NSA’s Plan to Snowden-Proof Data Using the Cloud

Almost two years ago, the National Security Agency forever lost its “No Such Agency” nickname at the hands of one of its contractors, a once-trusted insider by the name of Edward Snowden.
Within NSA’s Fort Meade, Maryland, headquarters, no one wants to face another Snowden. With NSA’s widespread adoption of cloud computing, the spy agency may not have to. NSA bet big on cloud computing as the solution to its data problem several years ago.
Following expanded legal authorities enacted after the Sept. 11, 2001, terrorist attacks, NSA and the other 16 agencies within the intelligence community began to collect a gargantuan amount of intelligence data: Internet traffic and emails that traverse fiber optic cables; telephone call metadata; and satellite reconnaissance. Much of that intelligence piled up in various repositories that had to stock up on servers to keep up with demand.  
NSA’s GovCloud, open-source software stacked on commodity hardware, creates a scalable environment for all NSA data. Soon, most everything NSA collects will end up in this ocean of information.
At first blush, that approach seems counterintuitive. In a post-Snowden world, is it really a good idea to put everything in one place, to have analysts swimming around in an ocean of NSA secrets and data?
NSA built the architecture of its cloud environment from scratch, allowing security to be baked in and automated rather than bolted on and carried out by manual processes. In preparation for the agency’s cloud transition, every piece of data ingested by NSA systems over the last two years has been meta-tagged with bits of information, including where it came from and who is authorized to see it.
Data in the GovCloud doesn’t show up to analysts if they aren’t authorized, trained or cleared to see it, according to NSA Chief Information Officer Lonny Anderson.
“While putting data to the cloud environment potentially gives insiders the opportunity to steal more, by focusing on securing data down at cell level and tagging all the data and the individual, we can actually see what data an individual accesses, what they do with it, and we can see that in real time. So we think this actually dramatically enhances our capability.”
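A minimal sketch of the tagging-and-visibility model described above, added here as an illustration and not NSA's or GovCloud's code: each cell carries an origin tag and the attributes a reader must hold, unauthorized cells are silently filtered out of results, and every cell returned is written to an audit trail. All class names, tag values and the read-count threshold are assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Cell:
    key: str
    value: str
    origin: str            # provenance tag: where the data came from
    required: frozenset    # every attribute a reader must hold to see it

@dataclass
class Analyst:
    name: str
    attributes: frozenset  # clearances held and training completed

@dataclass
class TaggedStore:
    cells: list
    audit: list = field(default_factory=list)  # (analyst, key, origin) per read

    def query(self, analyst, prefix=""):
        """Return only the cells the analyst may see; log each one returned."""
        visible = [c for c in self.cells
                   if c.key.startswith(prefix)
                   and c.required <= analyst.attributes]
        self.audit.extend((analyst.name, c.key, c.origin) for c in visible)
        return visible

    def heavy_readers(self, limit):
        """Names of analysts whose logged reads exceed `limit` cells."""
        counts = Counter(name for name, _, _ in self.audit)
        return sorted(n for n, total in counts.items() if total > limit)

def build_demo():
    # Constructed sample data; tags and attribute names are illustrative.
    return TaggedStore([
        Cell("rpt/001", "summary A", "source-1", frozenset({"cleared"})),
        Cell("rpt/002", "summary B", "source-2",
             frozenset({"cleared", "trained-x"})),
        Cell("rpt/003", "summary C", "source-2",
             frozenset({"cleared", "compartment-y"})),
    ])

if __name__ == "__main__":
    store = build_demo()
    alice = Analyst("alice", frozenset({"cleared", "trained-x"}))
    bob = Analyst("bob", frozenset({"cleared", "trained-x", "compartment-y"}))
    print([c.key for c in store.query(alice)])
    print([c.key for c in store.query(bob)])
    print(store.heavy_readers(limit=2))
```

Because the filter and the audit write happen in the same call, there is no read path that returns a cell without leaving a record of who received it.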
GovCloud’s other baked-in security features are likely to deter all but the boldest of would-be rogue insiders. 
In other words, if NSA had this cloud-based system in place two years ago, Snowden wouldn’t have made off with what NSA Deputy Director Richard Ledgett in a 2013 interview called the agency’s “keys to the kingdom.” According to NSA officials, if GovCloud works, as they believe it will, Snowden may have never left Hawaii, where he lived and worked, without his actions raising alarm bells.
NSA’s cloud migration will also significantly beef up the agency’s ability to comply with a plethora of legal rules, mandates and executive orders. Just as security is automated in NSA’s cloud, so too are compliance measures such as data preservation orders or data retention rules.
The move has not come without obstacles. The cloud organizes data differently than old repositories, and some analyst methods do not translate to NSA’s cloud model. However, the agency is training analysts on new methodologies.
In the coming years, closed repositories will come to signal the success of NSA’s bet on cloud computing. Will it prevent the next Edward Snowden-like attack? NSA officials are counting on it, but they’re counting on the cloud for a lot more than that.
Nextgov: http://bit.ly/1aITJlA

 
