Working with a Cloud Vendor
A Federal CTO Recounts His Time Spent with Amazon
When Amazon announced its new cloud computing offering for the government on Tuesday, it quoted one of its federal users, Tomas Soderstrom, endorsing the service.
Soderstrom is chief technology officer of NASA's Jet Propulsion Laboratory, and employed Amazon's service as JPL prototyped different uses of cloud computing, which he described in a series of interviews with GovInfoSecurity.com late last year (see NASA's JPL Reaches for the Cloud and A NASA CTO Professes Faith in the Cloud).
A major point Soderstrom made in our chats was that government agencies, or any other organization, should begin prototyping cloud services with non-sensitive data, both to identify potential security risks and to surface the challenges of managing vendors such as Amazon.
Soderstrom recalled how JPL spent 15 days of 24x7 processing to download 180,000 images from a Saturn mission, and still didn't finish the project. JPL turned to Amazon and its cloud offering:
"We spun up 60 processors in Amazon's cloud, and we finished it in five hours for a total cost of $200. For us, that was a real validation. We took the real processing that missions would do, and we were able to start and stop it, and went from weeks to hours, and we were able to validate the costs, and we turned it off after it was done."
JPL developed good working relationships with its cloud computing vendors, which also included Google and Microsoft. Soderstrom described those relationships:
"With each of the vendors, we met with their security teams, we met with export control teams. They came down and visited and we visited them, to explain to them what we would have to pass, what kinds of audits, Federal Information Security Management Act certifications, etc., that we would need to pass, so that they can be ready to take that on by the time we spin the wheel of security.
"One of the exciting examples, for instance, is Amazon's virtual private cloud. It's like a hybrid cloud, and it lets us put in more sensitive data, because we can encrypt it, and it goes through our own secure network to get to the data. That's a good combination, a bridge between the private cloud, which is very secure, and the public cloud, which is getting more and more secure. So, for real mission-critical data, we'll encrypt all of it. The encryption keys will not live in the cloud but in our application. So, we feel comfortable that that will work."
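The arrangement Soderstrom describes above, encrypting mission-critical data before it leaves the organization and keeping the keys in the application rather than in the cloud, looks like the following in working code. This is an added example, not JPL's or Amazon's code: the `cloudStore` type is a constructed stand-in for a cloud object store, the sample image frame and object names are invented, and the `missionApp` type and its `Upload`/`Download` methods are this example's own names. It uses AES-256-GCM from the Go standard library, binds the object name as associated data, and includes a check that the stored object never contains the plaintext.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// cloudStore is a constructed stand-in for an object store in a public cloud
// region. It only ever receives opaque bytes and is never given a key.
type cloudStore struct {
	objects map[string][]byte
}

func newCloudStore() *cloudStore { return &cloudStore{objects: map[string][]byte{}} }

func (c *cloudStore) Put(name string, blob []byte) { c.objects[name] = append([]byte(nil), blob...) }

func (c *cloudStore) Get(name string) ([]byte, bool) {
	b, ok := c.objects[name]
	return b, ok
}

// missionApp is the customer-side application that owns the data-encryption
// key, so only ciphertext ever crosses into the cloud.
type missionApp struct {
	aead cipher.AEAD
}

// newMissionApp wraps a 32-byte (AES-256) key that was generated and is kept
// on the customer side; the cloud never sees it.
func newMissionApp(key []byte) (*missionApp, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &missionApp{aead: aead}, nil
}

// Upload encrypts plaintext with AES-256-GCM under a random nonce and stores
// nonce||ciphertext||tag. The object name is bound as associated data, so a
// blob copied to a different name fails authentication on download.
func (m *missionApp) Upload(store *cloudStore, name string, plaintext []byte) error {
	nonce := make([]byte, m.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	store.Put(name, m.aead.Seal(nonce, nonce, plaintext, []byte(name)))
	return nil
}

// Download fetches the blob and decrypts it locally. Any modification of the
// stored bytes, or a renamed object, is rejected by the GCM tag check.
func (m *missionApp) Download(store *cloudStore, name string) ([]byte, error) {
	blob, ok := store.Get(name)
	if !ok {
		return nil, errors.New("object not found")
	}
	ns := m.aead.NonceSize()
	if len(blob) < ns+m.aead.Overhead() {
		return nil, errors.New("stored object too short to be valid")
	}
	return m.aead.Open(nil, blob[:ns], blob[ns:], []byte(name))
}

// cloudSeesPlaintext reports whether the stored object contains the plaintext
// verbatim, the property client-side encryption exists to prevent.
func cloudSeesPlaintext(store *cloudStore, name string, plaintext []byte) bool {
	blob, _ := store.Get(name)
	return bytes.Contains(blob, plaintext)
}

func main() {
	key := make([]byte, 32) // generated on-premises, never uploaded
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	store := newCloudStore()
	app, err := newMissionApp(key)
	if err != nil {
		panic(err)
	}
	// Constructed sample payload standing in for one mission image frame.
	frame := []byte("constructed Saturn image frame 000123")
	const name = "cassini/frame-000123.img"
	if err := app.Upload(store, name, frame); err != nil {
		panic(err)
	}
	got, err := app.Download(store, name)
	fmt.Printf("cloud sees plaintext: %v, roundtrip ok: %v\n",
		cloudSeesPlaintext(store, name, frame), err == nil && bytes.Equal(got, frame))
}
```

The point a practitioner should take from this is that the provider's region, network path and personnel controls are defence in depth around data it cannot read: with the key held only in the application, an operator with full access to the store still sees nonce, ciphertext and tag, and any edit or renaming of an object is detected on download. Key storage, rotation and backup on the customer side are the hard part that this sketch leaves to the application.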
In our conversation, Soderstrom discussed the challenges of reaching agreement to use offerings from big vendors such as the cloud hosting service offered by Amazon:
"It turned out to be an educational process for all of us, from the engineers to the procurement organizations to the lawyers to the CIO. That took much longer than we had expected. Comparing stories with other enterprises, it is a very common challenge across industry. We're actually one of the first to get it done. We weren't particularly pleased with our progress. We thought we should have done it sooner, but it's done and it's working.
"What we did learn is if we were to do it again, which we will, we would have everybody sit down in the room at the same time, all the stakeholders, and say, 'Here is what we're trying to do on the strategic side, and we're just prototyping. We're not going to put any mission data in the cloud until we all agree that it's ready, but in the meantime we want to prototype and move forward, so let's get some of those agreements signed.' I think that would have cut months off of the eventual timeline."
In our talk, Soderstrom discussed conflicts between customer and service provider, and how they were addressed:
"If we want to take advantage of commodity hardware and software pricing, which is cheap, right? Commodity means volume, which usually means inexpensive. We need to figure out how to live with those end-user license agreements. We're used to negotiating back and forth because they are usually much larger procurements. The contract itself, if there was a disagreement, where would it be litigated and things like that. These are very different. When you rent a computer for a couple of hours, it is a very different thing than buying spacecraft components, and that is an area for all of enterprise industry to learn and try to understand. Get something going rather quickly so we can test it out, before we go to the next big stage.
"It is a learning experience. I'm not sure in the end that anything really changed, except for the education on both sides. Amazon and the others learned a little bit more about how we think and what we worry about, and we learned what they think and worry about. Having that discussion at a more inclusive level upfront would have saved some time."
What Amazon announced this week was a new Amazon Web Services region designed to let federal government agencies and contractors move more sensitive workloads into the cloud by addressing regulations that restrict access to certain data to Americans only. In the new offering, Amazon guarantees that the computers hosting cloud data are physically and logically accessible only by U.S. personnel.