NSA Opens The Kimono On Its OpenStack

It’s not often one hears an intelligence agency talk shop, at least not in front of several thousand people at a public technology conference.

So the National Security Agency’s choice to permit Computer Scientist Nathanael Burton to keynote the OpenStack Summit in Portland was a bit of a surprise.

Much of the specifics of Burton’s presentation such as computational use cases, installation size, number of users and other juicy details had to be redacted, Burton explained. But he did describe the need for OpenStack, the path to implementation and the benefits the NSA gleaned from the project.

Burton explained that computer scientists within the NSA had to go through a rigorous and time-consuming process of planning projects, specifying their hardware needs and getting requisite approvals. Developers were frustrated. “The problem we were trying to solve was that it took too much time from idea to capability to develop and deploy in our development,” Burton said.

Burton, along with another Agency scientist learned about OpenStack several years ago and saw it as a possible solution.

The two worked in secret, stealing a server rack and installing Diablo to start testing. Like many similarly situated developers, they found themselves heading a shadow-IT operation. The only difference was that theirs was inside one of the most secretive and security-obsessed organizations in the entire world.

Lucky for Burton (left), a 10-year Agency veteran, his rogue project turned into a success. Agency members started using OpenStack for internal tests. “We really started to get an idea of what it could do,” Burton said. “Users no longer had to submit a lab request to get things done, they could do it on their own.”

So he brought his project out of the shadows, showed the usage and benefits and lobbied to put OpenStack into production. He co-located with the Agency’s big data clusters, opened it to mission-related workloads and let users come find it.

And they found it. Within six months and with no internal promotion, Burton had attracted hundreds of internal users. So he started improving it. He upgraded to Folsom from Diablo. He added OpenStack automation with Puppet and Kickstart, giving him the power to provision on bare metal in 20 minutes. He hardened the system by going nuts with SSL. He set up a system to automatically provision new users and do internal usage tracking using the Agency’s PKI-based identity management scheme.

In short, he took OpenStack and made it NSA-ready, fully optimized for intelligence applications. Now he boasts thousands of users and manages the installation with a team of 15.

“It was a complete paradigm shift to the entire IT community,” Burton said. “We broke lots of things, but using OpenStack gave us better flexibility, better agility and better scalability.”

What’s next? Burton will be taking his show on the road, introducing OpenStack to other government agencies tasked with intelligence and clandestine services.


  1. That is a brave decision to go transparent about this because it can also post danger about the security of the files. Good thing that they stressed about the Secure Sockets Layer (SSL)


Please enter your comment!
Please enter your name here