But on Dec. 12, Microsoft became the second company to hold the Pentagon’s highest-level IT security certification, called Impact Level 6, Defense Information Systems Agency spokesman Russ Goemaere told The Washington Post in an email. The temporary certification lasts three months, after which a longer one will be considered, Goemaere said. The news of Microsoft’s certification was reported earlier by the Washington Business Journal.
The certification means that, for the first time, Microsoft will be able to store classified data in the cloud. Defense and intelligence agencies typically use air-gapped, local computer networks to store sensitive data rather than the cloud-based systems that most companies now use to harness far-off data centers. Previously, Amazon was the only cloud provider trusted with secret data. Amazon remains the only cloud provider that can store data in the cloud at the top secret level, an important qualifier for JEDI.
The IT certification could help justify Microsoft’s surprise JEDI win, which has become the subject of a high-stakes, politically charged lawsuit over allegations that President Trump meddled in the government procurement process to steer public funds away from Amazon.
Before the award to Microsoft, Trump directed Defense Secretary Mark T. Esper to review the Pentagon’s approach to JEDI. Trump said on television that he had received “tremendous complaints” from companies that compete with Amazon, and he privately expressed concerns that the contract would go to Amazon. Trump has long derided Amazon founder Jeff Bezos, who owns The Washington Post.
The matter is being litigated in the U.S. Court of Federal Claims, which handles disputes over federal contracts.
In its legal complaint, Amazon leaned heavily on its CIA experience to justify the idea that Microsoft could not possibly have bested it in a fair fight, although much of the information was redacted. Spokesmen for Microsoft and Amazon declined to comment for this report.
In the complaint, Amazon Web Services criticized the Pentagon for failing to recognize its alleged technical superiority. And it said Microsoft’s product is inferior, arguing that certain vulnerabilities disclosed in a government database raise questions about its fitness for the contract. Specifically, Amazon’s lawyers pointed to a type of attack called a “hypervisor breakout attack,” in which an attacker who controls one customer’s virtual machine escapes it and compromises the hypervisor, the software layer that keeps different customers’ workloads isolated from one another on the same physical server.
“A successful hypervisor breakout attack would be devastating to customers, like DOD, who need absolute security on their cloud platform,” the company’s lawyers wrote in the complaint, adding that Amazon’s product “is the first and only cloud architecture available to DOD that is capable of effectively preventing such attacks.”
The company’s chief technology officer, Werner Vogels, touted AWS’s security advantages at a recent conference hosted by Amazon.
“Everything is encrypted by default,” Vogels said. “In that way, we’ve actually improved security significantly.”
Both companies appear to have their share of security issues. The National Vulnerability Database, which is managed by the National Institute of Standards and Technology, lists dozens of vulnerabilities in Microsoft’s hypervisor, known as Hyper-V. Cloud security experts contacted by The Post could not point to a known instance in which such an attack played a role in a major data breach, however.
Andras Cser, a cloud security analyst with Forrester, said AWS’s hypervisor “seems more security focused” but added that customers generally do not see the hypervisor breakout issue as much of a threat.
By comparison, there have been numerous incidents in which a customer using a cloud service misconfigured it and left sensitive data publicly accessible online.
In a 2017 incident, a Booz Allen Hamilton contractor working for the National Geospatial-Intelligence Agency inadvertently left sensitive government passwords online in an unprotected AWS system. In a similar but unrelated incident, a contractor working for the Republican National Committee left detailed information on nearly every U.S. voter online, also in an AWS system.
Both exposures were discovered by a security researcher who had been probing AWS storage addresses at random to see which of them exposed sensitive data.
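The exposure pattern described above is a misconfiguration, not a flaw in the provider. As an added example that is not part of the article, the checker below inspects the two settings that most often make an AWS S3 bucket world-readable: a bucket policy whose Principal is everyone, and an ACL grant to the AllUsers or AuthenticatedUsers group. It assumes the exposed "AWS system" was an S3 bucket, which the article does not say; the bucket name, account ID, policies and ACL are constructed for illustration, and the weak policy is shown beside a corrected one.

```python
"""Offline check for S3 bucket policies and ACLs that expose a bucket publicly.

Added example, not code from the article. Assumes S3 (the article only says
"an unprotected AWS system"); all policies, grants and names are constructed.
"""
import json

# Constructed: the kind of bucket policy that makes every object world-readable.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
})

# Constructed: the corrected policy, scoped to one IAM role in one account.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "RoleOnlyRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/ingest"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Real S3 ACL group URIs: "everyone" and "anyone with an AWS account".
PUBLIC_ACL_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    """Policy documents allow a scalar where a list is also accepted."""
    return value if isinstance(value, list) else [value]


def principal_is_public(principal):
    """True if a Principal element grants to anyone, anonymous callers included."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws is not None and "*" in _as_list(aws)
    return False


def public_read_statements(policy_json):
    """Return Sids (or indexes) of Allow statements that let anyone read.

    Conservative on purpose: a Condition block (e.g. restricting to a VPC
    endpoint) is ignored, so such statements are still flagged for review.
    """
    policy = json.loads(policy_json)
    hits = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not principal_is_public(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & READ_ACTIONS:
            hits.append(stmt.get("Sid", str(i)))
    return hits


def public_acl_grants(grants):
    """Return ACL grants made to the AllUsers or AuthenticatedUsers groups."""
    return [g for g in grants if g.get("Grantee", {}).get("URI") in PUBLIC_ACL_GRANTEES]


# Constructed ACL grants, in the shape the S3 GetBucketAcl API returns.
WEAK_ACL_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "0123abcd"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]

if __name__ == "__main__":
    print("weak policy:", public_read_statements(WEAK_POLICY))          # ['PublicRead']
    print("hardened policy:", public_read_statements(HARDENED_POLICY))  # []
    print("weak acl:", [g["Permission"] for g in public_acl_grants(WEAK_ACL_GRANTS)])  # ['READ']
```

In practice the policy and ACL would come from the S3 GetBucketPolicy and GetBucketAcl calls for each bucket in an account; the point of the check is that a single Principal of "*" or a single AllUsers grant is enough to make a bucket discoverable by exactly the kind of random probing described above, regardless of how well the provider's own infrastructure is secured.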
In a more recent incident involving AWS, a data breach exposed more than 100 million applications for Capital One credit cards. A 33-year-old former Amazon employee was arrested in connection with the breach, prompting several lawmakers to call for a deeper inquiry. Spokespersons for Capital One and Amazon said at the time that the vulnerability was not cloud-specific.
Rich Mogull, a cloud security expert who heads a security research firm called Securosis, said he thinks Amazon still has a substantial lead on Microsoft from a security perspective.
“Microsoft is increasingly competitive,” Mogull said, “but Amazon just has a multi-year lead in terms of working on these technologies.”