The rising cost of building secure on premise infrastructure and increasing concerns around security are prompting the Intelligence Advanced Research Projects Activity (IARPA) to explore interest on the part of existing cloud providers to develop and offer so-called Classified as a Service (ClaaS) offerings. An RFI went out on July soliciting feedback from “large U.S. owned entities that have multiple data centers located both in the U.S. and throughout the world that provide services similar to IaaS to the general public.”
The basic idea behind the RFI was determine if there is interest among large U.S. owned “infrastructure as a service providers” in new technologies and techniques to enable the most sensitive computing workloads to be executed on a public cloud. There is, of course, already a Gov/Cloud, an isolated portion of AWS “designed to host sensitive data and regulated workloads in the cloud, helping customers support their U.S. government compliance requirements, including the International Traffic in Arms Regulations (ITAR) and Federal Risk and Authorization Management Program (FedRAMP).”
Specialized clouds aren’t new. Nimbix and Penguin’s POD, for example, focuses on delivering HPC technology to support HPC workflows. Many have wondered whether the big cloud providers might also get into the game of specialized offerings. For example, might AWS offer an AWS Research Cloud for the academic research community. IARPA’s interest in clouds for handing sensitive material and workflows is unsurprising.
The IARPA RFI notes soberly that the “cost of maintaining and procuring private infrastructure for classified/sensitive workloads for the government continues to get increasingly more expensive compared to the cost of leveraging commercial cloud resources. This disparity may increase exponentially over the next decade. Existing IaaS offerings require customers to trust the software stack and employees of the cloud provider and are subject to numerous potential side-channel attacks due to shared resources. This is not acceptable to customers with the most sensitive data processing needs.”
It will be interesting to so what, if anything, comes of this latest RFI and whether larger cloud providers develop more formally segregated offerings.