AWS Wickr – an ideal Defence companion?

Secure communications in defence - This article discusses the AWS Wickr service, and how the DoD (Department of Defense) have used it to provide secure communications

Secure communications in defence and other industries is increasingly critical, particularly when threats are evolving ever more rapidly.

This article discusses the AWS Wickr (hereafter referred to as “Wickr”) service, and how the DoD (Department of Defense) have used it to provide secure communications. I wrote this article after attending the AWS re:Invent session “BIZ203: Bolstering incident response with AWS Wickr and Amazon EventBridge” and learning more about the Wickr service (I was relieved to discover it had nothing to do with basket weaving).

What is AWS Wickr?

Wickr is a communications platform that provides AES-256 encrypted end-to-end communication, where messages are only readable on end-user devices. The service is operated by Amazon, who acquired Wickr in June, 2021.

Wickr allows file sharing, screen sharing, voice and video calls, and messaging (either 1:1 or in groups) as illustrated by Amazon:

AWS architectural diagram of the AWS Wickr service.
(c), AWS, 2023.

Message content can, however, remain on the server if a user is “logged off” so it can be delivered to them when they log-on. Nonetheless, the content remains unreadable centrally.

However, if necessary, an administrator can also set a global message retention policy, which will be visible to Wickr users when they use a Wickr client (see, left).

AWS Wickr Application on the Android Store.

Wickr operates as SaaS (software as a service).

AWS have provided a client for the SaaS offering, but it is also possible to build your own solution that uses the AWS Wickr platform.

For those not wishing to use SaaS, Wickr Enterprise is a self-hosted offering that can be installed on Kubernetes (for example).

Wickr extensibility

During the session, AWS described how “Bots” can be used to extend Wickr. The following example was used to demonstrate how an API Bot might be used. In the AWS example, security was central – with the inclusion of Amazon GuardDuty, and with AWS WAF sitting between the Amazon API Gateway and Application Load Balancer:

Diagram showing how Wickr can be built into an AWS private infrastructure and protected using GuardDuty and AWS WAF.
(c) AWS, 2023 – from AWS re:invent – BIZ203: Bolstering Incident Response with AWS Wickr and Amazon EventBridge

We also went into more detail on how an API bot works with Wickr:

Illustration of how a Wickr bot works

The Wickr client in the above is deployed as a Docker container, and communicates directly with the Wickr service. It is important to note that client keys remain within the client, and never leave its confines.

A custom application, in this example written using NodeJS, communicates with the outside world through API Gateway.

Crucially, the Wickr client is not an overly permissive user of Wickr. The client is a user, like any other Wickr user, and can be managed in the same way.

All communication between Wickr, the Wickr Client, and the Application is fully encrypted. During the session, I asked whether Wickr infrastructure in one region was isolated from another region’s infrastructure, and for confirmation that there was no shared infrastructure. AWS confirmed infrastructure was completely separated in-region. In spite of this, it is still possible to actively provide a user in another region with access to your Wickr service.

How much does it cost?

Wickr pricing starts at $5/user/month.

Where can I use Wickr?

The Wickr FAQs are somewhat misleading as they have not yet been updated with all active Wickr regions. The full list, however, is: Sydney, Canada Central, Frankfurt, London, North Virginia, and GovCloud US West (AWS WickrGov).

Wickr and the DoD (Department of Defense)

Considering the security of the Wickr platform, it is clear that AWS are targeting defence and other government clients. It was no surprise, then, to learn that the USAF (United States Air Force) use Wickr in the following publicly stated use-cases:

  1. To co-ordinate patient evacuations and connect the DoD to local mission’s partner medical professionals
  2. To provide battalion-size updates of dangerous weather
  3. To provide situational awareness of Covid-19 exposures; and
  4. To allow the families of servicemen to connect to them when they are stationed abroad.

Known as “Wickr RAM”, the DoD application has been deployed to AWS GovCloud (US) and Cloud One (a USAF Cloud Platform). Wickr RAM, naturally, has been awarded an ATO (Authority to Operate) by the Air Force’s Air Combat Command (ACC).

The DoD flavour uses Wickr in the background, with the following additional features:

  1. It is built within a ZTN (Zero-trust Network)
  2. It uses a FIPS-certified encryption library

Because of the security of the platform it has been approved for use with various sensitive workloads:

  1. CUI – Controlled Unclassified Information (e.g., Defence)
  2. PHI – Private Health Information
  3. PII – Personally Identifiable Information

The confidence in which the DoD holds Wickr is demonstrated by their open advertisement of the platform, their use of the service to provide secure communications in defence, and in their own words:

“Using Wickr RAM in Cloud One allows our personnel and teams to collaborate securely at the tactical edge and higher; in-garrison, and deployed. Its ability to run on many different platforms and its feature set enables us to reduce security risks and operate successfully”,

Todd Weiser, CTO, USAF Special Operations Command

Conclusion

In today’s wired world – with the ever-increasing sophistication of nefarious actors – a secure messaging platform can be invaluable.

The use of Wickr to provide secure communications in defence by the DoD in the US illustrates the robustness of the platform, and its ability to be used in highly confidential environments. Further, Wickr is also actively used by Qintel, UNCOMN, and others.

The cost of Wickr – at $5/user/month – is affordable. AWS also offers a free 3 month trial for up to 30 users for those who wish to try the platform for themselves.

For those wanting to deploy a highly secure messaging solution for their employees, Wickr may be just what you are looking for.
