Steven J. Vaughan-Nichols: The CIA and the cloud

If your company mistrusts the security of the cloud, it might want to take a look at what The Company is doing.

"The Company" is a term that insiders have long used to refer to the CIA. Is there any organization that takes security more seriously? Perhaps, but probably not within the Fortune 500. And yet the CIA appears to be moving to the cloud.

Seriously. According to FCW, a publication that tracks the intersection of government and technology, the CIA has agreed to a cloud computing contract with Amazon that may be worth up to $600 million over 10 years. Specifically, Amazon Web Services will help the intelligence agency build a private cloud infrastructure.

What? You expected the CIA to put its secrets on Amazon EC2? I don't think so!

But get this: One reason the CIA started moving to cloud-based computing in 2009 was that it saw the cloud as being more secure than conventional IT systems. Back then, Jill Tummler Singer, who was the CIA's deputy CIO at the time, said, "By keeping the cloud inside your firewalls, you can focus your strongest intrusion-detection and -prevention sensors on your perimeter, thus gaining significant advantage over the most common attack vector -- the Internet."

While we don't know exactly how the CIA will be using Amazon's services, it's a safe bet that it will be creating its own private clouds. But the hardware used for those clouds might not be hosted on the grounds of the CIA's Langley, Va., headquarters. Instead, the agency's cloud hardware may well end up hiding out somewhere in Amazon's mammoth U.S. East data center, located in nearby Ashburn, Va. Why? Well, just like any other government agency or private business, the CIA wants to save money in its IT budget.

Now, I'd have to say that if the CIA trusts the cloud, just about anyone can trust it -- provided, of course, that you always keep your eye on security and make sure you and your vendor are taking the steps necessary to safeguard your data. As Michael McConnell, former director of the National Security Agency, said last year, "The economics of the cloud are so compelling they can't be denied. [But] we have to get the security aspects right."

How do you do that? The CIA isn't likely to tell you, or to leak its cloud plans in the next season of Homeland. But there are guidelines from groups such as the European Network and Information Security Agency on how IT shops should handle public cloud vendors and monitor their security measures.

Don't treat moving to the cloud as some kind of commodity purchase. You are always going to need to do your homework to make sure that your cloud-based services are properly kept up to date and use best security practices.

As Mark Gilmore, president and co-founder of Wired Integrations, a California-based technology consulting firm, recently observed, if your "people fail to meet security standards, such as using complex passwords, and leave machines running for days on end, the likelihood of intrusion is going to increase and eventually resources will be hacked." In short, security basics remain the same, whether you use cloud-based systems or have an in-house client/server setup.

The Company knows that, and so should your company.

Steven J. Vaughan-Nichols has been writing about technology and the business of technology since CP/M-80 was cutting-edge and 300bps was a fast Internet connection -- and we liked it! He can be reached at sjvn@vna1.com.
