
SoylentNews is people

posted by takyon on Monday April 13 2015, @07:20PM
from the trusted-cloud-module dept.

Snowden's stream of leaked NSA secrets about classified surveillance programs shined the public spotlight on the clandestine government organization. Though the stream has now dissipated to a trickle, the impact on the intelligence community continues.

[...] Within NSA's Fort Meade, Maryland, headquarters, no one wants to face another Snowden. With NSA's widespread adoption of cloud computing, the spy agency may not have to.

NSA bet big on cloud computing as the solution to its data problem several years ago. [...] NSA's GovCloud - open-source software stacked on commodity hardware - creates a scalable environment for all NSA data. Soon, most everything NSA collects will end up in this ocean of information.

At first blush, that approach seems counterintuitive. In a post-Snowden world, is it really a good idea to put everything in one place -- to have analysts swimming around in an ocean of NSA secrets and data? It is, if that ocean actually controls what information analysts in the NSA GovCloud can access. That's analogous to how NSA handles security in its cloud.

NSA built the architecture of its cloud environment from scratch, allowing security to be baked in and automated rather than bolted on and carried out by manual processes. Any piece of data ingested by NSA systems over the last two years has been meta-tagged with bits of information, including where it came from and who is authorized to see it in preparation for the agency's cloud transition.
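The excerpt describes a tag-at-ingest, enforce-at-query model: every record carries provenance and an authorization label from the moment it enters the system, and the data layer itself decides what each analyst's query may return. The block below is an added illustration of that pattern and is not NSA code or anything published about GovCloud. The clearance ladder, compartment names, feed names and records are all constructed for the example; the real labelling scheme is not described on the page.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, List, Optional, Tuple

# Hypothetical clearance ladder; the page does not describe the real labelling scheme.
LEVELS: Dict[str, int] = {"UNCLASSIFIED": 0, "SECRET": 1, "TOP SECRET": 2}


@dataclass(frozen=True)
class Record:
    """One stored item. Tags are attached at ingest and never modified afterwards."""
    rid: str
    source: str                   # provenance: which (constructed) collection feed produced it
    level: str                    # minimum clearance needed to read it
    compartments: FrozenSet[str]  # the reader must hold every compartment listed here
    body: str


@dataclass(frozen=True)
class Principal:
    """An analyst's authenticated attributes, as the data layer sees them."""
    user: str
    clearance: str
    compartments: FrozenSet[str]


class Store:
    """Data layer that enforces the tags itself; callers never receive the raw list."""

    def __init__(self) -> None:
        self._records: List[Record] = []
        self.audit: List[Tuple[str, str, str]] = []  # (user, record id, action)

    def ingest(self, rid: str, source: str, level: str,
               compartments: Iterable[str], body: str) -> Record:
        # Fail closed: data without valid tags is rejected, not stored readable-by-default.
        if level not in LEVELS:
            raise ValueError(f"{rid}: unknown classification {level!r}")
        if not source:
            raise ValueError(f"{rid}: provenance tag is mandatory")
        rec = Record(rid, source, level, frozenset(compartments), body)
        self._records.append(rec)
        return rec

    @staticmethod
    def may_read(p: Principal, r: Record) -> bool:
        """Clearance dominates the record's level and the reader holds all its compartments."""
        return LEVELS[p.clearance] >= LEVELS[r.level] and r.compartments <= p.compartments

    def query(self, p: Principal, pred: Callable[[Record], bool]) -> List[Record]:
        """Evaluate the caller's predicate only on records the caller may read, so the
        predicate cannot be used to probe unreadable data, and log every record returned."""
        hits: List[Record] = []
        filtered = 0
        for r in self._records:
            if not self.may_read(p, r):
                filtered += 1
                continue
            if pred(r):
                hits.append(r)
                self.audit.append((p.user, r.rid, "read"))
        # One summary line per query: a reader whose queries keep hitting unreadable
        # records, or who pulls far more than peers, shows up here.
        self.audit.append((p.user, "*", f"filtered={filtered} returned={len(hits)}"))
        return hits


def build_demo_store() -> Store:
    """Constructed sample data, not taken from the page."""
    s = Store()
    s.ingest("r1", "feed-alpha", "UNCLASSIFIED", [], "public weather bulletin")
    s.ingest("r2", "feed-beta", "SECRET", ["COMP-B"], "compartmented report")
    s.ingest("r3", "feed-beta", "TOP SECRET", ["COMP-A"], "collection summary")
    s.ingest("r4", "feed-gamma", "TOP SECRET", ["COMP-A", "COMP-B"], "joint product")
    return s


# Constructed principals.
ANALYST = Principal("analyst1", "TOP SECRET", frozenset({"COMP-A"}))
JUNIOR = Principal("junior2", "SECRET", frozenset())


def visible_ids(store: Store, p: Principal, source: Optional[str] = None) -> List[str]:
    """Record ids the principal can read, optionally restricted to one provenance tag."""
    pred = (lambda r: True) if source is None else (lambda r: r.source == source)
    return [r.rid for r in store.query(p, pred)]


if __name__ == "__main__":
    s = build_demo_store()
    print(visible_ids(s, ANALYST))               # ['r1', 'r3']
    print(visible_ids(s, JUNIOR))                # ['r1']
    print(visible_ids(s, ANALYST, "feed-beta"))  # ['r3']
    for line in s.audit:
        print(line)
```

Two design points matter more than the label arithmetic. First, enforcement lives in the store's query path, not in the application that calls it, so a compromised front end still sees only what the caller's attributes permit. Second, ingest refuses untagged data and the store writes an audit line for every record it hands back; in this model the tagging step and the credentials are the whole security boundary, so tag validation and per-read auditing are where a reviewer should look first.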

 
  • (Score: 2, Insightful) by Anonymous Coward on Monday April 13 2015, @08:09PM

    by Anonymous Coward on Monday April 13 2015, @08:09PM (#169952)

    Instead of limiting the potential breach to those with "physical" access, put it in the cloud where any hacker in the world can take a shot at it.

  • (Score: 3, Insightful) by Snow on Monday April 13 2015, @08:26PM

    by Snow (1601) on Monday April 13 2015, @08:26PM (#169960) Journal

    I'm pretty sure it's all housed in their own private cloud computing service, not something like EC2 or Azure.

    • (Score: 3, Interesting) by kaszz on Monday April 13 2015, @08:37PM

      by kaszz (4211) on Monday April 13 2015, @08:37PM (#169964) Journal

      There are also two lessons to be learned from this:
      1) The only secure cloud, if there ever is one, is the one you have physical control over and built the software for.
      2) Security must be a design criterion. Not a bolt or gatekeeper with all or nothing.

      But when the data is electronically accessible, it can be thwarted. It's just a question of how, not if.

      And don't forget that your data goes into this processing box. Thus if the software processing it makes any mistakes in that process there might be consequ^H^HDROP TABLEes.

      • (Score: -1, Spam) by Anonymous Coward on Monday April 13 2015, @08:47PM

        by Anonymous Coward on Monday April 13 2015, @08:47PM (#169977)

        YOU JUST GOT HIT BY

        ¶▅c●▄███████||▅▅▅▅▅▅▅▅▅▅▅▅▅▅▅▅|█
        ▄██ OBAMACARE ███▅▄▃▂
        █████████████████████►

      • (Score: 4, Interesting) by frojack on Monday April 13 2015, @09:20PM

        by frojack (1554) on Monday April 13 2015, @09:20PM (#170000) Journal

        2) Security must be a design criteria. Not a bolt or gatekeeper with all or nothing.

        True. But what they have developed seems worse than both of those things.

        What I mean is the security now relies solely on the credentials used to log in. Physical security of segregated data sets in different departments is gone, and now the cloud tags each piece of data with some credential necessary to actually see the data.

        Little better than ACLs.

        You can steal the credentials, or hack the access control manager. Either gets you in.
        I imagine not much (if any) of the stored content is encrypted.
        I imagine there are no physical firewalls/air-gaps between data elements.

        No, I'm betting they put all their trust in the data engine to protect everything.

        --
        No, you are mistaken. I've always had this sig.
        • (Score: 2) by kaszz on Monday April 13 2015, @11:15PM

          by kaszz (4211) on Monday April 13 2015, @11:15PM (#170070) Journal

          My thought too. All bets are on the data engine's control of credentials. One failure and the flood gates open. Or there's some essential detail that is kept hidden.

