NSA ‘Systematically Moving’ All Its Data to the Cloud

(defenseone.com)

68 points | by vinnyglennon 2124 days ago

18 comments

  • majestik 2123 days ago
    They aren’t moving to “the Cloud” as in AWS or Azure, they’re just moving to bigger/faster/better Gov-owned data center(s). Business as usual.
    • luma 2123 days ago
      More specifically, an NSA owned and operated datacenter. They are offering access to other intelligence community services, so technically that would be "cloud", but in this case it's NSA's own "cloud".
      • blattimwind 2123 days ago
        The usage of "cloud" is now so broad that basically Hacker News is a cloud, because I can log into it.
        • sslayer 2123 days ago
          The "cloud" in my humble opinion, is just a rebranding of the 1970's mainframe. Everyone sharing resources - just more across multiple systems than 1. So instead of mainframe or cloud, the proper term should really be - Multiframe
        • andor 2123 days ago
          Things should be seen in context. People here are trying to understand The Cloud as a technical term. They then see contradictions left and right because everything seems to be The Cloud now. It's definitely not a precise technical term anymore, but I'm pretty sure that the organizations switching expect some concrete benefits.

          Often, switching to "a cloud" simply means using a managed service. Either managed by another company/agency, or by another team in the same company/agency. That means it's not necessarily a technical decision, it's more about making their employees productive. The important thing to realize here for hackers is that not everybody has the same tech skills and needs.

          As opposed to the (more flexible) hardware in the basement server room, "The Cloud" is bought as a product for a specific purpose. The benefit to end-users is that they can concentrate on their core business, whatever that might be:

          - Cloud CRM customers can concentrate on CRM stuff. They don't have to worry about hardware, server administration, etc.

          - Application developers using a PaaS can concentrate on their app. The PaaS handles the lower levels: it keeps the app running, load balances traffic, keeps the app responsive (e.g. by scaling up number of app instances).

          - Operators of a PaaS can rely on a managed infrastructure layer.

          Not having to have in-house experts can be an advantage for companies/agencies that have difficulties attracting the right talent. And even for experts, working on the highest possible abstraction level, e.g. using a PaaS or "serverless" when writing an app, can improve efficiency a lot.

          Depending on the type of service, there are a few other benefits that people expect from "The Cloud", such as elasticity.

          Self-service and instant availability of resources to end-users is a big one for bureaucratic environments. My team needs a database. I can create one myself through The Cloud, and I don't have to go through "the official channels" for a permit and then ask a DBA to actually do the work. The Cloud can work around old processes because it comes with risk management built-in. My team can have a resource limit, up to which we can flexibly book any resources we need. Auditing is also built-in. Operators of The Cloud can easily monitor resource usage across teams.

        • api 2123 days ago
          Peer to peer networking is being rebranded as "fog" because it's cloud brought down to encompass everything. So now your laptop, phone, fridge, and toilet are the cloud too.
          • giancarlostoro 2123 days ago
            Fridge and Toilet would fall more under IoT I would think no?
            • labster 2123 days ago
              Toilets and refrigerators have always been connected to a series of tubes.
              • hhh 2123 days ago
                The prior being the brown-net, and the latter the bluenet.
            • ethbro 2123 days ago
              IoT definitely exists in the fog.
            • mrjudgejoebrown 2123 days ago
              Internet of Turds in the case of the toilet.
        • PhasmaFelis 2122 days ago
          I've yet to see a single instance of "the cloud/in the cloud" that couldn't be replaced with "the internet/on the internet" and still mean essentially the same thing.
    • blitmap 2123 days ago
      I would find it hilarious if they put these data centers on foreign soil so information can't be legally retrieved in some circumstances.
      • jonhohle 2123 days ago
      • Ice_cream_suit 2123 days ago
        Funny? I would describe it as tragic and scandalous.

        It is also potentially subversive because of the consequent ability it gives intelligence agencies to suborn their political masters. For an existence proof, look at the troubles that the orange man is having with his intelligence agencies.

        Even worse, it is already happening.

        "Five Eyes act as a "supra-national intelligence organisation that doesn't answer to the known laws of its own countries". Documents leaked by in 2013 revealed that the Five Eyes have been spying on one another's citizens and sharing the collected information with each other in order to circumvent restrictive domestic regulations on surveillance of citizens."

        • jonhendry18 2122 days ago
          "For an existence proof, look at the troubles that the orange man is having with his intelligence agencies."

          Troubles for which I, for one, am eternally grateful.

      • acct1771 2123 days ago
        Yeah, funniest thing ever.
  • robbiet480 2124 days ago
    To be clear, it appears they are moving to their own thing called "GovCloud" not AWS GovCloud which doesn't allow for safe storage of secret information. AWS C2S does though (that's the special region they built for CIA that launched last year).
    • Diederich 2123 days ago
      Quite a few government agencies now use C2S besides the CIA. It's qualified for top secret as well as compartmentalized data.
    • dev_dull 2123 days ago
      > not AWS GovCloud which doesn't allow for safe storage of secret information

      Sure it does. I think this has a lot more to do with federal data requirements than technical security. E.g. data centers are all so many miles apart.

      • geofft 2123 days ago
        I think the comment was that GovCloud is not approved for storing information whose classification level is "secret," not that AWS does not keep data in GovCloud secret.
  • ryeguy_24 2123 days ago
    The word "cloud" is consistently overused. This article would get no points if the title read "NSA Moving All Its Data to a Bigger Cooler Database" which is really all they are doing, no?
  • ilyanep 2124 days ago
    I think to whatever extent it's possible to get buzzword poisoning, this article would do it.
    • bartread 2124 days ago
      Indeed: I think I'd reached semantic satiety by about paragraph 3.
  • joewee 2123 days ago
    The interesting part of this article is that they are improving how data is tagged and implementing a new architecture as part of the migration to allow other agencies more access to what’s collected. The only thing that seems significant about the term “cloud” is that it’s shared infrastructure with the other agencies.

    And based on all of the press releases, all the USA government “clouds” are AWS.

  • therealtomsmith 2123 days ago
    Moving All OUR Data To The Cloud
  • free2chill 2123 days ago
    Great single point of failure. Hack this center and it's like the nsa is collecting data for you.
    • mikec3010 2123 days ago
      It is if there is some central root user for the whole thing. I doubt they'd be dumb enough to do that, however.

      Just brainstorming, but at this scale, you could have a separate encryption network built in to the hardware so that users request data only in gigabyte blocks, then read it on hardware that asynchronously requests the key and does JIT decryption via a secure network that IS locked down in the Pentagon somewhere. Hell, it could even be airgapped and just hire a grunt to walk to a file cabinet each time to unlock it. So that even if you exfiltrated their whole datacenter, you'd have nothing without the keys (that's a given regardless).

      The keys could be hot-rotating so that if the key center was hacked (and they detected it), they could shut off the cloud, re-encrypt everything with new backup keys, and keep running.

      But that's sci-fi level shit. In all likelihood it's some crappy instance of azure outsourced to Bozo Hamilton

      • ceejayoz 2123 days ago
        > It is if there is some central root user for the whole thing. I doubt they'd be dumb enough to do that, however.

        I wouldn't be certain of that...

        "Launch code for US nukes was 00000000 for 20 years" https://arstechnica.com/tech-policy/2013/12/launch-code-for-...

      • StanislavPetrov 2122 days ago
        >I doubt they'd be dumb enough to do that, however.

        Me too, I think it will be due to a toxic brew of stupidity, hubris, and incompetence, rather than just being dumb.

    • albntomat0 2123 days ago
      Alternatively, this allows better defense, rather than everyone and their grandmother having to run their own setup.

      It is a single point, but also allows defenders to focus their efforts.

  • patrickg_zill 2124 days ago
    In the context of the NSA, I don't think it is very important. They are keeping everything inside a 100% fully-controlled-by-NSA datacenter, right?

    The "JimsFamousKefir.com" domain isn't going to be hosted on some servers in the next rack over...

    • rl3 2123 days ago
      >The "JimsFamousKefir.com" domain isn't going to be hosted on some servers in the next rack over..

      Unless we find out Jim is an NSA asset, and his famous kefir just a small piece of a larger network traffic injection/payload delivery operation.

    • qop 2124 days ago
      I had kefir for the first time the other day and I'm pissed that I've wasted 50 years of my life not drinking it.

      It's delicious!

      • cwilkes 2123 days ago
        Just wait till you find frozen kefir
    • StanislavPetrov 2122 days ago
      >They are keeping everything inside a 100% fully-controlled-by-NSA datacenter, right?

      You're joking, right? Ever hear of a guy named Snowden? The idea of full, 100% control over anything is a fantasy.

    • natch 2123 days ago
      “640k ought to be enough for anybody.”

      And the secure cloud should be just fine for protecting the archival copies of your family’s personal and private conversations stored in the NSA’s stash of “its” data.

      /s

  • zyxwvu 2124 days ago
    So how long until this has a massive security breach or the servers privatized and passwords.txt is just left open?
    • onetimemanytime 2123 days ago
      Not likely to happen, they changed the password to password123 :)

      If it's online or in one easy-to-copy place and if 1000's of people have access to it, it's just a matter of time. But then, I guess Russia's or China's secrets have probably been hacked by NSA, so we're even. What a nightmare it must be for NSA...your deepest secrets out there, for everyone to see.

      • 908087 2123 days ago
        You mean the deepest secrets of everyone the NSA has been indiscriminately spying on?
  • rurban 2121 days ago
    So there's now definite proof that there is no oversight. This will only stop if some politician's most private data leaks from some cloud misconfiguration, as it usually does sooner or later.
  • philip1209 2123 days ago
    So, they're decoupling software from hardware?
  • JetSpiegel 2123 days ago
    Cloud-to-Butt browser extension never gets old...
  • jlgaddis 2124 days ago
    Did they run out of storage at Bluffdale already?
    • Theodores 2123 days ago
      No, Bluffdale is the cloud.
      • mirimir 2123 days ago
        So how's Bluffdale working, these days? As I recall, they were seeing some glitches at startup ;)
  • AngryData 2123 days ago
    AKA, moving their data to a different server.
  • eaandkw 2123 days ago
    Vault 8 data breach in 3, 2, 1...
  • arisAlexis 2123 days ago
    siacoin would be a fully encrypted alternative but not ready yet
    • arisAlexis 2121 days ago
      the blockchain hate is strong..
  • gsich 2123 days ago
    What a "news". An organization moves data from computer A to computer B.
  • beenBoutIT 2123 days ago
    Idiots are going to stumble across this on Breitbart or wherever, and later find themselves stuck in traffic in their truck thinking 'NSA's movin' to the AWS cloud, maybe the time's right for me'. After bouncing that same simple thought around their trusted-idiot circle at a bar, the concept will gain steam and AWS is fast on its way to becoming a trusted name in the idiot community.
    • jonhendry18 2122 days ago
      Breitbart readers hate Bezos because Trump hates Bezos, so their reaction would probably be somewhat different. It would probably involve the terms "Bezos", "Deep State", "Treason".