The CIA has signed a cloud-computing contract with Amazon worth $600 million over the next decade, according to Federal Computer Week.
FCW drew its information from unnamed sources. Amazon executives and CIA officials apparently refused to comment on the matter. Amazon’s private-cloud infrastructure will allow the CIA to use data analytics and other technologies “in a cost-effective manner not possible under the CIA’s previous cloud efforts,” the article stated.
Contracting with a privately held company could help the CIA manage its IT costs. For one thing, it could spare the agency from having to build additional data-centers and other infrastructure. It’s also possible that government negotiators—again, if FCW’s report is accurate—could have negotiated reduced rates with Amazon for cloud services.
The first question that pops to mind, however, is one of security. If the contract stipulates that Amazon build a private-cloud environment behind the CIA’s firewall, it could help mitigate fears of cyber-espionage; but if the CIA is storing at least some of its information in Amazon data-centers, then the arrangement could present a ripe target for cyber-attackers.
It’s also possible that the CIA isn’t giving over all its internal data to the Amazon private cloud. At least in theory, it could isolate particularly sensitive information within another, separate data-center—while leaving data below a certain security level on the AWS platform.
For every organization that isn’t the CIA, securing a public or private cloud is a matter of checking off boxes on an extensive checklist. Making sure all access is authorized is a must, as is encrypting data. SlashCloud’s Steve Ragan offers some tips for locking down a cloud, including the importance of layered defenses and log management; organizations can also hire (or build) a Red Team for penetration testing, all the better for strengthening the ol’ institutional security posture. IT vendors such as Hewlett-Packard and IBM have also launched tools that rely on analytics to help strengthen clients’ attack detection.
But few organizations have the security needs of the CIA, or present quite as ripe a target. While the agency and Amazon are unlikely to part with details about the contract anytime soon, it’s certain that security is front-of-mind for both.