“Cloud has been a godsend for folks trying to implement systems quickly and for us to secure workloads better,” said CIA Chief Information Security Officer Sherrill Nicely at a recent conference. Surprised that our spies – ahem, the US intelligence community (IC) – use cloud? What about security? Who built it and who runs it? The story behind it, and its rapid and successful deployment, holds a lot of lessons for all of us.
Yes, the CIA is a special place and yes, it has very special security needs. But, if we think about it, the agency processes vast amounts of information and needs to be agile and flexible to respond to evolving threats and situations. The cloud provides that agility and flexibility plus a virtually unlimited sea of capacity. How do you take advantage of that and still meet those special security needs? The answer was to build a “community cloud” that not only the CIA but the whole IC of 17 agencies could use.
Here is one of the best definitions, which follows the model laid out by the National Institute of Standards and Technology (NIST):
“A community cloud in computing is a collaborative effort in which infrastructure is shared between several organizations from a specific community with common concerns (security, compliance, jurisdiction, etc.), whether managed internally or by a third-party and hosted internally or externally. This is controlled and used by a group of organizations that have shared interest.”
Sure sounds like this is just what the spooks would want. How they went about getting it was both straightforward and a bit industry shattering. Like most government agencies, the CIA ran a procurement. Now, Federal procurements are much like a Kabuki dance, with very specific steps and regulations that must be followed to the letter. The process does not necessarily end with the government buying the best tech; often it just selects the vendor who knows the process best. Can you say: HealthCare.gov?
Nonetheless, the ball got rolling in 2012 and, true to the process, Microsoft and AT&T protested the CIA’s request-for-proposal specifications in mid-2012, forcing the CIA to pull the procurement and rework it. AWS (Amazon Web Services) then won the contract in early 2013, only to have the process slowed again by protests and legal proceedings from the only other remaining bidder, IBM.
IBM was and is a big government contractor. AWS at the time was not so much. The odds were that IBM would take this candy away from baby AWS. At first, that is certainly how it seemed to play out: the GAO – the first stop in the protest process – sided with IBM. But AWS did not take it lying down and sued in federal court, the next step. To everyone’s surprise, the judge not only upheld the award to AWS but also slammed IBM for some sketchy proposal tactics. This was an industry moment of truth. Mighty Big Blue was not only defeated; the court agreed that the Amazon solution was better and that IBM had tried to game the bid to beat it!
AWS got the green light to start work in late 2013, and by early 2015 – less than 18 months later – the community cloud was up and operational. Then AWS took it a step further, with the CIA’s blessing. In the commercial world, AWS operates the AWS Marketplace, launched in 2012 to accommodate and foster the growth of services from third-party providers that have built their own solutions on top of the Amazon Web Services platform. It provides a one-stop shop for all kinds of applications and services.
AWS asked: why not do the same thing for the intelligence community? It launched the IC Marketplace, allowing spy agencies – led by the CIA – to evaluate and buy common software, developer tools and other products that meet stringent security standards. This really shakes up the usual Federal software procurement process and enables even more of the flexibility and agility that were the original goals. Once an offering has been vetted for the Marketplace, any properly cleared shop can try it and buy it.
Pretty nifty, eh? When was the last time you thought of your IT as a godsend?