Yes, but now Amazon will show them orange alerts if they do that!
I've argued this before around here - I believe it's a platform provider's responsibility for the most part to secure data, and less so the responsibility of the developer or user. Amazon should go much further and make it hard to open up the data to the public, at least for certain categories of buckets.
So for instance some buckets should always be public by default, and some should always be encrypted and private by default. That should make intelligence agencies' choice easier, because I would imagine even if it's "harder" to process the data from an encrypted bucket, they would still prefer that option to the always public bucket.
And maybe both categories could still be configured to either be private or public, respectively, but the account owners should have to really go out of their way to make those changes. So most shouldn't bother, and just use the defaults for each category of buckets.
> I believe it's a platform provider's responsibility for the most part to secure data, and less so the responsibility of the developer or user
I would say that is going too far, or maybe I'd say it differently. If a certain problem becomes very frequent relative to its severity, the problem is a design bug and not just user error. The provider isn't responsible for every mistake, but they are responsible for designing with mistakes in mind.
If your design allows insecure setups without users understanding the risks in full, I think that's on the providers and not the user. If the user understands the risks fully, then it's on the user.
I think we are way far away from users fully understanding the risks, and we're still mostly dealing with people not realizing they're vulnerable. So I put this primarily on the provider.
And it only took the Pentagon exposing its main surveillance operation to get Amazon to make that change. Progress.
I wonder what other improvements we'll see when CIA's surveillance or drone strike data is also exposed to the public by a similar fuckup? Fully homomorphic encryption?
"With the new AWS Secret Region, we are bringing the same tools and workflows that are already available for Top Secret workloads to customers with Secret datasets and workloads."
Does this mean they already had an AWS "Top Secret" Region?
Article says that this is the first cloud provider certified for these workloads, but I believe both Microsoft Azure and Amazon AWS began negotiating these contracts around the same time.
Microsoft announced their version a few weeks ago[1]. I wonder if Google will follow shortly?
Yeah, I worked on an AWS product launch for a product that was not ready to go live, and we ended up trying to dog-food a bunch of other AWS services that were also not ready to be live. It was honestly pretty shocking.
It's not, though it's related. GovCloud only supports up to "Controlled Unclassified Information." This can handle Secret and Top Secret. I'd expect it to be even further restricted in terms of supported services.
Why? It can still be connected to SIPRnet or JWICS.
Or customers can get a Direct Connect from their existing facilities into the region. I presume the USG has plenty of fiber straight into these new datacenters and I'm not sure why Amazon wouldn't allow Direct Connect.
As someone else mentioned, perhaps this will get contractors to stop using public S3 buckets to share data.
The term “air gap” does not directly imply anything to do with the Internet (doesn’t exclude it, but it applies more generally than specific networks). Yes, IC uses it to signify high/low networks, but the original usage of the term was to indicate a machine with no direct connection to the outside world. The theory being (since proven wrong), you can’t exfiltrate data remotely from a device not connected to a network.
Yes, I know the intelligence community uses this definition of air gap to signify the barrier between high/low networks, but I kinda feel it misses the point of the term. If it is networked to the outside world, even securely, I feel it kinda misses the point of the “air gap” connotation (aka requiring a “sneaker net” to get data in / out). I’m likely being pedantic though, so I upvoted you as you at least gave a good response unlike others.
It’s useful insofar as it’s connected to itself, allowing individuals and companies to share data and compute with one-another, where data can ingress/egress manually but travel the network between VPCs automatically.
It might also mean that the cloud is connected to networks that are not, themselves, Internet-routed. For example, users of the Secret region might have leased lines connecting airgapped computers in their own facilities directly to the DC for ingress/egress.
It might also mean that the network is connected to a “different Internet”, like MILNET.
The contracted top secret cloud is connected to JWICS. JWICS and SIPRnet (the secret counterpart) are both government internets (but are not the Internet with a capital I).
I know of two government approved methods for data transfers for closed networks, one of which is pretty close. You basically have two servers connected to the same disk array, and they take turns mounting it to move files onto/off it. There is of course scanning and logging and such involved.
The other (unidirectional) method is a fibre pair connection that does not physically connect the TX with the RX in one direction, and there is some bumblefuckery that pushes the data through.
Of course classified data is only transferred from networks with lower classification to networks with higher classification, never the other way.
Raytheon Trusted Computer Solutions (RTCS), a wholly owned subsidiary of Raytheon Company (NYSE: RTN), today announced that its High Speed Guard (HSG) big data transfer solution has received Cross Domain System Authorization and Authority to Operate for Secret and Below Interoperability (SABI).
This allows government customers to connect to networks classified at secret and below, and enables them to start the SABI site test and evaluation toward full system accreditation.
Raytheon's HSG solution is a commercial-off-the-shelf product that enables the rapid transfer of all types of data across multiple networks at different classification levels. With the industry's fastest bi-directional transfer rates of any guard technology and proven sustained transfer rates of more than nine gigabits per second, HSG is ideally suited for large-scale deployments that require rapid, automated data transfer.
That is precisely how I would describe the Tenix and/or FOX-IT data pump implementations. It's amazing what people can manage to get away with even at EAL-7+.
Fun fact: many desktop printers can hit 3kbps in V40L QR codes (biggest + lowest ECC).
(Estimated at approx 10ppm by 20KiB per code.)
For the security conscious on a budget, printing QR codes to scan to a networked machine can be a way to get information off an otherwise air-gapped machine, with easy introspection and auditing. (This came up in the context of offline signing of Bitcoin transactions with a "warm" wallet -- digital, but airgapped from the "hot" wallets.)
> the CIA has placed a big bet on adopting commercial cloud technology
Can't they get the NSA to rent them some of their spare capacity from the CNCI? Or is this because they trust Amazon to have actually solved the hard problems?
A region is a cluster of typically three distinct data centers and this could have the three D.C.'s distributed geographically in a model specifically designed to provide both.
They're not charging per GB of S3 or whatever. It's likely a fixed(ish) priced contract that basically covers their cost of building a complete region. So the pricing doesn't really compare.
Basically, AWS is all public cloud, none of this private cloud nonsense... until you come along with a $600MM check and then you can have a private region all to yourself!
If they didn't, nobody would know about it. It's not like Amazon has a big list of email addresses of people who have Secret data that they might want to put on the cloud. Even if they did have a list of government people like that, most of the people interested in this service are contractors who don't officially work for the government.
The government doesn't work like those spy movies where everybody knows everything the instant it happens. It's more like a big bloated corporation with thousands of subcontractors and generally lousy communication all around.
When I first saw the headline, I thought it had something to do with secrets management, for, like, ssh keys... Why would they need an entire region for that?
We are pleased to announce the new AWS Secret Region. The AWS Secret Region can operate workloads up to the Secret U.S. security classification level. The AWS Secret Region is readily available to the U.S. Intelligence Community (IC) through the IC’s Commercial Cloud Services (C2S) contract with AWS.
Usually when I post a quote from the article to shed light on what it's actually talking about it is appreciated. What's different about this time that causes a bunch of downvotes?
Will it be locatable by latency (roughly) or is that not the point?
Additionally, if I was doing secret things I'd really think it was not a great idea to put that into a data centre marked "Definitely where I keep all of my secrets".
I don't think the point is to hide its real location or to hide secrets, but to be able to build services that comply with US classification levels (sensitive, secret, top secret).