Message from Yoda...
'Begun, the Cloud wares has'
The Atomic Weapons Establishment (AWE) is moving some of its internal tech to the public cloud, in a move to "embrace the opportunities that modern IT can bring". The AWE has a £1bn-per-year contract with the UK Ministry of Defence lasting 25 years covering the design, manufacture and support of warheads for Blighty's nuclear …
I was trying to keep an open mind while reading this article, thinking "yes...but how bad could it really be in practice". Then I reached this bit...
"[...] Lockheed Martin and engineering consultancy Jacobs, both US-based, and Britain's Serco Group."
...and by the end of the sentence I came to the conclusion that they could be pretty shit actually.
There was a very good programme about AWE on BBC a little while ago (might still be on iPlayer, but I can't check as the Fun Police have blocked that through the corporate firewall)
The ubiquitous science person that is neither Jim Al-Khalili nor Brian Cox had quite good access and got to see quite a lot of what goes on. That said, it became obvious that there is a lot more that goes on than just that - a lot of his questions got the response "that's one of the things we don't talk about".
Is there a moral hazard here? I imagine that the "opportunities" are ultimately about saving money, since any other benefits can be obtained simply by spending more to implement whatever in-house. But do the same people who benefit from the saving also bear any increased risk?
e.g. Do we all collectively bear an increased nuclear proliferation risk, but just the AWE contractors benefit financially, or are the savings passed back to the taxpayer?
A spokeswoman said: "AWE has gone through a process to identify a range of trusted suppliers to support the business, as we continue to embrace the opportunities that modern IT can bring.
In other words, "We chose to suck the NSA's cock, and now the major foreign investors in what was once a crucial publicly-owned UK defence establishment are satisfied that they will no longer be under uncomfortable levels of US government pressure."
Corporatism marches safely on.
I say "unwise" with the trepidation of knowing that some of the smartest people on Earth will have considered this decision: who am I to gainsay them?
My guess is that AWE will absolutely not store classified data in the cloud, but that it has a ton of workaday bureaucratic and general organisational BS that it feels it can shovel off cheaply and easily.
Two concerns, though.
First, people used to dealing with cosmic-level secrecy around nuclear warhead design may actually underestimate the potential for mischief of what appears to them as quotidian, boring bureaucracy. You may keep your physics at home; but would you really want to provide enemies with the opportunity to learn about who works at AWE, and where they live, or what their NI numbers are (for example)? Beware of non-obvious routes into your citadel of secrets.
Second, although compartmentalisation is a good thing for outfits requiring secrecy, it's generally poorly implemented. One would hope that before even touching a cloud, AWE reviewed its policies, training and data structures from top to bottom and back again. If this isn't well designed and strictly enforced ... it will leak.
And having said all that, one wonders: why take the risk? Just spend some more money, keep it all in house, and don't leave hostages to fortune.
"I say "unwise" with the trepidation of knowing that some of the smartest people on Earth will have considered this decision: who am I to gainsay them?"
Not quite. The HR Department that manages the payroll for some of the smartest people on Earth (and handles PII regarding their job role, security clearance, home address, etc!) has considered this decision... that's a very different thing!
"You may keep your physics at home; but would you really want to provide enemies with the opportunity to learn about who works at AWE, and where they live, or what their NI numbers are (for example)? Beware of non-obvious routes into your citadel of secrets."
Exactly this. Putting the PII of workers in the cloud is as risky as putting classified data in the cloud - because the workers can get their arms twisted, be blackmailed, coerced, etc. into giving you that data (and the really secret stuff they didn't put in the cloud).
If you're not happy to put your crown jewels in the cloud, then you probably shouldn't put the PII of people who have access to your crown jewels in the cloud either!
Well, the sensible approach to solving your problem with personal data is to use a tokenisation tool. Bluecoat offer one that basically allows you to randomise all the key data and store the real values in a small on-site instance that acts like a proxy: as you request or store the data, it replaces the important stuff with nonsense. Only your site knows what the real values are, but you store a tiny subset of the data.
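The tokenising-proxy pattern described in the comment above, as an added illustration that is not code from the comment, from Bluecoat, or from AWE: sensitive HR fields are swapped for random tokens before a record leaves site, the token-to-value map lives only in a small on-site vault, and the real values are restored when a record comes back. The field names, the `OnSiteVault` and `TokenisingProxy` classes and the sample records are all assumptions made up for this example.

```python
import secrets
from copy import deepcopy

# Fields that must never leave site in the clear (assumed names for this example).
SENSITIVE_FIELDS = ("ni_number", "home_address", "clearance")


class OnSiteVault:
    """Stands in for the small on-site instance that keeps the real values.

    Only the token -> real value mapping lives here; the cloud copy of a record
    holds the tokens and nothing else.
    """

    def __init__(self):
        self._token_to_value = {}

    def store(self, value):
        # 128 bits of randomness per token: a token reveals nothing about the
        # value it stands for and cannot be guessed or reversed from the cloud side.
        while True:
            token = "tok_" + secrets.token_urlsafe(16)
            if token not in self._token_to_value:  # guard against the (tiny) collision chance
                break
        self._token_to_value[token] = value
        return token

    def lookup(self, token):
        return self._token_to_value[token]

    def __len__(self):
        return len(self._token_to_value)


class TokenisingProxy:
    """Sits between on-site users and the cloud service, rewriting records in both directions."""

    def __init__(self, vault, fields=SENSITIVE_FIELDS):
        self.vault = vault
        self.fields = fields

    def outbound(self, record):
        """On the way to the cloud: replace each sensitive field with a fresh token."""
        cloud_copy = deepcopy(record)
        for field in self.fields:
            if field in cloud_copy:
                cloud_copy[field] = self.vault.store(cloud_copy[field])
        return cloud_copy

    def inbound(self, cloud_record):
        """On the way back: restore the real values for on-site use."""
        real = deepcopy(cloud_record)
        for field in self.fields:
            if field in real:
                real[field] = self.vault.lookup(real[field])
        return real


def contains_real_values(cloud_record, original, fields=SENSITIVE_FIELDS):
    """Check used before upload: does the cloud copy still carry any real sensitive value?"""
    return any(cloud_record.get(f) == original.get(f) for f in fields if f in original)


# Constructed sample HR records; the NI numbers use the QQ prefix, which is never issued.
CONSTRUCTED_RECORDS = [
    {"employee_id": 1001, "name": "A. Example", "ni_number": "QQ123456A",
     "home_address": "1 Example Lane, Exampleton", "clearance": "example-level-1"},
    {"employee_id": 1002, "name": "B. Example", "ni_number": "QQ654321B",
     "home_address": "2 Example Lane, Exampleton", "clearance": "example-level-2"},
]


def demo(records=CONSTRUCTED_RECORDS):
    """Round-trip the sample records and report what the cloud would actually see."""
    vault = OnSiteVault()
    proxy = TokenisingProxy(vault)
    cloud_side = [proxy.outbound(r) for r in records]
    leaks = [contains_real_values(c, r) for c, r in zip(cloud_side, records)]
    restored = [proxy.inbound(c) for c in cloud_side]
    return cloud_side, restored, leaks


if __name__ == "__main__":
    cloud_side, restored, leaks = demo()
    for c in cloud_side:
        print("cloud copy:", c)
    print("any real values leaked:", any(leaks))
    print("round trip intact:", restored == CONSTRUCTED_RECORDS)
```

The tokens here are fresh per value rather than deterministic, so two records with the same address get unrelated tokens and the cloud side cannot even tell that they match; that also means the cloud application cannot search or join on the tokenised fields, which is the usual trade-off when deciding which fields to tokenise. Whatever is not tokenised (here the name and employee id) still goes to the cloud in the clear, so the field list is the security decision that matters.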
Required pedantic comment: "Restricted" doesn't exist any more. There's only OFFICIAL, OFFICIAL-SENSITIVE, SECRET, and TOP SECRET.
I got an OFFICIAL-SENSITIVE email...from the Research Councils, telling me to do my grant reviewer's training...complete with encrypted PDF with non-unique password in following email.
Sigh.
"You may keep your physics at home; but would you really want to provide enemies with the opportunity to learn about who works at AWE, and where they live, or what their NI numbers are (for example)?"
I live between both AWE main sites. There's not miles of tiny country roadways to get there. Pretty much straight out of the main gates and you're on a main road. Should be extremely easy to identify where any number of staff live, especially given the long tailbacks caused by the army of cyclists leaving the sites every day. Hint: they ain't riding to a home a long distance away.
While they're at it, can they set up some IoT as well? Apps and devices for tracking warheads. Submarine toilet roll buttons for ordering replacements. Switches and lights, because walking over and turning something on or off has always been a pain.
In for a penny in for a pound, if you're going to fuck security up you might as well do it right.
After all, we wouldn't want to hide anything from them, would we... the EU share our travel plans and bank accounts with the Yanks, now we share who works on our weaponry (we probably already did, but now it is open for all to see we are). Because it is the cloud, I guess it is only a matter of time before ISIL also know and perhaps come knocking on someone's front door...
And as if all this were not insult enough, this is YET MORE British taxpayers' money disappearing to foreign lands without supporting any British jobs. What the hell do our government think will happen when everything they ever want is already bought overseas... eventually ALL our companies will close, ALL our jobs will be gone and EVERYONE will be sat on their backsides twiddling their thumbs... even the MPs, because there will be no money left to pay for their duck houses.
We have a trade imbalance, we buy more than we sell... the government's answer... to buy MORE foreign stuff, and then MORE and MORE... foreign cars, foreign NHS software, foreign cloud services, foreign army uniforms, foreign fighter planes, foreign tanks... is there one single damned thing our government buys from its own country... anything??? NO. So now anyone who is trying to sell cloud services, cars, tanks, planes, uniforms... anything, has to convince potential customers that its products are worthy DESPITE the fact ITS VERY OWN GOVERNMENT doesn't think so????? Really, if I had my way I would get every single civil servant and every single politician (apart from Johnson, who did at least buy BRITISH buses to replace those horrible German interlopers in London) and gas the lot of them.
That would be the time I might have been having a nice little chat with one of their fellows about their Sun server farm and whether they'd be interested in an upgrade.
Probably all virtualised now of course.
As for what harm could be done by having your HR compromised perhaps a chat with the USG Office of Personnel Management could be enlightening.
"The Atomic Weapons Establishment (AWE) is moving some of its internal tech to the public cloud .. The Register understands that the AWE has signed a deal with Workday, the US based on‑demand financial management and HR software vendor."
This is a joke - right!
"In common with all such activity, security arrangements have been assessed against AWE’s robust security requirements."
We need to funnel even more government revenue into the private sector. Never mind the moral implications of privatising war.
They could just write the launch codes on a wall with the operation board and hope for the best. Public anything and secure infrastructure do not mix.
Some people never learn, and corruption and greed in the public sector is a big problem (hint: it's never called corruption, just something else).
... and no, it is not April 1st.
Hacking into a cloud-based HR system like Workday is a great way to learn all about the organisation, the personality and skills of its people, and to find out which of those might be susceptible to what kind of spy recruitment. A great idea indeed - could well have been brought up by a foreign secret service...