BACKGROUND IMAGE: iSTOCK/GETTY IMAGES
AUSTIN, Texas -- Government bureaucracy remains slow-moving despite AWS security certifications that allow the cloud provider to host sensitive data.
Amazon Web Services (AWS) was the first public cloud to receive a provisional authorization from the Department of Defense (DoD) under the Defense Information Systems Agency's Cloud Security Model to host Level 3-5 workloads, in late August. Levels 3-5 refer to unclassified, but highly sensitive data. Level 6, which is still excluded from the provisional authorization, pertains to classified data.
Meanwhile, the DoD is methodical in deploying new technologies, said U.S. Air Force Brigadier General Steve Spano, who now works as Amazon's general manager for defense and national security, in a keynote here this week during the Cloud Computing Association's Cloud Developers Summit and Expo 2014.
Spano described four stages of public cloud adoption, from test and dev apps to migration of production applications to migration of mission-critical applications and eventually, all-in.
"By and large, I would say that DoD is in Phase 1 as an entity and an organization," Spano said. "Moving an organization such as [the] DoD, having lived it for 28 years, is quite challenging."
But while the move has been slow it is still definitely occurring, according to Spano. Some agencies within DoD are at Phase 2 or 3.
"This wasn't the case a couple years ago," he said. "Now … we're beginning to turn the corner."
To earn the Level 3-5 provisional authority, AWS' GovCloud region, already compliant with federal regulations such as the International Traffic in Arms Regulations, had to implement 45 new security controls to satisfy the DoD's security concerns.
These concerns will evolve and probably relax a little, Spano said.
For Amazon, it means "a day-to-day investment in the challenge of continually educating and pushing the transformation in large bureaucracies that aren't used to moving as fast as others, particularly within the commercial sector," Spano said.
Spano also had some pointed words about those who insist on-premises security trumps the public cloud's ability to secure workloads.
"When I was on active duty, I often thought that security was used as a smokescreen for what really is a lack of trust and control," he said. "I'm giving something up -- I can't hug my server and thus it's not secure." However, the demands on the department will increase as time goes on, while resources, particularly as the military cuts its force in response to government sequestration, are in decline.
"Believing that that gap of risk is mitigated by the fact that [systems are] on-premises is a false sense of security in my mind," Spano said.