NSA Using The Cloud To Thwart The Next Snowden

Inside NSA Headquarters, Fort Meade, Maryland

In a post-Snowden world, is it really a good idea to have analysts swimming around in one vast ocean of NSA secrets and data?

Snowden’s stream of leaked NSA secrets about classified surveillance programs shined the public spotlight on the clandestine government organization. Though the stream has now dissipated to a trickle, the impact to the intelligence community continues.

To privacy activists, Snowden’s leaks were a godsend. They forced a national discussion on government surveillance and even coaxing the likes of Director of National Intelligence James Clapper to admit the intelligence community needs to be more transparent.

Yet, the leaks have “had a material impact” on NSA’s ability to generate intelligence around the world, NSA Director Michael Rogers said back in February 2015.

Within NSA’s Fort Meade, Maryland, headquarters, no one wants to face another Snowden. With NSA’s widespread adoption of cloud computing, the spy agency may not have to.

Could the Cloud Have Stopped Snowden?

NSA bet big on cloud computing as the solution to its data problem several years ago.

Following expanded legal authorities enacted after the Sept. 11, 2001, terrorist attacks, NSA and the other 16 agencies within the intelligence community began to collect a gargantuan amount of intelligence data: Internet traffic and emails that traverse fiber optic cables; telephone call metadata; and satellite reconnaissance.
Much of that intelligence piled up in various repositories that had to stock up on servers to keep up with demand.  

NSA’s GovCloud—open-source software stacked on commodity hardware—creates a scalable environment for all NSA data. Soon, most everything NSA collects will end up in this ocean of information.

At first blush, that approach seems counterintuitive. In a post-Snowden world, is it really a good idea to put everything in one place—to have analysts swimming around in an ocean of NSA secrets and data?

It is, if that ocean actually controls what information analysts in the NSA GovCloud can access. That’s analogous to how NSA handles security in its cloud.

NSA built the architecture of its cloud environment from scratch, allowing security to be baked in and automated rather than bolted on and carried out by manual processes. Any piece of data ingested by NSA systems over the last two years has been meta-tagged with bits of information, including where it came from and who is authorized to see it in preparation for the agency’s cloud transition.

Data in the GovCloud doesn’t show up to analysts if they aren’t authorized, trained or cleared to see it, according to NSA Chief Information Officer Lonny Anderson.

“While putting data to the cloud environment potentially gives insiders the opportunity to steal more, by focusing on securing data down at cell level and tagging all the data and the individual, we can actually see what data an individual accesses, what they do with it, and we can see that in real time,” Anderson told Nextgov. “So we think this actually dramatically enhances our capability.”

NSA cloud strategist Dave Hurry further clarified NSA’s approach to securing data within GovCloud.
“We don’t let people just see everything; they’re only seeing the data they are authorized to see,” Hurry told Nextgov.

What about adventurous, negligent or potentially nefarious insiders? How exactly Snowden ferreted out NSA’s secrets for months across numerous databases and evaded detection remains uncertain. But what is clear is that his actions should have thrown up some Utah Data Center-sized red flags. They didn’t.

GovCloud’s other baked-in security features are likely to deter all but the boldest of would-be rogue insiders. In the past, Anderson said, disparate data repositories contained log files to track user behavior, but those logs “had to be manually reviewed.”

That’s not a good recipe to catch malicious behavior. GovCloud automates those monitoring processes and flags network security personnel, Anderson said, when a user attempts to “exceed limits of authority.”

“The [GovCloud] system could prevent it,” Anderson said. “But what it would have immediately done is highlighted and told our network security heads that someone is pulling a lot of data.” That information would “allow us to visit the individual,” or “we could shut it down at the point we saw it,” Anderson said. “It would have prevented what Mr. Snowden did,” Anderson added.

More Than Just Security

More than simply Snowden-proofing its data, GovCloud’s other features make it even more attractive to analysts and top agency officials charged with protecting national security interests. GovCloud’s architecture has a “fact-of” function that alerts analysts that additional data on a query may be available but inaccessible based on the analyst’s access controls.

NSA’s cloud migration will also significantly beef up the agency’s ability to comply with a plethora of legal rules, mandates and executive order. Just as security is automated in NSA’s cloud, so too are compliance measures such as data preservation orders or data retention rules.

Old repositories operating on legacy architecture predate many more recent laws and policy changes. The USA Patriot Act of 2001, for example, was authored into law after some of NSA’s existing legacy repositories were built, so NSA’s only option to adhere to evolving policies was to “bolt on compliance,” Anderson said.

As NSA further transitions to using cloud, analysts will make better use of their time, making queries against one database instead of repeated ones against dozens of relational databases. NSA’s centralized cloud will also alleviate uncertainty regularly faced by analysts when they query databases.

After running a query, analysts sometimes wonder whether they are actually authorized to view certain data. That kind of doubt influences what and how analysts generate intelligence reports. With the GovCloud, on the other hand, analysts will have near certainty that they’re only seeing information they are supposed to see.

Moving More than Data to the Cloud

NSA has been slowly migrating users to its new cloud architecture to ease the transition, but the pace has begun to pick up speed. Three weeks ago, Anderson said NSA transitioned users off three of the biggest legacy repositories into its cloud environment. Those users include NSA personnel, Defense Department and other intelligence community personnel.

The move has not come without obstacles. The cloud organizes data differently than old repositories, and some analyst methods do not translate to NSA’s cloud model. However, the agency is training analysts on new methodologies.

Closing down repositories filled with untold racks of servers the way NSA did three weeks ago will also save the agency money in operations and maintenance. Some of those systems are decades old. Servers housed in closed repositories will be destroyed and their data deleted, Anderson said.

In the coming years, closed repositories will come to signal the success of NSA’s bet on cloud computing. Will it prevent the next Edward Snowden-like attack? NSA officials are counting on it, but they’re counting on the cloud for a lot more than that.

DefenseOne: 

« Why Executives Need to Prioritise Cybersecurity
A Cashless Society Can’t Fix Our Money Worries »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Sonatype

Sonatype

Sonatype protects the world's enterprise software from security, compliance, licensing risks, while reducing application development and deployment time.

Harbinger Systems

Harbinger Systems

Harbinger Systems is a leading provider of software engineering services including Product Engineering, Software Testing, UI-UX, DevOps and Consulting.

Cyber Risk Agency

Cyber Risk Agency

Cyber Risk Agency is a cybersecurity consulting firm specializing in managing cyber risks for SMEs.

e-Governance Academy (eGA)

e-Governance Academy (eGA)

eGA is a think tank and consultancy founded for the transfer of knowledge and best practice in e-governance, e-democracy and national cyber security.

TrustArc

TrustArc

TrustArc provide privacy compliance and risk management with integrated technology, consulting and TRUSTe certification solutions – addressing all phases of privacy program management.

LinOTP

LinOTP

LinOTP is an enterprise level, innovative, flexible and versatile OTP-platform for strong authentication.

CipherTrace

CipherTrace

CipherTrace develops cryptocurrency Anti-Money Laundering, cryptocurrency forensics, and blockchain threat intelligence solutions.

Swascan

Swascan

Swascan is the first all-in-one, GDPR Compliant, Cloud Security Suite Platform. GDPR Assessment, Web Application Scan, Network Scan, Code Review.

Wipe-Global

Wipe-Global

Wipe-Global is specialized in data erasure with an international established service partner network.

Ensurity Technologies

Ensurity Technologies

Ensurity is a deep-tech cybersecurity engineering company; designs and manufactures specialized secure hardware, software, and mobile application solutions.

Abacode

Abacode

Abacode is a Managed Security Services Provider (MSSP). We help businesses consolidate all of their Regulatory Compliance & Cybersecurity needs, under one roof.

Bridgecrew

Bridgecrew

Secure public cloud infrastructure. Our platform automates security engineering, allowing teams to automatically fix configuration errors in AWS, CloudFormation and Terraform.

IPification

IPification

IPification is a highly secure, credential-less, network-based authentication solution for frictionless user experience on mobile and IoT devices.

Soffid

Soffid

Soffid provides full Single-Sign-On experience and full Identity and Access Management features by policy-based centralised orchestration of user identities.

Stealth Software Technologies

Stealth Software Technologies

Stealth Software Technologies is focused on the generation of research and software products focused on applied cryptography and cybersecurity.

Allied Telesis

Allied Telesis

Allied Telesis delivers the secure, flexible, and agile solutions needed to meet the expectations of any industry’s critical mission.