and will never, be stored on someone-else’s-harddrive (“the cloud”). Nobody cares as much about my stuff as I do; nobody else has the proper state of mind and incentive to secure my stuff.

Cesar Branco November 21, 2017 7:21 AM

Amazon already handles secure data, a lot of their infrastructure is certified for payment card industry (PCI) requirements, to protect card data that transits AWS customer systems.

https://aws.amazon.com/compliance/pci-dss-level-1-faqs/

Plus EU is mandating that companies operating in Europe comply with GDPR rules in 2018 – protect EU citizens personal identifiable data (from phone numbers to social security numbers to credit card data). The penalty for equifax type bungles goes up to 4% of revenue.

https://www.eugdpr.org/gdpr-faqs.html

Companies are already using AWS for data protection in a lot of ways – they will now protect US government data. Probably better than anyone to whom the government outsources that to now.

Evan November 21, 2017 7:45 AM

When this gets compromised, I foresee acrimony. Government agencies, the contractors who do the actual work, and Amazon will all blame each other, especially in a case like Shadow Brokers where the source of the exfiltration is unknown. At least with leaks you can’t blame Amazon because it’s an internal job.

neill November 21, 2017 7:46 AM

IF amazon really believes this is secure for confidential data … doesn’t that mean everything else they offer is NOT secure?

wiredog November 21, 2017 7:56 AM

Amazon has been providing private cloud (inside the scif) at the SCI level for a while now. What’s different, and Microsoft is doing this with Azure, is having Amazon (or MS) managing the cloud services from outside the TS region. This requires exfiltrating telemetry and infiltrating control through the class/unclass interface. Without allowing classified data through that interface.

Michael November 21, 2017 8:31 AM

data stores are so much more than just data now, they have become an entire compliance platform. analysts and contributors want to integrate with data stores not only for content but for compliance management when the data itself is sensitive enough to require it. and that means all the interesting data.

wumpus November 21, 2017 9:22 AM

@wiredog

My take on the whole Snowden affair was that the NSA wasn’t remotely concerned about Top Secret information and was letting sysadmins manage the data along with the servers. It would make entirely too much sense to first the encrypt the data* (and never let the sysadmins see the keys) and then taking the further step to have such management outside the Top Secret world. This is pretty much the end result.

Of course this makes entirely too much sense, and will get garbled telephone/Chinese whispers style as any such proposal works its way though management levels, but it shouldn’t surprise anyone.

  • regular readers of this site should be aware of plenty of ways to pull information from the encrypted data on servers, but most of this requires plenty of data fed into mathematically advanced hostile hands with a large budget. Even if Shadow Brokers was able to make something of it, it isn’t clear they could in turn leak it in a way that Congress and the US citizenry took seriously. Since they are the only groups capable of reigning in the NSA’s budget or turf, that is the only existential threat to the NSA and their only real fear.

Clive Robinson November 21, 2017 9:25 AM

The problem I see is not just the “cloud storage platform” which is bad enough but the communications inbetween it and the end user…

How long before “homeworking” gets involved… The minute somebody connects from home or elsewhere they have “fingered themselves as mil/agency from their isp to all nodes to Amazon’s front door” unless care is taken.

Could Amazon become the new Kaspersky 😉

Andrew G November 21, 2017 9:26 AM

@neill One of the differences between classified and unclassified facilities is that classified facilities have much greater monitoring and auditing requirements. The difference in Amazon’s classified service may be mostly administrative. For example, probably everyone with physical access to the data center has to have a US security clearance.

POLAR November 21, 2017 9:33 AM

Best comments:

Do what? Throw something together and label it “secure”, or actually do secure?

IF amazon really believes this is secure for confidential data … doesn’t that mean everything else they offer is NOT secure?

How long before “homeworking” gets involved

/EOF

Bruce Schneier November 21, 2017 9:40 AM

“Amazon already handles secure data, a lot of their infrastructure is certified for payment card industry (PCI) requirements, to protect card data that transits AWS customer systems.”

Secure data is not the same as classified data. The US Government has detailed rules about classified data. And they’re different for Confidential, Secret, Top Secret, etc.

Bruce Schneier November 21, 2017 9:41 AM

“Amazon has been providing private cloud (inside the scif) at the SCI level for a while now.”

That’s interesting. I hasn’t even considered that this might be a private cloud service.

Wael November 21, 2017 9:47 AM

It’s an acceptable solution in the industry as long as the provider meets needed regulatory requirements that may include random auditing.

tim November 21, 2017 10:12 AM

I’m not surprised by this. Traditional vendors in this space are actually quite bad at managing data. Amazon already had all that they needed to build this out. They saw an opportunity that was being badly managed by others, made the investment, and got it done. You can not say that about most (all?) traditional government contractors.

No matter; my company’s classified does not, and will never, be stored on someone-else’s-harddrive (“the cloud”

This particular comment shows a lot of ignorance about how data is managed. That you own a server with a hard rive in some building somewhere you also own is actually an anomaly. The “cloud” is just the natural evolution of what’s been going on since the invention of the computer. And if you know what you are doing data can be as secure or even more in the cloud than in your own data center.

Wael November 21, 2017 10:20 AM

@tim,

data can be as secure…

Under some strict conditions. Availability is always at risk, though as the provider has control of depriving the owner of access to their data.

AJWM November 21, 2017 10:25 AM

The “cloud” is just the natural evolution of what’s been going on since the invention of the computer.

Not really. Cloud services have been around since the 1960s, if not the ’50s — although we called them “timesharing” back then. Then came the seventies, and microprocessors, and everyone started pulling their data and computation not only in-house, but onto their own desks.

It’s only the last decade or so when the realization that managing all those desktops or server closet systems is a pain in the butt for non-IT companies, and that the internet made it relatively easy (if not necessarily safe) to let someone else take care of, that all the X-as-a-Service cloud stuff became popular again.

This too shall paas. 😉

neill November 21, 2017 10:55 AM

@andrew g

amazon customers had been promised “security” for their data, not 2nd class security

think of a bank saying “deposit boxes on the 1st floor are secure, on the 2nd floor are not so secure ….”

Smoke and Mirrorsrrors November 21, 2017 11:43 AM

In light of levels of gross incompetence revealed in many Inspector General reports, outsourcing seems the most likely way forward

wumpus November 21, 2017 2:30 PM

@Nickie Halflinger

The problem with this industry is that it is pretty much the definition of a “lemon market”. You can try to explain until you are blue in the face but most people simply think “password problems” when you say “computer security” and the rest assume that the “obscurity is the only form of security” (why Windows is so easily rooted).

In such a market, expect “security professionals” to understand that their job fundamentally relies on CYA engineering (because you don’t have the authority to keep users from fundamentally breaking security).

Philip November 21, 2017 3:42 PM

This is an extension of the C2S private cloud that AWS has operated for the IC for several years: https://fcw.com/articles/2017/06/14/cia-cloud-aws.aspx

C2S is a private implementation of AWS feature in a physically separate setup just like you’d expect for something like that this.. Not all of the fancy new AWS services are available but the core ones are (EC2, S3, etc.)

C2S has operated at the TS SCI level from the beginning. Now they’ll have an S level region as well.

Anon November 21, 2017 3:44 PM

@Cesar Branco:

Amazon already handles secure data, a lot of their infrastructure is certified for payment card industry (PCI) requirements, to protect card data that transits AWS customer systems.

PCI DSS is not worth the paper it isn’t written on. It does not, in any way, guarantee the system to be secure. It even says so in the documentation.

It is, frankly, a joke.

trsm.mckay November 21, 2017 3:54 PM

@niell and @wumpus

It is quite evident that you have never had the fortunate experience (?) of selling products to the USA government. Here are a few interesting search terms that will give you a clue of how much work Amazon must have done just for normal government systems (let along handling classified data):

FISMA, Fedramp, FIPS 140 (aka CMVP), NIAP Common Criteria Protection Profiles, STIG

I could got on for a while more (as I have had this wonderful experience). But (as mentioned above) the requirement that all operators would need some type of clearance can be traced to one of the alphabet of USA standards that Amazon was most likely subjected to.

It is an interesting argument as to how much those processes improve security, and also discussion if the Amazon solution is inherently un-securable. But the point of this post – it was not a trivial exercise in security evaluation by people who equate computer security with password problems.

hmm November 21, 2017 5:52 PM

“I hasn’t even considered that this might be a private cloud service.”

The implications are manifold.

Amazon is tied in at that level – and you put their camera in your house.
And their intelligent speech recognition system that’s always on.

What’s the worst that could Orwell?

Nate November 21, 2017 8:27 PM

Yep, this isn’t especially new news. Amazon has been running a private cloud for the US security community for several years now.

https://www.theatlantic.com/technology/archive/2014/07/the-details-about-the-cias-deal-with-amazon/374632/

” Jul 17, 2014

This summer, a $600 million computing cloud developed by Amazon Web Services for the Central Intelligence Agency over the past year will begin servicing all 17 agencies that make up the intelligence community.”

Did nobody know this? Bruce, how did YOU of all people not know this?

This is why I’ve been Chicken Littling about Amazon AWS and the Cloud generally ever since I found out.

Remember how we discovered Kaspersky was backdooring machines? Of course it was technically possible ever since antivirus was invented, but everyone thought “no antivirus vendor would be such a bad actor”.

Well, imagine cloud computing as the ultimate, undetectable, US intelligence-community backdoor to a sizeable chunk of US and world corporate servers.

Running an AWS server – especially, given Amazon’s close relationship to the CIA – means handing US spies all your root passwords and secrets. Do you think they won’t do anything with that access?

Security Sam November 21, 2017 8:57 PM

In fact the cloud security mirage
Creates a spurious safe feeling
But, what it is is not what it was
And meanwhile they made a killing.

Mark November 21, 2017 9:17 PM

A very concerning relationship given what we learnt from Snowden.

Now those agencies requesting data from Amazon also have financial/contractual influence over the company.

Clive Robinson November 21, 2017 10:11 PM

@ Security Neil,

Amazon is just a storage. Cloudflare is a gate

More “a tunnel, dark, dank and dangerous” than a gate.

But sadly they are not the only ones “doing the nasty” to your connection in various ways. For instance quite a number of ISPs add tags to your packets that pass through even VPNs you might use.

It’s the reason my comment above just says,

    The problem I see is not just the “cloud storage platform” which is bad enough but the communications inbetween it and the end user…

There is a belief that all data can be turned into money, all you have to do is collect it as cheaply as you can… Which is why privacy is so darn hard, because in effect they are all at it one way or another. It’s the free market mantra at work with the “don’t leave money on the table” ethos turned into “rent seeking” either directly or indirectly.

Now the FCC has a compleat “loony two tunes” in charge that ethos became solid gold, users will be sliced, diced, wrapped and marketed a thousand ways, one piece at a time or wholesale whichever lifts more money off the table in the shortest time…

Cesar Branco November 22, 2017 4:40 AM

@Anon

My point regarding PCI DSS is that AWS already handles a lot of important data that it needs to protect and complies with a load of regulations, and has done it for a while. It is not a stretch to extent its infrastructure in capacity and capability and do it for the intelligence agencies. In any case there haven’t been any credit card number breeches from AWS servers compliant to PCI DSS rules.

ats November 22, 2017 4:48 AM

@Joe, in theory,CIA/NSA/et al could setup a cloud on their own. But since the whole point is to enable use of the standard interfaces, selecting the most popular interface for cloud services makes perfect sense. And once you’ve selected a companies stack for use, it makes perfect sense to just hire that company to run the whole thing. After all, they have a shit ton more experience with it and likely much lower costs.

In the actual case involved here, several years ago, the IC contracted with AWS to build and run an entire facility for IC use. It was built and is run largely the same as anyone other AWS facility modulo the additional secure requirements and restricted outside networking. Just like other AWS facilities, they periodically roll in new racks and storage to keep current with what’s available.

The whole point was to enable use of the standard cloud APIs to take advantage of existing applications, existing toolkits, and existing training and education. After all, almost all the cutting edge development work is happening in the cloud and many CS programs are training specifically for cloud environments.

GregW November 22, 2017 5:50 AM

@Bruce, are you surprised that they could manage the bureaucracy, the moderately well defined technology, or the risk? The risks they have been managing for some time are enormous… think FINRA data.

helpMeUnderstand November 22, 2017 6:53 AM

“The physical and computer requirements for handling classified information are considerable…”

i might be missing something but if me or the nsa or whoever encrypt everything before sending it to the cloud it doessn’t have to be seucre.

i could also publish everything on the internet because it is encrypted.
what am i missing?

i understand that pc of the user must be secure but the cloud isn’t just a huge shared hdd?

Clive Robinson November 22, 2017 8:01 AM

@ HelpMeUnderstand,

i might be missing something but if me or the nsa or whoever encrypt everything before sending it to the cloud it doessn’t have to be seucre.

You are missing sonething 😉

There are three basic things you can do with information,

1, Communicate it.
2, Store it,
3, Process it.

You can do all three with the cloud. However you can only do the first two if the information is encrypted with current ciphers.

Thus if you have a terrabyte or so database you want to search you have two choices,

1, Have the information in plaintext and search in the cloud.

2, Download the infoemation in it’s entirety to your PC decrypt and search it there.

Of the two there are various good reasons to do the first over the second.

It’s why one of the “holy grail quests” of the CS researchers is to find an efficient encryption system that alows complementing, addition, multiplication and comparison on encrypted data.

wumpus November 22, 2017 10:27 AM

@rsm.mckay
“It is quite evident that you have never had the fortunate experience (?) of selling products to the USA government.
[…]
But the point of this post – it was not a trivial exercise in security evaluation by people who equate computer security with password problems. ”

To be honest, the real change is that some thought has gone into the CYA aspects of the design (and the implementing engineer needs only make the design fit the spec). That removes a lot of uncertainty from the vendor, but really doesn’t address the fundamental problem that nobody is addressing the security of the end product.

“You read the spec and you write the code” may work for ordinary (Murpy’s law) computer design, but this is (as Bruce writes) the “Devil’s computer”. This is compounded by the fact that under no circumstance will the government reject a system that passed all the tests written before the equipment was shipped, all sides have too much riding on the project.

[I’ve designed equipment for the US government, but it was always of the “murphy’s law” variety. Although there was that time when the equipment passed every single test except do the job it was designed to do. That through all of engineering for a loop (the issue was traced to a timing glitch in a single board). I can’t say how they deal with the “Devil’s computer” but all the government procedures I’ve seen will fail badly.]

Nick P November 23, 2017 12:42 AM

@ Bruce

Remember also that the NSA dropped the security requirements for protecting classified data in their newer evaluations which take the lowest assurance level, a lot of paperwork, and ninety days. Lots of previously hacked stuff is on the list. Amazon just has to have a list of rules (esp like physical separation/security), implement processes to follow them, use a bunch of COTS garbage for hardware/software, and get a rubber stamp on that stuff. Well, it might be a little harder but way easier than something that’s actually secure against any serious threat model.

As always, just ask them where’s their covert channel analysis for anything operating in MLS, MSL, or MILS mode. Watch closely to see if they recognize the terms. If you see confusion, all is messed up beyond all recognition as usual.

Jarda November 23, 2017 10:07 AM

“I am surprised that a company with no experience dealing with classified data was able to do it.”

Don’t exagerate, the US record on computer acces security is famously low. There are data leaks on weekly basis, hackers can turn off the electric grid an spill sewage an experts on security are complaining that the state IT infrastracture has security like in IT Middle Ages. Can Amazon do any worse?

justina colmena November 23, 2017 7:53 PM

Classified data?

In the cloud?

In the Amazon cloud?

no, I didn’t think so, either. .gov needs to lose altitude fast on this one. hit the eject button and yank the rip cord. they should have packed their parachute better because this is not going to end well for anyone involved.

Jim November 24, 2017 1:49 PM

“I am surprised that a company with no experience dealing with classified data was able to do it.” — Are you sure that they are actually able to do it?

Amazon is one of the huge data mining companies. That’s the mindset that they have. How are their employees going to resist the temptation to look at the data? Also, do their employees in this division have security clearances that match or exceed the classification of the information they are storing?

The reason they got this contract is because they “met all the requirements” and they underbid everyone else. Unfortunately, government agencies are required to go with Amazon if they underbid everyone else.

Nationalize The Military November 24, 2017 3:46 PM

@ats

After all, they have a shit ton more experience with it and likely much lower costs.

I guess this impression of the NSA expertise is somewhat embarassing (to US citizens). One would hope the NSA would be even better at putting together racks of servers in ways that are much more secure than amazon.

Outsourcing such critical IT also introduces a dependence on a commercially interested corporation, that in this case, is already way too monopolistically (near enough) dominant in most citizen’s lives. This would be the genesis of the Military-Industrial-Complex, and the canonical example of why people express concern about that characterization. I.e. that commercial industry concerns will find themselves innapropriately bolstered by the government due to the government’s technical dependence on the (few big players of that) industry.

Somewhere along the line, the libertarian wing of the right wing went from “privatize everything, except the police/executive, courts/judiciary, military” to “privatize everything”. Such influence will lead to where those long concerned about it knew it would lead. But hey, they already demonstrated that they will torture whoever they want (including innocents caught up in dragnets) in contravention to the geneva convention, so this is just- oh well, whatever.

Clive Robinson November 24, 2017 4:44 PM

@ Nationalize The Military,

One would hope the NSA would be even better at putting together racks of servers in ways that are much more secure than amazon.

Probably not… It was US Politicos that forced COTS computing and comnunications on all the branches of the USG. Most do not have the budgets to afford the skilled labour rrquired to set up such systems. But worse still it’s well known that the Gov only gets “a little discount” compared to corporations, because it’s “free money” from the US Citizens via the tax take… Another problem is the quaint notion that “you can only spend money to save money” which means obsolete kit in most places, ubless they outsource it. As for developing new kit and ideas that’s a no no for most of the USG because that would put them into competition with the commercial guys…

So all in all it’s probably easier to just follow the line of cash that feeds the politicians, and out source most of government…

As for,

Somewhere along the line, the libertarian wing of the right wing went from “privatize everything, except the police/executive, courts/judiciary, military” to “privatize everything”.

Sorry not realy, it’s all parties including the extream lefts and rights, look at the voting records. Remember that political funds care not a jot where the next billion or so has to come from to get the votes to bring even more cash in… It’s a fundamental article of faith for a politician that there is no source of campaign funds to dirty that it can not be laundered clean by cleaver acounting etc…

When Tony Blair was the UK PM, he was interviewed on television and said of the Labour Party “We’ll take money from anyone…”. And as “cash for questions” and other scandles showed, yup they would take it from anyone and do them political favors…

One of the reasons give –by somr of the UK Press– as to Why Tony Blair never took up a place in the house of lords was the requirment for declairing “interests” were more stringent than the commons so he stayed out to keep his shady dealings under wraps…

Need to be Anonymous November 25, 2017 1:05 AM

I have reviewed AWS FedRAMP documents for both GovCloud and AWS-East and AWS-West and I am surprised!

AWS-East and AWS-West FedRAMP certification is just junk. It is window dressing to make the simps at civilian agencies feel better. They started with an Agency accreditation from the Dept. of the Interior. Let me tell you… if you trust the Department of the Interior to keep your data safe then you might as well store it on the street corner! But AWS has leveraged the DOI ATO to fool a lot of agencies into believing that this is secure stuff. Rather than look at the ATO, look at their POA&M list. There are some moderate findings that should be classified as high and when I last looked, Amazon has not mitigated those risks.

GovCloud is a little better. First, it received its ATO from the FedRAMP Joint Accreditation Board (JAB). Since I know some of the people working with the JAB, I trust them more. However, GovCloud is not perfect either. While it is walled off from the rest of AWS there are questions they never answered about boundary controls that I am not comfortable with. There is also a question about maintaining the ATO and how they undergo retesting and coordinate that with the JAB.

After three years of experience trying to work with Amazon and keeping compliance with FISMA, I wouldn’t trust Amazon. I think they are hiding things that I just don’t feel comfortable with. And unless there is more transparency in their testing and the support documentation, I would never trust that they have the ability to create systems to handle classified data. I just don’t believe they have the capability.

Sorry… I’ve worked on creating SCIFs and have a more paranoid view of this than Amazon does!

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.