Amazon's cloud business just took a sharp right turn toward private cloud this week, which foreshadows good and bad things for enterprise IT.
The cloud giant said it has built a special region of its cloud dedicated to the U.S. government, called AWS GovCloud. It's a step away from its public, amorphous, low-cost AWS cloud and toward a private, dedicated -- and expensive -- cloud.
The U.S. Department of Defense required a cloud that could meet International Traffic in Arms Regulations (ITAR), rules that govern how it manages and stores defense-related data. Specifically, data subject to ITAR can "only be accessible by U.S. persons."
Instead of trying to do real-time security on every region of AWS to check whether anyone touching any part of its cloud is a U.S. citizen, Amazon has created a separate zone just for the government that is physically and logically accessible by American citizens only.
Presumably it would be extremely complex and expensive to do this for the whole of AWS. Think of the regulatory paperwork! Creating a separate region manages costs and limits the scope of an audit.
But it also raises sticky questions.
Can anyone who has a special need and deep enough pockets get their own AWS cloud? Will there be an AWS Exxon Mobil? What about AWS Bank of America? That's not cloud anymore, unless AWS goes in the direction of private clouds for the money (which presumably would be a lot!). If that happens, does the public, low-cost cloud go away?
More importantly, GovCloud is an admission by Amazon that it cannot modify its entire cloud so that it isolates data and applications completely. Instead, it has to carve the cloud up.
History shows us that most breaches come from out-of-scope, "isolated" systems that are not truly separate. The attackers enter through a back door, a system that's connected to the backplane for emergency use only but gets them into the rest of the network. Could a contractor who is not a U.S. citizen get in under ITAR? Is Amazon hiring separate administrators to run GovCloud?
AWS itself admitted that the major outage of its Elastic Block Storage service in April happened because it did not have good separation of systems. Has it just created a false sense of separation between the GovCloud secure zone and the rest of AWS? It's certainly given potential attackers something to look for.
Jo Maitland is the Senior Executive Editor of SearchCloudComputing.com. Contact her at firstname.lastname@example.org.