back to article Amazon launches Secret Region – so secret it's endorsed by the CIA

Amazon Web Services has launched a Secret Region – which we know about because the CIA has endorsed it. The new region is certified to run workloads rated “Secret” on the United States' data classifications, which proceeds from Unclassified to Sensitive, then to Secret and finally to Top Secret. AWS claimed the launch is …

  1. Anonymous Coward
    Anonymous Coward

    very interesting, does this mean every Amazon employee now has a security clearance after being vetted?

    1. Anonymous Coward
      Anonymous Coward

      No, just the very small subset that work within, have involvement or access to (physically or digitally) to that particular facility.

      1. Anonymous Coward
        Anonymous Coward

        So I can write backdoors into the Amazon cloud code, I just can't work in that building or be assigned to that project? Sweet!

      2. Anonymous Coward
        Big Brother

        Anonymous Agent: "No, just the very small subset that work within, have involvement or access to (physically or digitally) to that particular facility."

        What's stopping agents of a foreign power apply to work at Amazon and so gain access to all yer secrets in the cloud. I figure this would be easier than breaking into a building at night and scraping the contents of a harddrive.

        1. Muscleguy Silver badge

          I would expect US citizens only. But then you said agents, who would have, or appear to have citizenship and pass security checks. So nothing. Unless AWS has offloaded staff clearance to the CIA/NSA of course.

          Which is what I would do if I were AWS. Then WHEN an agent gets in they can say 'not our SNAFU' to the spooks.

          The question is did AWS do this? or did some suit veto that?

        2. Mark 85 Silver badge

          What's stopping agents of a foreign power apply to work at Amazon and so gain access to all yer secrets in the cloud. I figure this would be easier than breaking into a building at night and scraping the contents of a harddrive.

          No need to go to that trouble. Give it some time and this area will probably be just as leaky due to misconfiguration as the S3 buckets.

        3. Chairman of the Bored

          What's to keep foreigners out?

          Our extraordinarily skilled Office of Personnel Management. You know, the same guys who... wait a sec... (hyperventilating into bag)

    2. Anonymous Coward
      Anonymous Coward

      very interesting, does this mean every Amazon employee now has a security clearance after being vetted?

      You have never worked on a secure project then? You have a subset of people who get put through a clearance process. First you start with generic vetting (no criminal convictions, no dodgy past, not too much debt), and then (depending on level) you do the deep stuff which is not so much a pass/fail as a risk assessment of what you have to put in place to protect the employee against subversion. That's why lying during especially that last process is a very bad idea, however embarrassing it may be - because exactly the thing you're worried about can be used to blackmail you.

      So yes, there will be cleared people, no, it doesn't need to be everyone.

      1. wyatt

        I use to have this problem with Cable and Wireless at my last job. You'd call in a fault on a circuit and because there was no one cleared to the required level, they couldn't resolve it.

        It's expensive and unnecessary to vet everyone, but at least some on the shift should be vetted.

        1. Anonymous Coward
          Anonymous Coward

          I use to have this problem with Cable and Wireless at my last job. You'd call in a fault on a circuit and because there was no one cleared to the required level, they couldn't resolve it.

          You could have called me at Brentford :).

      2. Pen-y-gors Silver badge

        Subversion?

        a risk assessment of what you have to put in place to protect the employee against subversion.

        So the principal is that so long as you are open and tell them about being president of the squirrel love society (as noted on your website) and your enjoyment of country and western music you're okay? But a hidden affair with the next-door-neighbour is a no-no?

        Actually it used to be quite tough - my father was a senior officer in the RAF (back in the 1970s) and had to do a lot of explaining when his step-sister-in-law decided to go and work as a librarian in East Berlin!

        1. Anonymous Coward
          Anonymous Coward

          Re: Subversion?

          So the principal is that so long as you are open and tell them about being president of the squirrel love society (as noted on your website) and your enjoyment of country and western music you're okay? But a hidden affair with the next-door-neighbour is a no-no?

          I don't know if that is a principal, but it sure is a principle (sorry, give me a moment to kick my inner pedant back in its box). In less enlightened days you also had an interview with some colonel who then asked if you were, ahem, *cough*, shuffle, gay. Very, very amusing to see how much of a problem that question was. However, the reasons behind it are sane: everything that can be used to subvert you is a risk to both you and the organisation who sponsors your vetting, so they need to know - it's not like the lower levels which is pass/fail, this is a risk assessment so there is no right or wrong outcome, simply a list of things to watch.

          I actually must go and talk to some people. I've been through this years ago, but as I plan to visit China next year I need to work out what (if anything) I need to do before or after. I no longer work in those exalted spheres because they started filling up with people who were proud of being "leet" instead of doing useful work, but the demands of a nation's secrecy laws do not expire.

      3. JimboSmith Silver badge

        Called my dad at the office one day and he was apparently in a meeting with a Government bloke according to his PA. When he got home and I asked he said he and a few others at work had had a visit from someone from the Government. Apparently he wasn't able to disclose anything from the meeting to anyone else. I knew what the firm did knew about a major building project and putting 2 & 2 together I got four. He didn't say anything but he was lucky he never played poker as you could see the shock in his eyes. After the colour had returned to his face I pointed out how I knew what I'd just told him and showed him a couple of sites on the internet. He told me that what I'd just said was pure speculation and he couldn't talk to me about anything (i.e. confirm or deny). Given I might breach the Official Secrets Act I'm not going to say anything more. It was amusing that he (and other senior people) had to be read into something that I already knew about. He did tell me years later that he was told he'd been vetted & cleared and if he hadn't he wouldn't have been allowed into the meeting.

        1. Anonymous Coward
          Anonymous Coward

          I knew what the firm did knew about a major building project and putting 2 & 2 together I got four

          That was actually my problem with classified matters - if you let people with an analytical brain like mine near partial information there is simply no way you can prevent them from filling in the blanks by simple logic and some very basic guesswork and theorising. It's not deliberate, it's simply how their brain works so it's worth planning for.

          The key to safely working with secure material (or "protectively marked", to give its official name) is to kill off your curiosity. Not easy, but avoiding knowing too much is a safer approach than knowing and acting on data you're not even supposed to have.

    3. Anonymous Coward
      Anonymous Coward

      AWS playing catch-up with Azure as usual:

      https://www.theregister.co.uk/2017/10/18/azure_cloud_blabs_about_secret_clearance_from_us_government/

  2. allthecoolshortnamesweretaken

    You'd think the NSA would be able to run a secure gov.cloud that other agencies can use for secret & sensitive stuff... OTOH, given the internal turf wars, struggles over jurisdictions and, above all, budgets and perceived relevance within the US intelligence community, I can see the CIA be in favour of using AWS rather than the NSA. Not that I would put it past the NSA to try and get a copy anyway.

    1. Anonymous Coward
      Anonymous Coward

      Been there, got the hat and the toy unicorn

      "You'd think the NSA would be able to run a secure gov.cloud that other agencies can use for secret & sensitive stuff... "

      It has been tried, it wasn't a success. The UK has a similar initiative, the G-cloud. There was much heat, little light, about the launch of G-cloud and it has turned into a giant "meh" since it's possible to get better services in the private sector.

      1. Anonymous Coward
        Anonymous Coward

        Re: Been there, got the hat and the toy unicorn

        It has been tried, it wasn't a success. The UK has a similar initiative, the G-cloud. There was much heat, little light, about the launch of G-cloud and it has turned into a giant "meh" since it's possible to get better services in the private sector.

        Given the competence and especially goals of the people involved, that outcome was not just possible, it was actually unavoidable..

    2. Anonymous Coward
      Anonymous Coward

      Makes sense to have someone experienced manage it

      The NSA will no doubt be closely involved to make sure Amazon does everything right and to double check their security measures. This way they get Amazon's tools for managing it, but still have the assurance it is secure since it is no doubt located inside a government facility somewhere (maybe that huge datacenter they built in Utah) and would be isolated from the rest of Amazon's network.

      Basically they've hired Amazon as a government contractor to provide a cloud, instead of rolling their own cloud and hiring contractors to operate it.

  3. Anonymous Coward
    Anonymous Coward

    When is the CIA

    Leaky Amazon S3 Bucket 'server-mis-configuration' story coming El Reg?

    After Shadow Brokers, Julian Assange and Snowden, you'd think the US-military industrial spending complex would be terrified of Public Cloud?

    ... 'The region is not only very secure'...

    For now maybe, until the next NSA breach, when ready-to-go Cloud-zero-days end up with hackers! They can't even catch Shadow Brokers!

  4. Anonymous Coward
    Facepalm

    Ingenious Tradecraft Intelligence

    Don't keep your secrets on a computer connected to the Internet.

    1. wallaby

      Re: Ingenious Tradecraft Intelligence

      I think the biggest secrets on there will be what's on offer at the staff canteen this week, cant see them hosting any real sensitive stuff -

      no wait -

      its a government agency -

      scratch that - stupidity abounds

      1. JimboSmith Silver badge

        Re: Ingenious Tradecraft Intelligence

        I think the biggest secrets on there will be what's on offer at the staff canteen this week, cant see them hosting any real sensitive stuff -

        Given The Post Office/BT Tower was left off offical maps and an official secret for decades......

        If you ever get the chance to go up it's a brilliant place. The view is stunning and I just sat there watching the world go past as we revolved.

    2. Adam 52 Silver badge

      Re: Ingenious Tradecraft Intelligence

      It's for stuff classified to "secret". Which is basically the colour of the White House toilet paper and the number of uniforms the Navy is buying.

      1. Chris G Silver badge

        Re: Ingenious Tradecraft Intelligence

        Yeah! The really Top Secret For Your Eyes Only stuff is usually kept on pendrives hidden in commuter train seats.

    3. Muscleguy Silver badge

      Re: Ingenious Tradecraft Intelligence

      Also remember how Snowden and Chelsea Whatsername were low level grunts who got given top secret access. What starts off requiring top level and only a few have it and the access requirements are onerous gradually becomes open to more and more folk and levels and the access requirements get watered down because delegation and need to get stuff done.

      Someone will upload the access codes and certificates to github at some point and nobody will notice . . .

  5. Anonymous Coward
    Anonymous Coward

    Please note..

    "Secure for US government" does not magically imply in any way, shape or form "secure for anyone else" of any of their other services. I know that most PHBs believe in the homeopathy shown by marketing people, but this is most likely a fully isolated service container.

    It's not even sure if lessons learned securing this will make it to the main platform - you'd hope so, but you have no certainty.

  6. Anonymous Coward
    Anonymous Coward

    It's not very secret if everyone knows about it.

  7. Anne-Lise Pasch

    And they will still store their keys unencrypted on Github.

  8. Mark M.
    Black Helicopters

    CIA + Secrets = red flag to Wikileaks & the conspiracy nuts

    So, how long will it be before some disgruntled AWS employee secretly backdoors this secret region to Wikileaks?

    1. Anonymous Coward
      Anonymous Coward

      Re: CIA + Secrets = red flag to Wikileaks & the conspiracy nuts

      Given how quickly stuff leaks these days, they might as well host on Wikileaks and save themselves the hassle of all those intermediate steps. Is there really nobody anymore who can just keep a secret?

      1. Lotaresco

        Re: CIA + Secrets = red flag to Wikileaks & the conspiracy nuts

        If you think about it WikiLeaks isn't much of a threat. WikiLeaks just publish information that is handed to them by idiots. The threat is therefore the idiot, not WikiLeaks.

        Conspiracy nuts are mostly just nuts and although the activities of some of those nuts have becom popular with the press/other nuts they don't present much of a real threat since they ether just wander around screeching tinfoil helmet stuff (as in this thread) or they manage to hack into a "Sekrit Government Internet Service" which later turns out to be something like the order list for office delivery of milk or the prices in the canteen.

      2. Michael Habel Silver badge

        Re: CIA + Secrets = red flag to Wikileaks & the conspiracy nuts

        As theCat from the 100$(USD), Note, was noted to have remarked....

        Two can keep a Secret... If One of them is dead...

  9. GX5000

    Madness

    The Cloud is you paying to have your Data Shared on someone else's Servers, PERIOD.

    You are not the one who will benefit from this in the end.

    Historically Secrecy is not served well by Centralization.

    I will retire soon and will move to a vacant part of Vermont or Canada with no cell service, just Fiber.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021