39 comments

[ 5.2 ms ] story [ 83.5 ms ] thread
I'm impressed that Amazon capitalized on this so quickly. The cost of actually meeting the lowest tiers of certification is pretty low, and with the "you must migrate some applications to the cloud" mandate by the ex-CIO, it's pretty similar to the "meaningful use" HIPAA thing for EHR vendors.
They had made it public they were working on this awhile ago, and IMHO its the main reason behind booting off wikileaks for utter bullshit reasons. When Lieberman's office made that phone call to ask them what their plan was to take the site down, it was with an unstated but obvious implication that not doing so would jeopardize this. The government loves to contract things out, amazon stands to make a lot of money off this by keeping them happy.
I think you're implying Amazon (or any normal business) wouldn't have kicked wikileaks off unless it had explicit federal contracts, which is pretty overly optimistic.

For a $20/yr revenue customer, I'm pretty sure most businesses would kick off a customer costing them lots in DoS and other expenses.

I doubt they're a $20/yr customer, somehow. You can't host a site the size and popularity of Wikileaks off a single Micro EC2 instance.

Amazon is reasonably hard to DoS, and Wikileaks would've been charged for all the bandwidth incurred from one. Amazon would likely profit off such an attack, really.

(comment deleted)
(comment deleted)
This is great, I have heard about many public safety customers who wanted to move to cloud computing, e.g. for compute intensive stuff like face recognition in videos, but didn't because of security considerations.
Wonder how quickly this availability zone will become a target for attacks? A concentration of government data in a single location? Won't be (shouldn't be) classified data, but HIPAA data has it's own risks.
That's a risk, but EC2 actually provides better security in most ways than your average government datacenter does now, at least for unclass data (and is far superior to any classified system I've ever seen for usability and availability and cost).

There's a substantial net benefit in doing this. There are other cloud providers focused on the government market today (Terremark, EDS, Savvis), all using mainly VMware or in some cases Hyper-V; the benefits of being able to use EC2 are that EC2 is in a lot of ways more innovative itself, and that a lot of companies using EC2 can now build a Federal version by just running an instance in a new zone, rather than negotiating for a new hosting provider and porting all their provisioning infrastructure to a new system.

Also, the really secret can't be connected to the internet at all. Anything top secret will be on a server that can only be accessed by people on site. All USB drives on the network must be logged, or maybe disabled. All cables, computers, and other equipment must be visible, so people can't but the network. No mobile phones can be switched on, and cameras are strictly forbidden. All that jazz.

The stuff that will be put on here will mostly be stuff that's a little confidential, but not particularly threatening.

Obviously, it's still a threat if somebody got it all in one hit. But Gmail and Facebook would hold much more useful data.

(There are global TS/SCI networks, e.g. JWICS, UAV feeds of TS missions, etc., but definitely not connected to the Internet...although even the unclassified DoD networks are connected to the Internet only through special firewall/proxy things now.)

I don't think any of the Amazon GovCloud stuff will be used for anything classified, at least for the next few years. It will mainly be used for Sensitive but Unclassified or For Official Use Only type data, which is the vast majority of day to day data processed.

What probably will happen is FOUO/Unclass apps will be developed for GovCloud about 80% as well as on the public internet (which is a huge improvement over things now), and then the users who also have classified needs will complain about how crappy their classified apps are by comparison, then ask for a solution -- which probably will be an EC2-compatible classified cloud owned by the government and operated by a contractor (such as "Amazon Federal Systems" or an Amazon, Inc. partner). It might be dedicated per agency or command. It might just be an EC2 rack appliance in existing DoD datacenters.

This is a great first step toward that.

(comment deleted)
Yes but consider how dependent governments have become on software like MS Office. If Amazon gets governments overly dependent on it, then they become a massive cash-cow. It's probably more than worth the risk to non-classified data from Amazon's POV.
I would have thought that Amazon would be more interested in making sure it's cloud services are a bit more stable before advertising them for this sort of use...

It seems like the overall opinion of AWS (at least on HN) is "sketchy, would not use again".

We've had a good deal of success running on AWS, but YMMV. Your budget and your design are going to determine how much you like AWS during their technical difficulties. The hiccups are easy to forgive, given how it's such an otherwise nice platform to run/develop on.
For all e-gov services with which I had the displeasure of interacting, all around the world, merely approaching the AWS levels of availability and stability would be an immense improvement...
AKO as a google apps service alone would be amazing.
I think Verizon/Terremark has a leg up on Amazon on this one. They have some type of massive secure data center near DC for federal customer clouds.
Terremark does a great job on the physical facility, meeting compliance, and marketing to the government, but it's basically VMware.

VMware is easier for a non-cloud application to migrate to the cloud, which is the case for most existing government apps, but isn't as good a platform for building really large scale applications (e.g. you wouldn't want to run Google Apps on VMware)

There's room for both, but the real win for the new Amazon product is moving existing Amazon EC2 apps to a government-specific shard in a new AZ with minimal effort. This is more a 2-5 year thing than a 0-2 year thing.

Quote from the website: Because AWS GovCloud is physically and logically accessible by U.S. persons only, government agencies can now manage more heavily regulated data in AWS while remaining compliant with strict federal requirements.

I'm really curious that they made this promise and even more surprised that any one believed them. Physical I can buy but logical? What happens with people with VPN credentials that get hacked? How does ANYONE make such a promise for a network-accessible resource?

This statement relates to the support support personnel and customers being ITAR compliant.
This is a bigger deal than most people think. Government has been clamoring to use the the cloud, but couldn't because of security reasons. Every government consulting shop will try and sell this to their clients.
As someone who works in Government in Australia in a non-IT area this is a huge deal.

So much of what we do is simple database - form type applications. To be able to develop these in a more agile, less pay IBM a billion dollars type way, will revolutionise IT in Government.

If you work for the government in Australia, you probably want the OPPOSITE of what this is - cloud servers hosted entirely outside the USA. If the servers are located in the US, they are potentially subject to the US patriot act, and i doubt that would pass Australian government privacy regulations
I'm pretty sure he was simply using his position as the background to why he has that opinion, not suggesting that non-US governments will look to use it.
That's right. Sorry should've made that clearer.

Obviously for the Australian government we would need an Australian version of this or a similar service.

Government IT procurement for fairly trivial systems cost unbelievable amounts of money. A lot of this is due to an overly rigid scoping and dev process.

That's pretty cool. I am sure I am going to be tasked at work with researching it.
Unfortunately GovCloud users will have to do without FreeBSD for now, as I'm not allowed to create AMIs there.
This announcement likely explains the administration announcement that it was shutting down 800 data centers[1] a year or so after announcing that it was going to ramp up its IT effort.

I imagine Amazon provided a compelling argument for using their infrastructure with certain security guarantees in place.

Just the cost savings infrastructure/software/platform normalization across the govt would be significant I imagine.

Best of luck to Amazon.

[1] http://computerservicenow.wordpress.com/2011/07/21/obama-adm...

I wonder what they mean by "AWS GovCloud is physically and logically accessible by U.S. persons only"?
I suspect that means they only allow US Citizens into the facility that houses the servers.
And verification of citizenship for all who require logins. This was SOP at Lockheed.
So that policy is there just so that you can never hire any foreign contractors right? Something about security theather...
A "U.S. Person" has a specific meaning in this context:

* a citizen of the United States

* an alien lawfully admitted for permanent residence

* an unincorporated association with a substantial number of members who are citizens of the U.S. or are aliens lawfully admitted for permanent residence

* a corporation that is incorporated in the U.S.

Wikipedia: http://en.wikipedia.org/wiki/United_States_person

Amazon's competitor for US government agencies is NASA: http://nebula.nasa.gov/
NASA merged it with Rackspace's Cloud Servers and now it's called OpenStack.
(comment deleted)