
Amazon announces AWS GovCloud for U.S. government agencies - DVassallo
http://aws.amazon.com/about-aws/whats-new/2011/08/16/announcing-aws-govcloud-us/
======
mey
Wonder how quickly this availability zone will become a target for attacks? A
concentration of government data in a single location? Won't be (shouldn't be)
classified data, but HIPAA data has its own risks.

~~~
rdl
That's a risk, but EC2 actually provides better security in most ways than
your average government datacenter does now, at least for unclass data (and is
far superior to any classified system I've ever seen for usability and
availability and cost).

There's a substantial net benefit in doing this. There are other cloud
providers focused on the government market today (Terremark, EDS, Savvis), all
using mainly VMware or in some cases Hyper-V; the benefits of being able to
use EC2 are that EC2 is in a lot of ways more innovative itself, and that a
lot of companies using EC2 can now build a Federal version by just running an
instance in a new zone, rather than negotiating for a new hosting provider and
porting all their provisioning infrastructure to a new system.

~~~
wisty
Also, the really secret can't be connected to the internet at all. Anything
top secret will be on a server that can only be accessed by people on site.
All USB drives on the network must be logged, or maybe disabled. All cables,
computers, and other equipment must be visible, so people can't bug the
network. No mobile phones can be switched on, and cameras are strictly
forbidden. All that jazz.

The stuff that will be put on here will mostly be stuff that's a little
confidential, but not particularly threatening.

Obviously, it's still a threat if somebody got it all in one hit. But Gmail
and Facebook would hold much more useful data.

~~~
rdl
(There _are_ global TS/SCI networks, e.g. JWICS, UAV feeds of TS missions,
etc., but definitely not connected to the Internet...although even the
unclassified DoD networks are connected to the Internet only through special
firewall/proxy things now.)

I don't think any of the Amazon GovCloud stuff will be used for anything
classified, at least for the next few years. It will mainly be used for
Sensitive but Unclassified or For Official Use Only type data, which is the
vast majority of day to day data processed.

What probably will happen is FOUO/Unclass apps will be developed for GovCloud
about 80% as well as on the public internet (which is a huge improvement over
things now), and then the users who also have classified needs will complain
about how crappy their classified apps are by comparison, then ask for a
solution -- which probably will be an EC2-compatible classified cloud owned by
the government and operated by a contractor (such as "Amazon Federal Systems"
or an Amazon, Inc. partner). It might be dedicated per agency or command. It
might just be an EC2 rack appliance in existing DoD datacenters.

This is a great first step toward that.

------
fomojola
Quote from the website: Because AWS GovCloud is physically and logically
accessible by U.S. persons only, government agencies can now manage more
heavily regulated data in AWS while remaining compliant with strict federal
requirements.

I'm really curious that they made this promise and even more surprised that
anyone believed them. Physical I can buy but logical? What happens with
people with VPN credentials that get hacked? How does ANYONE make such a
promise for a network-accessible resource?

~~~
res0nat0r
This statement relates to the support personnel and customers being
ITAR compliant.

------
Jun8
This is _great_, I have heard about many public safety customers who wanted
to move to cloud computing, e.g. for compute intensive stuff like face
recognition in videos, but didn't because of security considerations.

------
cperciva
Unfortunately GovCloud users will have to do without FreeBSD for now, as I'm
not allowed to create AMIs there.

------
muriithi
I wonder what they mean by "AWS GovCloud is physically and logically
accessible by U.S. persons only"?

~~~
vineel
I suspect that means they only allow US Citizens into the facility that houses
the servers.

~~~
samstave
And verification of citizenship for all who require logins. This was SOP at
Lockheed.

------
Joakal
Amazon's competitor for US government agencies is NASA:
<http://nebula.nasa.gov/>

~~~
3am
NASA merged it with Rackspace's Cloud Servers and now it's called OpenStack.

------
rdl
I'm impressed that Amazon capitalized on this so quickly. The cost of actually
meeting the lowest tiers of certification is pretty low, and with the "you
must migrate some applications to the cloud" mandate by the ex-CIO, it's
pretty similar to the "meaningful use" HIPAA thing for EHR vendors.

~~~
samstave
Not surprised at all, READ THIS:

<http://www.cio.gov/documents/Federal-Cloud-Computing-Strategy.pdf>

They intend to transfer as much as $20 billion to private cloud services.

This was a no brainer.

------
rkalla
This announcement likely explains the administration announcement that it was
shutting down 800 data centers[1] a year or so after announcing that it was
going to ramp up its IT effort.

I imagine Amazon provided a compelling argument for using their infrastructure
with certain security guarantees in place.

Just the cost savings infrastructure/software/platform normalization across
the govt would be significant I imagine.

Best of luck to Amazon.

[1] <http://computerservicenow.wordpress.com/2011/07/21/obama-administration-shutting-down-800-data-centers/>

------
chr15
This is a bigger deal than most people think. Government has been clamoring to
use the cloud, but couldn't because of security reasons. Every government
consulting shop will try and sell this to their clients.

~~~
thmcmahon
As someone who works in Government in Australia in a non-IT area this is a
huge deal.

So much of what we do is simple database - form type applications. To be able
to develop these in a more agile, less pay IBM a billion dollars type way,
will revolutionise IT in Government.

~~~
canadiansaur
If you work for the government in Australia, you probably want the OPPOSITE of
what this is - cloud servers hosted entirely outside the USA. If the servers
are located in the US, they are potentially subject to the US Patriot Act, and
I doubt that would pass Australian government privacy regulations.

~~~
corin_
I'm pretty sure he was simply using his position as the background to why he
has that opinion, not suggesting that non-US governments will look to use it.

~~~
thmcmahon
That's right. Sorry should've made that clearer.

Obviously for the Australian government we would need an Australian version of
this or a similar service.

Government IT procurement for fairly trivial systems costs unbelievable amounts
of money. A lot of this is due to an overly rigid scoping and dev process.

------
mitrick2
<http://aws.amazon.com/federal/> says they support FISMA Low, but
<http://aws.typepad.com/aws/2011/08/new-aws-govcloud-us-region.html>
says FISMA Moderate. Which is it?

------
lgv
I think Verizon/Terremark has a leg up on Amazon on this one. They have some
type of massive secure data center near DC for federal customer clouds.

~~~
rdl
Terremark does a great job on the physical facility, meeting compliance, and
marketing to the government, but it's basically VMware.

VMware is easier for a non-cloud application to migrate to the cloud, which is
the case for most existing government apps, but isn't as good a platform for
building really large scale applications (e.g. you wouldn't want to run Google
Apps on VMware)

There's room for both, but the real win for the new Amazon product is moving
existing Amazon EC2 apps to a government-specific shard in a new AZ with
minimal effort. This is more a 2-5 year thing than a 0-2 year thing.

------
sigzero
That's pretty cool. I am sure I am going to be tasked at work with researching
it.

------
pseudonym
I would have thought that Amazon would be more interested in making sure its
cloud services are a bit more stable before advertising them for this sort of
use...

It seems like the overall opinion of AWS (at least on HN) is "sketchy, would
not use again".

~~~
andos
For all e-gov services with which I had the displeasure of interacting, all
around the world, merely approaching the AWS levels of availability and
stability would be an immense improvement...

~~~
rdl
AKO as a Google Apps service alone would be amazing.

------
cagenut
They had made it public they were working on this a while ago, and IMHO it's the
main reason behind booting off wikileaks for utter bullshit reasons. When
Lieberman's office made that phone call to ask them what their plan was to
take the site down, it was with an unstated but obvious implication that not
doing so would jeopardize this. The government loves to contract things out,
Amazon stands to make a _lot_ of money off this by keeping them happy.

~~~
rdl
I think you're implying Amazon (or any normal business) wouldn't have kicked
wikileaks off unless it had explicit federal contracts, which is pretty overly
optimistic.

For a $20/yr revenue customer, I'm pretty sure most businesses would kick off
a customer costing them lots in DoS and other expenses.

~~~
ceejayoz
I doubt they're a $20/yr customer, somehow. You can't host a site the size and
popularity of Wikileaks off a single Micro EC2 instance.

Amazon is reasonably hard to DoS, and Wikileaks would've been charged for all
the bandwidth incurred from one. Amazon would likely profit off such an
attack, really.

