CIA Off and Running With Amazon Web Services

The CIA intends to have its AWS deployment near completion this summer, it said at an AWS conference in Washington. The spy agency is working through security challenges while looking ahead to significant operating efficiencies and cost savings.

WASHINGTON — When the CIA began contemplating a move to the cloud, the tech team looked for a commercial partner that could help modernize its IT infrastructure and introduce a level of agility that would bring the agency more in line with private-sector enterprises.

The spy agency embarked on what CIO Douglas Wolfe describes as a rigorous acquisition process, inviting only vendors with an established, commercially viable and highly flexible cloud solutions to vie for the plum contract.

The CIA ultimately settled on the Amazon Web Services cloud platform, a leading player in the market that has been garnering increasing interest from CIOs in the public sector, who amid flat or declining budgets must do more with less.

[ Commentary: What CIA Private Cloud Really Says About AWS ]

[ Analysis: Is the Federal Government Ready to Embrace the Cloud? ]

"The mission that we have is important, and the pace and complexity of that mission is not changing. In fact it may be increasing," Wolfe said in remarks on Tuesday at an Amazon AWS conference.

The award of the contract, valued at up to $600 million, was itself the subject of some controversy, with IBM protesting the way that the CIA evaluated the proposals. Amazon filed a lawsuit in federal claims court, and finally prevailed in October, settling the matter.

The CIA and Amazon today are working together to set up the cloud, which Wolfe says should be close to completion later this summer.

CIA Putting AWS Behind Langley's Firewall

Wolfe describes the implementation as very much a custom build. It brings the flexibility and agility of the public cloud on-location, behind the CIA's very thick firewall in Langley.

"We're … putting together this public cloud on private premises," he says. "The idea is to be able to take the best of the public sector — we're going to lift it and sort of place it behind our fence line, if you will, but then be able to operate them for the intelligence community on our premises."

[ Tips: 10 Ways to Ease Public Cloud Security Concerns ]

That rollout involves testing the commercial cloud to what Wolfe describes as some "pretty high security standards" at the agency, a process that he acknowledges entails something of a clash of cultures as Amazon's AWS team works alongside the technologists at the highly secretive agency.

Amazon, for its part, positions security a key selling point as it courts government contracts, though that issue remains a high hurdle in the public sector.

"Many people are confused about security in the cloud," says Steve Schmidt, AWS' vice president of engineering and CISO. "That's sometimes a little uncomfortable. Many CIOs get a little fidgety."

Different as the method of providing computing power, storage and other services may be in the cloud, the security policies and procedures for securing data are fundamentally the same, "just applied in a different way," Schmidt argues.

CIA Keen to Work With Amazon, Commercial Developers

In an IT environment as famously risk-averse as the federal government, shifting critical systems and applications to the cloud can be worrisome, as, by necessity, the cloud model involves an outside provider shouldering some of the responsibility for security. But cloud computing evangelists often argue that, implemented properly, the cloud can offer a more secure environment than a traditional on-premises data center.

[ Study: Cloud Will Save Government Billions, But Security Concerns Persist ]

"Security is something that's shared," Schmidt says. "Security is something you have to do hand in hand with your service providers."

Amazon's AWS, for instance, is deployed with what the company calls the "least privilege principle," which strictly limits permissions based on job role, and requires those accesses to be reauthorized every three months. Limiting permissions on an as-needed basis offers a sharp security improvement over a more traditional approach where a handful of employees might have universal admin privileges that give them the run of a company's (or agency's) systems, Schmidt maintains.

"This is about minimizing that perimeter, minimizing the number of humans who can touch things," he says.

Amazon also offers an API that provides a holistic, rapidly updating inventory of data assets. The company notes as a point of pride that there's no diminution of standards for lower-end deployments, so that a gaming startup on AWS receives the same baseline level of security as the U.S. Navy, as Schmidt puts it.

Wolfe sees security as a challenge, but not an insurmountable one. Over time, the CIA expects a big payoff in the form of cost savings and operating efficiencies through its cloud deployment.

[ Analysis: Security in the Cloud Is All About Visibility and Control ]

In particular, Wolfe is keen on the metered pricing and flexible usage, where the supply of computing power will flex up and down to pace the agency's needs.

"As we consume products and service from this private cloud, we will be paying Amazon just like you do in the public space," he says. That's a sharp departure from the conventional way that the government acquires IT, which, at around $80 billion a year, entails considerable waste. "They always order for the peak need," Wolfe says.

The CIA also looks to take advantage of AWS as a platform, calling on commercial vendors to develop applications that can run on Amazon's infrastructure that it and other agencies could acquire through the company's cloud marketplace.

"I'm determined that we will not only have the innovation — how do we spin up the servers, spin up the IT at the pace of mission — but we're going to start to bring the innovation from the commercial sector in terms of applications to the mission space as well," Wolfe says. "We've got a whole number of vendors, some traditional vendors [and] some new, but we're asking them to look at how they can participate in a marketplace-like environment."

Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for CIO.com. Follow everything from CIO.com on Twitter @CIOonline, Facebook, Google + and LinkedIn.

Join the discussion
Be the first to comment on this article. Our Commenting Policies