Amazon Starts Email Service for Companies (forbes.com/sites/benkepes)
173 points by cryptoz on Jan 28, 2015 | hide | past | favorite | 100 comments



After trying for 3 weeks to make AWS WorkSpaces work for my company, I can still confidently say that Amazon doesn't get it. Their solutions are more "Go to Home Depot and get the parts to make a desk", whereas Google Apps is "go to Ikea". The two solutions are neighbors, but not everyone is ready to buy the individual boards and cut them down to size.


Your comparison is bang on, except that's the point. Amazon isn't trying to be Ikea. It is absolutely trying to provide the building blocks for small companies and large to use their cloud platform in a very foundational manner. Yes, the onboarding cost may be high, but Amazon doesn't mind if customers end up using Heroku or EngineYard instead - they are customers too.

AWS is a lot like Linux that way: Deeply challenging initial learning curve, but the only thing worth considering for serious mission critical architecture. Stability and scalability do come at the cost of user-friendliness.


Are you saying there's a security and scalability to Amazon over Google Apps? People still make that argument about in house vs hosted, but hosted vs hosted of two major providers is new to me.


I don't know about security and scalability, but from what I read, it seems that Amazon gives you fine-grained control and AD integration, which is nice. Also, customer support is one area where AWS is better than Google in my opinion. YMMV.


Amazon's customer service basically exists where Google's doesn't.

People often don't realize what a chasm of difference that is.

It doesn't help Google any that Amazon's customer service is _great_.


As a follow-up, the General Manager of Amazon WorkSpaces reached out to me and asked for my feedback. This is one place where the Ikea-analogy holds true. Just like Home Depot, Amazon has workers that engage with their customers and know how to build; like Ikea, getting a Google employee's attention typically requires a plane ticket and a healthy dose of good luck...

AWS, I still <3 you.


If I'm building a company, I absolutely want Home Depot and not Ikea. If I'm building a weekend project, sure, Ikea is great.

And beyond that, I absolutely don't want to have to rely on Google's customer support or pricing/platform stability for anything that really matters to me, and my company's infrastructure really, really matters to me.


Agreed, while they have some excellent services, some other products lose the usability/practicality game, e.g. the video transcoding service compared to Zencoder, or CloudFront compared to CloudFlare.


I'm so happy I was able to talk my bosses out of Workspaces. It would have been an expensive mess for us.


I tried AWS Zocalo (document store and collaboration) and it was close to feature-free. I have no idea why they released it in that state. I generally like AWS stuff, but Zocalo is a real turkey.


Everyone is talking KMS which is nice but I don't think that is the biggest selling point. Being able to say in which region your email is stored is huge for customers who don't want their data shipped all over the world.

http://arstechnica.com/information-technology/2015/01/amazon...

"Another notable feature of WorkMail is that users can specify what Amazon region their e-mail is stored in. Customers can choose a specific, relatively close data center to reduce latency in retrieving e-mail or for compliance purposes—such as European privacy regulations. The feature means that users won’t get the benefit of failover to another data center in the event of an outage, but Amazon may offer mirroring services later."

That is a big differentiator for many companies right there.


> or for compliance purposes—such as European privacy regulations

That sounds nice, but Amazon is still a US company, and the US government seems pretty staunch in their view that US law trumps country-of-residence law.


I can understand why you would say that after the big fight with Microsoft. What if Amazon makes it so that the only employees with keys able to decrypt data in that region live in that region? I think that could be the failsafe right there, to where even if the government says "hand over the data", Amazon says "we can't, and the only people that can are citizens of xyz and we can't compel them to break the law of their home country".

I'm not saying that is what they are doing but it would be a very interesting strategy.


You can bet there will be some bs charges like obstruction of justice or whatever and it might even fly depending on how much of an asshole the judge is...


What if the company was Enron 2.0 and was keeping their tax records and other incriminating emails on a server in another country that was under the control of an American company? Should the US justice system just accept it is outside of their control, or pursue the American company to turn over material in their control for the case?


That would depend on the law about "where should an American company store its emails". If they are not allowed to store stuff abroad, then you can throw the book at them regardless of whether you get those emails or not.

Like for tax evasion vs tax avoidance, law enforcement cannot complain that individuals and companies use rules to their advantage, they just have to make smarter rules.


That's two different points though, from a company perspective. The first is whether you're compliant with well-defined local regulations for the jurisdictions you are within, as well as any industry-specific regulations you're under (think Finance). For example, the specific regulations for employee email are substantially different in the UK, Germany and USA.

The point you're making is whether 'state actors' can get into your documents or email. It's a different order of magnitude issue. First, as a company you're going to comply with whatever the law is in the jurisdiction. Second, if you're being attacked by a state actor then you've got major issues. And for many businesses even considering protecting against that wouldn't make sense from a cost vs risk perspective.


IANAL, but these regulations and organization requirements in my experience haven't cared about this. A common requirement is physical location of servers / the data on them which this satisfies.


Amazon and other tech companies can design systems where the keys are held entirely by the end-users. How far is the US willing and able to go to get at that data?


How? If I send an e-mail via Amazon's service, they must at minimum have the standard e-mail headers in order to process it. In which case, it's no different than PGP-encrypted e-mail, available with almost any e-mail provider. This also provides Amazon (and whoever subpoenas Amazon) with significant meta-data on my communications, even if they don't have my actual text.

In order to make e-mail into a system where two people can communicate in a secure fashion, where no data is stored on or passes through a remote system unencrypted, you would have to re-implement e-mail. And of course there goes interoperability.


If the physical server is not in the US, can the US "extradite" the servers? Seems like this is something on which a lawyer could comment.


"extradite" as in to wrench out a server rack, bundle it into a helicopter in a blaze of sparks, and fly the server to the US in a helicopter under the depth of night? Unlikely.

Require US companies to follow US law and regulations, across global legal entities, even when the local law of locally incorporated entities is incompatible with US law, absolutely yes, that is required.


> Require US companies to follow US law and regulations, across global legal entities, even when the local law of locally incorporated entities is incompatible with US law, absolutely yes, that is required.

Then why the hell would anyone build a company in the US?


And where US law has limitations, they have the Five Eyes coalition to do the work for them. "We didn't spy on them. Someone else gave us the info!" ... in an automated fashion, 3ms after "someone else" did the dirty work.


The delicious irony being that the Germans are most anal about data protection, and are also the most desperate to join 5 eyes.


It's not really so much of a differentiator. At least not without some additional clarification.

Addressing Office 365 Customer Concerns about Data Geo-Redundancy and Location - http://blogs.technet.com/b/uspartner_ts2team/archive/2013/06...

Where is my data? - http://www.microsoft.com/online/legal/v2/en-us/MOS_PTC_Geo_B...


Wow, I loled.

This uses Amazon KMS. Amazon KMS is PC backed ("HSA"), which means all your mail is encrypted to a key which it now takes two Amazon employees acting under court order to get access to, rather than a court order and one employee.

Google's internal controls are at least this robust, and they have similar key management systems internally.

There might be a reason to buy Amazon WorkMail, but it's not for security advantages over Gmail.


Still accessible == still not secure.


Mmm, how is it less secure to add another "employee" to the equation?


The court order is the bar, not the second employee.

Google's keyservers also don't have single employee control. The ones used for encrypting gmail behind the scenes, and other Google services. This is just table stakes for any large system.

This is in contrast to something like Azure Key Vault, which is HSM backed. A court order should not be sufficient to compel Microsoft to turn over a key from Azure Key Vault; it should be impossible for them (or for nCipher) to do so.


It isn't impossible to unwrap a key from an nCipher system. Getting out the master HSM key is harder but still possible. Really the important part is the steps required to get it out to prove authorization, aka a quorum on the security world. The quorum size is an implementation/configuration detail and only MS would know that on hand to speak to that depth.
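The "quorum on the security world" mentioned above is, in concrete terms, a threshold secret-sharing scheme: the master key is split across administrator cards so that any k of n cards recover it and fewer reveal nothing. The following Python (standard library only) is an added illustration written for this thread; it is not nCipher's, Microsoft's or Amazon's code, and the 3-of-5 card parameters, the function names and the Mersenne prime 2^521-1 as the field are choices made for the example. It implements Shamir's scheme: the key is the constant term of a random polynomial, each card holds one point on it, and Lagrange interpolation at x = 0 recovers the constant term once a quorum of points is present.

```python
import secrets

# Field prime 2^521 - 1 (a Mersenne prime); large enough to hold a 256-bit key as one element.
PRIME = (1 << 521) - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of a polynomial (coefficients lowest degree first) mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: int, quorum: int, holders: int):
    """Split an integer secret into `holders` shares; any `quorum` of them recover it.

    The secret is the constant term of a random polynomial of degree quorum-1 and
    share i is the point (i, f(i)). With fewer than `quorum` points every value of
    the constant term is equally consistent, so quorum-1 card holders learn nothing.
    """
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element")
    if not 1 < quorum <= holders:
        raise ValueError("need 1 < quorum <= holders")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(quorum - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, holders + 1)]


def reconstruct_secret(shares):
    """Lagrange interpolation at x = 0 over the given (x, y) shares.

    Correct only when at least `quorum` distinct shares are supplied; with fewer,
    the returned value is just some field element unrelated to the secret.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # Multiply by the modular inverse of the denominator (Fermat, PRIME is prime).
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def split_key(key: bytes, quorum: int, holders: int):
    """Wrapper for a raw key of up to 64 bytes, e.g. an HSM master key (constructed scenario)."""
    return split_secret(int.from_bytes(key, "big"), quorum, holders)


def reconstruct_key(shares, key_len: int) -> bytes:
    return reconstruct_secret(shares).to_bytes(key_len, "big")


if __name__ == "__main__":
    # Constructed scenario: five administrator cards, any three of which form the quorum.
    master = secrets.token_bytes(32)
    cards = split_key(master, quorum=3, holders=5)
    assert reconstruct_key(cards[:3], 32) == master
    assert reconstruct_key([cards[0], cards[2], cards[4]], 32) == master
    print("2 of 5 cards fail to recover the key:", reconstruct_key(cards[:2], 32) != master)
```

The security-relevant property is the one the comment points at: the quorum size is pure configuration. A 2-of-5 world is two compelled employees away from the master key; a 3-of-5 world is three. Nothing in the mathematics stops a provider from being ordered to assemble that quorum, which is why the surrounding replies note that a court order, not the second (or third) employee, is the real bar.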


If it can be done through policy they can be ordered to do it, but they don't have to physically subvert their hardware. (not a lawyer, but this is an opinion a lot of people have had...)

It depends on how you configure the HSMs whether you can extract and decrypt keys.


Can you explain the difference between HSM and HSA, or at least point to a good resource for understanding the difference? Thanks.


HSMs are tamper-resistant/tamper-responding devices with memory/processor inside the protected envelope. With an HSM, your key lives inside, and all operations happen on the security processor.

HSA is an Amazon term for a PC with an HSM inside. The data-at-rest might be protected by the HSM (full disk crypto with a dongle used to decrypt at boot), but the actual keys get decrypted into the host PC's RAM, and further customer-accessible calculations happen in the PC CPU.

Anyone who can tamper with the PC can read the keys!

There are two risks this exposes you to:

1) Someone goes into the datacenter and physically attacks the HSA.

2) Someone legally compels the owner of the HSA to subvert the HSA.

I'm not as worried about #1 (these are Equinix Tier 4 datacenters; someone rolling in with some M4s and a bulldozer and such is great for Hollywood. Insider threat probably still exists with the HSA even though normal operation is two-employee, though.) I'm incredibly worried about #2, since the bar for #2 is hella low for emails older than 6mo.

I believe ECPA older-than-6mo would be sufficient to compel the email KMS key as mere instrumentality, so even the fairly low bar of a warrant today wouldn't be required.


There's a third risk here.

3) Exploit programmatic access or side-channel attacks on the data.

If the server can decrypt the data and this is driven by code on the box, then you're in a DRM-like situation trying to hide data from a program that has legitimate access.

As you alluded to earlier, protecting data at rest doesn't protect it during use.


>it should be impossible for them (or for nCipher) to do so.

Why does it matter? They can certainly be compelled to use the HSM to decrypt data, even if they can't extract keys.


This.

If you aren't doing client-side encryption and keeping the keys private, the server has access one way or another.


Unless Microsoft manages the HSM for you, of course (which is the option most companies will probably choose).


It's not less secure, it's just not really more secure. If you're hiding from a government, you're screwed either way.


Well, it prevents a single rogue employee from peeking at/stealing data. It now requires a conspiracy between employees.


And it is way better than just leaving keys in VMs.


From a practical perspective, yes. From a threat model perspective not really.


It protects from a bunch of lesser threats, like backups leaking keys, anyone hacking a front end box getting keys, needing to rotate keys when employees change, etc.


I'm curious about two things:

1) Where does this use Key Management Service to encrypt? At the SMTPD? With keys unique to each end user? S/MIME? What?

2) What's the real security model of KMS? Is it using HSMs for keys, or just shipping keys to systems? Does it use any other hardware/platform security features to protect keys, or just basically a "soft HSM" running in Dom0 on each machine? Or something purely network based, and also done in software only?


Sometimes it feels like Amazon does a lot of "throwing at the wall and seeing what sticks". Not sure how this fits their vision?


Scatter gun + Lean Startup principles. Not entirely wrong, though wish some more initial refinement was included, but if the brand doesn't take a hit then fair enough.


Plus, because almost all of what they do is based on customer demand, they haven't killed many products. Whereas Google…


I think the biggest distinguishing feature of this is being able to have it encrypt emails with customer provided keys stored on their Key Management Service. This hypothetically should prevent three letter agencies from accessing emails, but I'm not sure that is the top feature on everyone's mind when they are looking to set up email for their company. It definitely piques my interest though.


If your mail is encrypted, how do you search it?

EDIT:

That is, assuming the mail is stored on the server and it's encrypted, how do you search it efficiently?

It does not seem efficient to download every byte of mail, decrypt it, and search it on your local machine (especially a phone). Perhaps you could build an index locally, but could you keep it updated? And even that requires downloading and reading every byte at least once.

This is something I've always wondered about encrypting hosted email.


The actual content is encrypted, but one can still build an index that points to individual email IDs and score the search results properly. Only when returning the top N results does one need to decrypt those N emails with the right keys. The index would be kept on the server. Of course, the devil is in the details and things like email threading, ordering by date or grouping by senders will make or break the user experience.


A full text index that's actually useful will allow you to largely piece back together the original content, modulo stemming and stopwords.

I guess it would be something like encrypting the index, then decrypt it on demand, just like you would decrypt individual messages on demand.


Not if the index values are encrypted (public-key) too.

hashed-word => encrypted-list-of-msg-indices

something like that.
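The two sub-threads above (the HSA/KMS discussion about wrapped keys, and this one about searching encrypted mail) fit together in one small model, so here is an added Python example written for this page; it is not Amazon's WorkMail or KMS implementation and nothing about the real service is inferred from it. It assumes: a `KmsStandIn` object that stands in for a KMS master key (the secret never leaves the object, callers only get wrap/unwrap, and every unwrap is counted because that call is the operational chokepoint the thread argues about); envelope encryption of each message body under its own data key, stored only in wrapped form; and a blind index of the `hashed-word => encrypted-list-of-msg-indices` shape, using an HMAC keyed by a separate index key rather than the public-key variant suggested above. The toy cipher (HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag) is a stand-in for AES-GCM so the code runs on the standard library alone; ranking is simply newest message id first.

```python
import hashlib
import hmac
import re
import secrets


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with an HMAC-SHA256 counter-mode keystream (stands in for AES-GCM)."""
    out, counter = bytearray(), 0
    while len(out) < len(data):
        out += hmac.new(key, b"enc" + nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("ciphertext failed authentication")
    return _keystream_xor(key, nonce, ct)


class KmsStandIn:
    """Constructed model of a KMS master key: wrap/unwrap only, master never exported."""

    def __init__(self):
        self._master = secrets.token_bytes(32)
        self.unwrap_calls = 0  # each unwrap is an auditable, compellable operation

    def generate_data_key(self):
        """Return (plaintext data key, same key wrapped under the master key)."""
        dk = secrets.token_bytes(32)
        return dk, seal(self._master, dk)

    def unwrap(self, wrapped: bytes) -> bytes:
        self.unwrap_calls += 1
        return unseal(self._master, wrapped)


class EncryptedMailStore:
    """Envelope-encrypted mailbox with a blind (HMAC-keyed) word index."""

    def __init__(self, kms: KmsStandIn):
        self.kms = kms
        _, self._index_key_wrapped = kms.generate_data_key()  # only the wrapped copy is kept
        self.messages = {}  # msg_id -> (wrapped data key, sealed body)
        self.index = {}     # HMAC(index_key, word) -> sealed comma-separated msg ids

    @staticmethod
    def _tokenize(body: bytes):
        return set(re.findall(rb"[a-z]+", body.lower()))

    @staticmethod
    def _token(index_key: bytes, word: bytes) -> bytes:
        return hmac.new(index_key, b"idx" + word, hashlib.sha256).digest()

    def store(self, msg_id: str, body: bytes) -> None:
        data_key, wrapped = self.kms.generate_data_key()
        self.messages[msg_id] = (wrapped, seal(data_key, body))
        index_key = self.kms.unwrap(self._index_key_wrapped)  # server-side indexing needs the key in RAM
        for word in self._tokenize(body):
            tok = self._token(index_key, word)
            ids = set(unseal(index_key, self.index[tok]).decode().split(",")) if tok in self.index else set()
            ids.add(msg_id)
            self.index[tok] = seal(index_key, ",".join(sorted(ids)).encode())

    def search(self, word: str, top_n: int):
        """Resolve the blind token, then decrypt only the top-N bodies (newest id first)."""
        index_key = self.kms.unwrap(self._index_key_wrapped)
        tok = self._token(index_key, word.lower().encode())
        if tok not in self.index:
            return []
        ids = unseal(index_key, self.index[tok]).decode().split(",")
        results = []
        for mid in sorted(ids, reverse=True)[:top_n]:
            wrapped, sealed_body = self.messages[mid]
            results.append((mid, unseal(self.kms.unwrap(wrapped), sealed_body).decode()))
        return results

    def word_visible_at_rest(self, word: str) -> bool:
        """What a copy of the storage alone (no KMS) reveals: scan every blob and token for the word."""
        needle = word.lower().encode()
        blobs = [w for w, _ in self.messages.values()] + [c for _, c in self.messages.values()]
        blobs += list(self.index.keys()) + list(self.index.values())
        return any(needle in b for b in blobs)
```

Two things the model makes visible that the prose only asserts. First, a stolen disk image or backup (`word_visible_at_rest`) yields opaque tokens, sizes and posting-list lengths, but no words, which is the "lesser threats" benefit described further down the thread. Second, both indexing and search call `kms.unwrap`, so the server must hold the index key and each message's data key in memory while it works; whoever can invoke that unwrap, whether a hacked front end, an insider, or a provider under court order, reads everything, which is exactly the limit the HSA discussion draws.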


As other commenters elsewhere in the thread have pointed out, we don't know much about the implementation at this point. How it is implemented I think will make or break this product.


Amazon's size basically guarantees that if they offer such a service, there will ALSO be a backup copy encrypted with Three-Letter-Agency key.

You can go under the radar when you are LavaBit small (and then, only until you have a single high-profile user). But not when you are Amazon.


In the beginning I don't think so. We've seen recently with Apple and Google that there is such a thing as a non-backdoored encryption product that agencies (both US and abroad) get upset about. That doesn't preclude there from being a backdoor requirement in the future, similar to a wiretap law.


> We've seen recently with Apple and Google, that there is such thing as a non-backdoored encryption product that agencies (both US and abroad) get upset about.

Who says they're not pretending to get upset about them?


Amazon is the company that cut off WikiLeaks when a senator made a hostile speech. Google and Microsoft have both gone to court to resist government actions.


We're talking about a company that has CIA as its customer and censored Wikileaks with a single phone call from a senator.


I think since the Sony leak, probably a lot of people have thought about the security of their corporate mail - I have


That's a good thought.

The more I have sat and thought about it, the more use cases I can come up with where there is a business case for it. One big one that comes to mind is foreign companies that don't trust the US.


I've been a user of Rackspace E-mail. It's one of the last services I still have with Rackspace and it's been a good platform for my company. I can't tell you the last time I had an issue. Looks like this is on the road to making Rackspace irrelevant on yet another level.


Racker here responsible for our mail services. Thanks for the positive feedback and for being a customer. Curious why you say this would make our offering irrelevant?


Hi Racker: I don't think this statement is necessarily specific to the mail offering. It's more about the pace of innovation or lack thereof @ Rackspace these days. There just seems to be a better fit for everything Rackspace used to do well somewhere else. :(

I want support and someone I can call, but I can honestly say that the support that I receive at AWS is more comprehensive and detailed than the typical response I got from Rackspace, which is really disappointing. Once I discovered that, I couldn't justify the 2x+ premium that I had been paying.

I also wish some of the more interesting things you have like Airbrake, Mailgun, Exceptional got more love. Instead, the focus seems to be on the non-differentiated stuff and all the "enterprise" stuff that matters less and less everyday.


I'm actually not too surprised. It seems like Amazon feels like they have to have every online service possible, however, some of their services could be better if they focused on fewer.


You misspelled Google. Most of AWS are products that have a consistent user base and profitable almost from day one.


My personal opinion is that there is a divergence in product types between traditional AWS offerings and their new desire to break into traditional Enterprise offerings. The Workspaces and managed Directory Services are nods to the Enterprise space but they are currently getting more shakes of the head back rather than nods.


To qualify any hosted mail service to handle valuable, confidential data seems difficult. For example:

What are the confidentiality provisions? Can they be changed without your consent? Does Amazon possess cleartext data and metadata? Do they monitor it to collect customer data? Who at Amazon can access it and when? What is their retention policy? Is non-retained data destroyed or just left on the storage medium until overwritten? How will they respond to subpoenas, warrants, and similar requests from counterparties in lawsuits or from government? And perhaps most importantly, how able are they to execute their policies and what deters Amazon from violating them (i.e., what is the penalty?)?

Is there any service that satisfies these requirements?


There's some spectrum between:

1) a shared consumer service (i.e. a bunch of gmail accounts in the public namespace)

2) some kind of dedicated-instance-within app service (which seems to be how google apps for your domain works)

3) container/vm based isolation of app service (i.e. a provider who runs dedicated VMs of their own or standard platforms for people...I think some of the hosted exchange options are like this)

4) dedicated servers but with provider retaining root, but a third party or your own staff doing app administration on mail server

5) #4 but without root for provider, but with normal machines and thus single-user

6) #4/5 with encrypted disk, such that it would be trickier

7) Colo vs. dedicated servers, with full crypto.

8) On-premise

I personally think the correct option for most organizations for mail is absolute-minimum 3, maybe 4. I feel uncomfortable less than 6. For someone like wikileaks, you are abjectly incompetent other than 7 or 8, at least using commodity technology today.


Isn't the NSA/CIA hosting with Amazon nowadays?


Maybe their website. Not for anything that matters. They're not building billion-dollar datacenters in Utah for fun.


I think I read somewhere about rumors of an intelligence agencies availability zone, under physical control of US intelligence agencies.

After all, at a massive scale, having access to industry standard tools for provisioning makes sense: giving $$$ to AMZN for their software stack and hw integration probably costs less than building your own...?

AWS GovCloud exist solely for this purpose: http://docs.aws.amazon.com/govcloud-us/latest/UserGuide/what...

A really private AV zone is just a step away: put gov guards at the entrance of DCs, replace all AWS teams by in-house personnel (or have AWS teams sworn in at the relevant level...?)


"a $600 million computing cloud developed by Amazon Web Services for the Central Intelligence Agency over the past year will begin servicing all 17 agencies that make up the intelligence community."

http://www.theatlantic.com/technology/archive/2014/07/the-de...


http://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govc...

> Hard token multi-factor authentication (MFA) devices are not available in the AWS GovCloud (US) region.


Amazon has a separate cloud for government computing that conforms to the various classification regimes, iirc.


That's GovCloud, see here: http://aws.amazon.com/govcloud-us/

The 600 million contract described here is not GovCloud: http://www.informationweek.com/cloud/infrastructure-as-a-ser...?


I wonder if Amazon has switched their internal email over to use WorkMail?


No, they are running Exchange 2013.


I get the feeling they haven't learned from Microsoft's mistakes when trying to spread themselves too thin.


They seem to be scant on security details. It's great to say you are built on the tenet of security but it's the details that matter.

What sort of protection do they offer for phishing, spam and AV?

Do they offer integration with other security, DLP suites?


To run a "real" company, of let's say, 200 people or more, dealing with mildly sensitive data, you need Microsoft[1][2][3][4]. You need Microsoft because you need:

* Calendaring that Just Works, and a capable client for it. This involves an Exchange server and MS Office;

* You need mail that Just Works, and Just Works in conjunction with the above calendaring; this involves an Exchange server and MS Office;

* You need an easily controllable and relatively cheap OS that can run Word, Excel, and a web-browser for non-technical staff, and can be run on cheap-ass Dell boxes; currently this involves Windows and MS Office;

* You need a shared fileserver for people to upload company party photos to, storing improperly protected financial spreadsheets, and so on;

* You need a central identity system to tie the whole shebang together; this involves Active Directory

To summarise, you need:

* ActiveDirectory, for which there is now Amazon WorkMail

* Exchange, for which there is now Amazon WorkMail

* Windows File Sharing, for which there is now Amazon WorkDocs

* Windows desktops that can run MS Office ... for which there is sort of Amazon WorkSpaces

The question now becomes: can I get away with running a 200-person company with no relationship with MS by deploying cheap-cheap Linux machines with a VNC-client to Amazon WorkSpaces for non-technical staff? And the answer is ... perhaps, but I need my people to be able to work without an internet connection, so probably not.

But still, that's fucking huge.

The one piece missing in this lineup is capable local Office apps. You simply cannot get away with not having Excel, Word, and Outlook's Calendar functionality ... yet. Finance, Admin, Management, and non-dev IT will riot without Excel; Admin, Sales, and Management will riot without Word; Sales and Management will riot without Outlook, and blood will be spilled over the management of more than two meeting rooms. OpenOffice, LibreOffice, whatever, they don't cut it in the real world.

So while it doesn't sound like their game, if Amazon were to release a lock-down-able Linux and some high-quality Office apps, they can take SME IT away from Microsoft. That is HUGE. Hell, if they can put together a package that can run Office under WINE reliably, and sort sensible licensing terms, it's just as huge, but I can't see MS allowing that licensing part to happen, because it would be suicide.

Interesting times!

[1] I don't care how Canonical or RedHat manage their internal IT

[2] Nor do I care about how your 11 person social media startup does it

[3] I too did all my best IT management before I became responsible for it

[4] Seriously.


OpenOffice is not good enough but you still think Amazon can release something better just like that? Oo shows how hard the problem is, even if you have decades of experience. Amazon has almost no experience with huge desktop applications, they can't possibly release something that can seriously compete with MS Office.


Probably, but the stakes are high enough, and they have enough cash, that who knows? Or they could just buy SoftMaker, and then throw money at that...


> This involves an Exchange server and MS Office;

Pretty sure you must be joking. We 1000+ real company have zero exchange. Google apps. People sure love to run MS products on their Macs though. Puzzler that. I'll stick to google docs when I have to and alternatives when I have a choice.

Can't remember the last MS Word/Excel/Powerpoint document I've ever created. You could not pay me to run Exchange.


Someone buy this man a beer.


Hopefully this means AWS will also be implementing DNSSEC which I need in order to implement DANE on my own secure mail solution.


I'm scratching my head wondering, "You mean they haven't done this already?"


And Amazon uses Outlook for internal office mail and calendar. What an irony?


Why irony? You can use Outlook as a client for WorkMail. I wouldn't be surprised if they shift to WorkMail once it satisfies their large enterprise requirements (given that it's an MVP right now).


What's its USP?


Here is a link that goes through Google: https://www.google.ca/url?sa=t&rct=j&q=&esrc=s&source=web&cd...

I tried to submit that to HN, but it didn't seem to work.


We changed the URL from http://www.wsj.com/articles/amazon-starts-selling-an-email-s... to what seems to be the other substantive article on this topic.


Thank you!

(Edit: Forbes’ article was much better than WSJs.)


Probably because HN doesn't want people accidentally linking to Google's tracking search results, although HN should really wrap paywalled articles by default, or at least have a policy on what is allowed. I'm sure more than 90% can't actually see anything without messing around with referral links.


No luck, I can't see the article with that link either


Same, but if you go type the headline into Google and follow the WSJ link, you should be able to read it.


You can also use Instapaper.


This to me just emphasizes the need for services like Nilas' email APIs. I don't want to have to worry about integrating with yet another email provider.

That being said, I trust Amazon's data centers and API stack far more than Microsoft alone.


Email can go better than APIs - it has publicly available protocols and there are many implementations of them (including many good FOSS implementations). They are called IMAP and SMTP! Any email client can integrate with any email server, and has been able to since the beginning of email


Sounds wonderful until you have actually tried to integrate IMAP "supported" email services, such as Gmail. What makes it hard is that different providers have different implementations which very often do not follow the protocol spec. Microsoft, Google, Yahoo all have their own higher-level API for email access, and every modern email tool ends up making something like Nilas, with a server taking care of pushes and managing logic for each provider. The industry needs a new standard, and that is why ideas such as Nilas seem exciting.


That's an argument for providers implementing the spec correctly, not an argument for abandoning specifications in favor of various proprietary APIs.

We've already learned this lesson with web browsers and HTML specs, maybe we'll have to learn it again for email.



