This blog post was created in partnership with Amazon Web Services.
The future of federal cloud security depends in large part on the Federal Risk and Authorization Management Program (FedRAMP). The governmentwide program provides a standardized approach to secure re-assessment, authorization and continuous monitoring for cloud products and services.
In 2011, the White House released its Cloud First Policy, which was designed to increase cloud adoption across government. At that time, the Office of Management and Budget estimated that about a quarter of the $80 billion federal IT budget was a possibility for cloud transformation. That number has climbed in the years since, which has introduced both an opportunity and a challenge for federal cloud migration.
Dede Dascalu, CEO of Stratus Solutions, joined host Francis Rose on a recent episode of Government Matters, “Security in the Cloud,” sponsored by Amazon Web Services (AWS) to discuss how government cloud has evolved over the decade. Dascalu explained the concept of cloud at scale, which refers to a more holistic view of cloud’s impact on an agency at full capacity. A good governance program is usually underpinned by a well-designed cloud infrastructure, he said.
For example, some elements of a well-designed infrastructure include:
- Access points, or ways to access data and systems that are in the cloud.
- A security regime that enables agencies to aggregate and manage security incidents
- A network strategy to interconnect various cloud accounts
- And a well-defined certification and accreditation policy that accelerates approval to operate
Additionally, Dascalu said he’s witnessed the development in recent years of a multi-account strategy, where agencies use cloud boundaries to isolate themselves from other tenants in that cloud environment. That provides an advantage to IT staff and developers because they can exercise the full power of the cloud within a smaller radius. It also limits the damage any individual tenant can do inside the larger environment.
When the General Services Administration first introduced FedRAMP, it gave two reasons to explain its importance. One was consistency in the security that’s offered, and another was confidence for agencies that whatever FedRAMP-compliant security regime they chose would work for them. This has bolstered buyer confidence in the federal government and has dramatically reduced the amount of time needed to procure cloud.
Of course, the added consistency of FedRAMP doesn’t absolve customers from practicing good security and compliance on their end. Amazon Web Services, for instance, refers to this as a shared security model, where AWS is responsible for the security of the cloud, and customers are responsible for the security compliance of their workloads in the cloud.
“Automation is key,” Dascalu said. “In order to achieve the promise of better, cheaper, faster [IT services] … you need automation, not more humans or more manual processes. That’s essentially the gist of that. These automated tools also need to not just report and observe, they need to enforce rules and act based on pre-defined thresholds and boundaries.”
Government cloud compliance can be complicated because of slightly different standards across departments. The Defense Department, for instance, uses its own Cloud Computing Security Requirements Guide (DOD SRG), which forces providers like AWS to straddle both standards.
But ultimately, requirements like FedRAMP have greatly boosted consistency and security of government cloud, and they’ve laid a strong foundation for future migration.
Want to learn more? Check out the full Security in the Cloud segment on Government Matters here.
To learn more about Stratus Solutions visit: https://stratussolutions.com/
For more information on AWS in the public sector, head here: https://aws.amazon.com/government-education/
[…] GovLoop has a nice summary of the discussion and a link to the episode replay. […]