Obscure certification key in classified data storage battle

Orlando Sentinel - WALL STREET REPORT - By Aaron Gregg

WASHINGTON — An obscure Defense Department IT certification has become the latest flashpoint in a long-running fight over which West Coast tech company is best suited to safeguard America’s national security secrets.

In late October the Pentagon jilted Amazon when it turned to Microsoft for a centralized cloud computing network called the Joint Enterprise Defense Infrastructure (JEDI). Analysts had widely assumed the contract would go to Amazon Web Services, the commercial market leader, in large part because an earlier CIA contract gave it years of experience handling sensitive government data.

But on Dec. 12 Microsoft became the second company to hold the Pentagon’s highest-level IT security certification, called Impact Level 6, Defense Information Systems Agency spokesman Russ Goemaere told The Washington Post in an email. The temporary certification lasts three months, after which a longer one will be considered, Goemaere said.

The certification means that, for the first time, Microsoft will be able to store classified data in the cloud. Defense and intelligence agencies typically use air-gapped, local computer networks to store sensitive data rather than the cloud-based systems most companies use to harness far-off data centers. Previously, Amazon was the only cloud provider trusted with secret data.

The IT certification could help justify Microsoft’s surprise JEDI win, which has become the subject of a high-stakes, politically charged lawsuit over allegations that President Donald Trump meddled in the government procurement process to steer public funds from Amazon.

Before the award to Microsoft, Trump directed Defense Secretary Mark Esper to review the Pentagon’s approach to JEDI. Trump said on television that he had received “tremendous complaints” from companies that compete with Amazon, and privately expressed concerns that the contract would go to Amazon. Trump has long derided Amazon founder Jeff Bezos.

The matter is being litigated in the Court of Federal Claims, which handles disputes over federal contracts.

In its legal complaint, Amazon leaned heavily on its CIA experience to justify the idea that Microsoft could not possibly have bested it in a fair fight, although much of the information was redacted. Spokesmen for Microsoft and Amazon declined to comment for this story.

In the complaint, Amazon Web Services criticized the Pentagon for failing to recognize its alleged technical superiority. And it said Microsoft’s product is inferior, arguing that certain cyber-vulnerabilities disclosed in a government database raise questions about its fitness for the contract.

Specifically, Amazon’s lawyers pointed to a type of cyber attack called a “hypervisor breakout attack,” in which a hacker can hijack the system that manages the seams between different customers using the same server.

“A successful hypervisor breakout attack would be devastating to customers, like DOD, who need absolute security on their cloud platform,” the company’s lawyers wrote in the complaint.

The company’s chief technology officer, Werner Vogels, touted AWS’ security advantages at a recent conference hosted by Amazon.

“Everything is encrypted by default,” Vogels said. “In that way, we’ve actually improved security significantly.”

Both companies appear to have security issues. A database managed by the National Institute for Standards and Technology includes dozens of vulnerabilities involving Microsoft’s hypervisor, as well as quite a few that involved Amazon’s Nitro.

Andras Cser, a cloud security analyst with Forrester, said AWS’ hypervisor “seems more security focused,” but added that customers generally do not see the issue as much of a threat.
