Amazon talks cybersecurity in the cloud for feds

Nextgov discusses government managers' fear of losing control, data breaches and disaster recovery with Adam Selipsky, head of the company's Web services division.

The White House and some atypical federal contractors are out to calm fears among agency technology managers that outsourcing their computing to the cloud is a security nightmare waiting to happen.

Cloud computing, using on-demand hardware and software that is hosted online by a third party, might be gaining traction at some agencies. The Recovery Accountability and Transparency Board, which oversees stimulus spending, recently announced Amazon will host its money-tracking website Recovery.gov. But many chief information officers are only dipping their toes into Web-based information technology, uneasy about the possibility that data could be lost or hacked if an outside contractor is managing their information on the nebulous Internet.

Still, Federal CIO Vivek Kundra is pushing agencies to embrace the cloud within 10 years to cut IT costs and to gain flexibility that would allow them to serve the public better. To meet that deadline and to bridge a technology gap between the private and public sectors, he is trying to ease the procurement process for innovative, nontraditional vendors such as Amazon.com to provide federal services. The Seattle-based company has long hosted IT for corporations.

Kundra met in March with West Coast firms, including Amazon, "to discuss how government can improve how it is delivering services to the American people [and] to look at some of the impressive investments in next generation technologies," he wrote on the White House blog.

Aliya Sternstein interviewed Adam Selipsky, vice president of Amazon Web Services, to discuss federal managers' worries about IT security in the cloud.

Nextgov: When government officials are concerned about handing control of their data to a cloud services provider, what do you say to assure them of your networks' safety and security?

Selipsky: The word control is a good word. . . . I think there is often an initial fear of loss of control, but I think what most of them, such as Recovery.gov, Wall Street firms, large pharmaceutical firms, come to realize pretty quickly is that they are not relinquishing control of things that are really important to them. The data is going to be where you put it.

[Amazon offers organizations a choice of data centers located worldwide, including facilities in Ireland, Singapore and Northern Virginia.] We can guarantee that information will not leave that region unless you choose to move it. They also have a lot more control than they have traditionally had in terms of the computing resources they can bring to bear on their products. [Amazon's scale allows the company to apply significantly more security policing and countermeasures than almost any large company could afford, according to Amazon officials.]

Nextgov: The government typically has managed the physical security of its data centers, which is another reason federal officials might be reluctant to cede control. What steps does Amazon take to ensure that people cannot break into facilities that contain government data?

Selipsky: It's not just the physical security. It's about physical security, as well as security of the software and network layers. We think of security as an end-to-end issue. We use the same approaches that governments and large organizations have used for decades and are using today -- and then we add some things on top.

[As far as physical security,] it's the typical nondescript buildings that are not heavily advertised. . . . It's strict logging of anyone who has physical access to the facilities, video surveillance. We do appropriate background checks on every employee entering the facility. We give the ability to encrypt your data.

Nextgov: Your company offers a networking security service called the Amazon Virtual Private Cloud. What makes this service different from other cloud providers' data protection tools?

Selipsky: It simply makes Amazon Web Services look like another data center that they own or control. . . . It's a secure bridge between the agency's own [information security management] infrastructure and the AWS cloud.

Nextgov: How do you address the concern that a federal department's information will accidentally become stored with another client of yours?

Selipsky: There's basically no way for that mixing to happen. With the Virtual Private Cloud you really do create the same security measures that the company already has. . . . [It] allows you to cordon off your own private corner.

Nextgov: How many physical locations typically store a government customer's data to ensure adequate backup and disaster recovery?

Selipsky: We make multiple redundant copies in separate physical facilities. A tornado or a lightning strike is not going to take out the facilities where you have your data. We have multiple data centers within a specific region.

Nextgov: What do you say to federal officials who are worried about Amazon employees accessing government files?

Selipsky: A lot of organizations have issues with even knowing what assets are in place. Those are all access points into the network. It's incredibly hard for the CIO to know about all of those access points into the network. [On AWS], with a single command, a CIO can get a listing of every resource that is running in the AWS cloud. There is complete visibility and knowability of all assets.

We have strict policies on who can access what. There really is no way for AWS [personnel] to access an agency's data if it's been encrypted. We have strict and effective logging so that if anyone did attempt to do anything that was technically feasible while prohibited, we would have instant visibility into who was doing that.