AWS Public Sector Blog
How national security and defence missions protect data with Trusted Secure Enclaves on AWS
National security, defence, and law enforcement organizations want to use the cloud so they can share data and communicate in near-real time with their allies to counteract evolving threats to their citizens.
For example, the United Kingdom’s Cloud Strategic Roadmap for Defence says: “A critical component of our Digital Backbone is hyperscale cloud capabilities across all classifications. Our future is one that realises data as a strategic asset, that enables us to move faster than our adversaries. Defence will have the unsurpassed ability to consume, aggregate, analyse and exploit data at orders of magnitude more than ever before.”
Similarly, by 2030 NATO’s digital transformation is intended to enable multi-domain operations (MDO) through interoperability, heightened situational awareness, and data-driven decision making. Collaboration among NATO allies is paramount: digital systems, and the standards and policies around them, must be interoperable and secure at all times, in all environments, and at all classifications. They also need to move at the speed of the mission. The theme of NATO Edge 24, the leading defence technology event, is “Connect. Innovate. Elevate.” This underscores the importance of robust partnerships in strengthening the Alliance’s defence capabilities. As one of the speakers, I’ll discuss cloud adoption.
Mission-focused solutions
From training to supporting the front line, Amazon Web Services (AWS) can provide solutions to help solve the challenges that formations, units, and allies face. Beyond providing compute and storage capacity in the cloud, AWS can help intelligence, planning, and operations teams use newer, cost-effective artificial intelligence (AI) and machine learning (ML), analytics, simulation, and other technologies.
AWS provides a global infrastructure and secure, scalable, mission-focused solutions. We designed Trusted Secure Enclaves on AWS (TSE) with our national security, defence, law enforcement, and government customers to meet their strict security and compliance requirements. It is a reference architecture that provides a secure, compliant, isolated configuration for customers’ mission workloads while still giving them the benefits the AWS Cloud brings, such as speed, scalability, and security.
How TSE works
With TSE architectures, organizations can build and maintain secure environments in the cloud more rapidly than if they had to start from scratch. This can reduce the time it takes to establish robust, compliant, and scalable operational environments for workloads from months down to a few hours. Watch this TSE animation.
TSE provides a standardized, repeatable, and automated secure foundation from which to operate, so organizations can establish their own operational security posture in the cloud. TSE lays the foundation for organizations to meet some of the most stringent security standards in the world, such as U.S. Department of Defense (DoD) Impact Level 4 (DoD IL4) and FedRAMP Moderate, the NIST SP 800-53 Moderate baseline, Canada’s ITSG-33 and CCCS Medium Cloud Control Profile, and Australia’s IRAP. The foundation does not make a workload compliant on its own: the organization still has to configure, operate, and assess what it deploys on top of it.
The TSE environment surfaces compliance drift and security threats by automatically deploying security services in every account and Region, including:
- AWS Security Hub – A cloud security posture management (CSPM) service that performs security best practice checks, aggregates alerts from AWS and partner services, and enables automated remediation.
- Amazon GuardDuty – A managed threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect AWS accounts, workloads, and data stored in Amazon Simple Storage Service (Amazon S3).
- AWS Key Management Service (AWS KMS) – A service that lets customers create, manage, and control the cryptographic keys used across their applications and AWS services.
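Deploying these services is only half of the job; an enclave also has to notice when one of them is switched off, suspended, or left with a weaker setting in some account or Region. The following is an added, simplified drift check (not code from this post or from the TSE reference architecture). It evaluates a hand-constructed inventory of per-account, per-Region posture against the baseline the list above implies: a GuardDuty detector that exists and is ENABLED with S3 protection on, Security Hub enabled, and customer managed KMS keys with automatic rotation on. In a real enclave the inventory fields would be populated from the GuardDuty (ListDetectors, GetDetector), Security Hub (DescribeHub) and KMS (GetKeyRotationStatus) APIs, for example via boto3; that collection step is assumed here, not shown.

```python
"""Baseline drift check for the security services a TSE-style enclave
expects in every account and Region (illustrative example, not AWS code).

The inventory is constructed by hand below.  The assumed source of each
field in a real environment is noted on the dataclass; none of the AWS
APIs are called here, so the example runs offline.
"""
from __future__ import annotations

from dataclasses import dataclass, field

SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


@dataclass
class RegionPosture:
    """Observed state of the baseline services in one account/Region."""
    account: str
    region: str
    guardduty_detector: bool          # ListDetectors returned a detector id
    guardduty_enabled: bool           # GetDetector Status == ENABLED
    guardduty_s3_protection: bool     # GetDetector S3Logs status == ENABLED
    securityhub_enabled: bool         # DescribeHub succeeded (not InvalidAccess)
    # customer managed key id -> GetKeyRotationStatus KeyRotationEnabled
    kms_key_rotation: dict[str, bool] = field(default_factory=dict)


@dataclass(frozen=True)
class Finding:
    account: str
    region: str
    control: str
    severity: str
    detail: str


def evaluate(p: RegionPosture) -> list[Finding]:
    """Return the drift findings for one account/Region."""
    found: list[Finding] = []

    def add(control: str, severity: str, detail: str) -> None:
        found.append(Finding(p.account, p.region, control, severity, detail))

    # A detector that exists but is DISABLED (suspended) is drift too: it
    # still shows up in ListDetectors but generates no findings.  S3
    # protection is only checked once the detector is actually running,
    # so a dead detector produces one HIGH finding rather than noise.
    if not p.guardduty_detector:
        add("GuardDuty", "HIGH", "no detector in this Region; threat detection absent")
    elif not p.guardduty_enabled:
        add("GuardDuty", "HIGH", "detector exists but is DISABLED; no findings generated")
    elif not p.guardduty_s3_protection:
        add("GuardDuty", "MEDIUM", "S3 protection off; S3 data events not monitored")

    if not p.securityhub_enabled:
        add("SecurityHub", "HIGH", "Security Hub not enabled; no CSPM checks or alert aggregation")

    for key_id, rotation in sorted(p.kms_key_rotation.items()):
        if not rotation:
            add("KMS", "MEDIUM", f"customer managed key {key_id} has automatic rotation disabled")
    return found


def drift_report(postures: list[RegionPosture]) -> list[Finding]:
    """Evaluate every account/Region and sort findings by severity, then account."""
    findings = [f for p in postures for f in evaluate(p)]
    findings.sort(key=lambda f: (SEVERITY_ORDER[f.severity], f.account, f.region, f.control))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity level (all levels present, even if zero)."""
    counts = {s: 0 for s in SEVERITY_ORDER}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample inventory: one compliant Region, one with a suspended
# detector and an unrotated key, one where nothing was ever deployed.
SAMPLE_INVENTORY = [
    RegionPosture("111111111111", "us-east-1", True, True, True, True,
                  {"key-a1": True}),
    RegionPosture("222222222222", "ca-central-1", True, False, False, True,
                  {"key-b1": True, "key-b2": False}),
    RegionPosture("333333333333", "eu-west-2", False, False, False, False),
]

if __name__ == "__main__":
    report = drift_report(SAMPLE_INVENTORY)
    for f in report:
        print(f"{f.severity:6} {f.account} {f.region:13} {f.control:11} {f.detail}")
    print("summary:", summarize(report))
```

Run against the sample inventory, the report lists three HIGH findings (the suspended detector, the missing detector, and the missing Security Hub) ahead of the single MEDIUM key-rotation finding, while the compliant Region produces nothing. Feeding the same evaluator with an inventory collected across all accounts in an organization is the kind of check that turns “we deployed the services” into “they are still running everywhere”.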
Security-sensitive customers around the world trust AWS, which aligns with more than 143 security standards and compliance certifications, laws and regulations, privacy standards, and industry frameworks. When customers use TSE, they can meet their sensitive and protected-level data security requirements and obligations under the AWS shared responsibility model. Under that model AWS is responsible for the security of the cloud infrastructure, while customers retain control of, and responsibility for, how they configure and operate the services they choose to deploy in it.
Learn more
If you’re already working with Landing Zone Accelerator on AWS, check out the Guidance for Trusted Secure Enclaves on AWS. If you are new to AWS, visit AWS in Public Sector.