A Security Company With a Cloud or a Cloud with Security? That is the Question


Having been involved directly as the first cloud service provider to have achieved the FedRAMP and the DoD authorization, I have experienced the joy of bringing disruptive technology, coupled with the challenges of applying the high standards for cloud security, to the federal marketplace.

In the early days (which was only as far back as 2012) of FedRAMP, the cloud service providers’ security team had more say over what the cloud could and couldn’t do, more than the cloud engineers who were responsible for the functionality of the said cloud. We used to laugh that my security lead’s standard answer was “NO”, before even hearing the details of functionality that the engineers wanted to consider putting in place. API was a “four-letter” word in that world. During my tenure, that mindset never changed and it left many gaps in functionalities that our competitors brought to the market. The security won and the cloud sales, the tenants and the customers lost! We became a security company that happened to have a cloud.

Today, the cloud services from the FedRAMP-accredited providers have many (and growing) cloud functionalities; yet the Company still adheres to numerous stringent security controls. These cloud services were “born” outside the FedRAMP market; so, innovation led and security followed, to secure the innovation and not stifle it. This should not be read to understand that I am not in favor of solid security processes. I am. And I am a proponent of the FedRAMP, the FedRAMP mission and the Office of Management and Budget (OMB) requirements related to the FedRAMP’s adherence.

For instance, look at the current FedRAMP accredited cloud service providers’ services:

Go to www.fedramp.gov then select FedRAMP Authorized Products.

Next, pick one of the CSPs’ accredited services and then click the Service Description. Make a notational comparison of the number of services they have, under the FedRAMP authorization. A few examples are shown as follows (be sure to press the + button under Service Description):

  • AWS GovCloud
  • Microsoft Azure Government
  • Google – Google Services

Not having kept this listing over time, I still know that the number of cloud services has grown beyond their first FedRAMP accredited services, which were likely to be just plain ‘ole IaaS.

How did these added services come into being?

The effort order was driven by the needs of cloud customers; innovation first, and then the security supported the inclusion of these services.

Because I have been in the cloud services and the FedRAMP/Department of Defense market since the beginning, I would share the lessons learned, which are as follows:

  • Let the smart, innovative thought leaders of cloud services lead the service offerings.
  • Support the mission of the security teams, but remind them that they are there not to block or impose their will. Rather they should serve to make the service available in a compliant manner.
  • Prevent the “Security God Complex” from taking over.

Take note of what Joel de la Garza, Chief Security Officer for file sharing giant Box, said in an interview with ZDNet, this past March. He was quoted saying the following:

“The biggest challenge that I face, on a daily basis, has to do with how do you actually meet the requirements of highly regulated industries without completely destroying innovation in your company.”

ZDNet interview

It appears that Mr. de la Garza understands innovation leads and that his role was to assure that innovation comes to market, securely. He went on to reflect on his previous position and stated the following:

“I came from the empire of ‘No’,” de la Garza said in jest. “I had the power in my previous job to shut things down. I could turn off a trillion-dollar business if I had to, because there was a risk of it being compromised. That’s what the regulators wanted and that’s how banks operate.”

“I am happy to say that the market has made peace with high bar security like the FedRAMP and the Department of Defense’s Security Requirements Guide; having seen firsthand the heat the FedRAMP Program Management Office (PMO) took up, over the last few years, for “preventing innovation” that cloud service providers wanted to bring. The FedRAMP was (falsely, in my opinion) accused of being difficult to work with, being too hard (it’s supposed to be), and the accreditation process taking too long. However, evidence shows that many, many cloud service providers have found their way into the FedRAMP compliance.”

How did we gain so many FedRAMP accredited providers?

  • Certainly, the FedRAMP leadership, including Matt Goodrich, has worked diligently to engage industries and agencies to create well-documented FedRAMP processes, such that the CSPs can no longer claim that it’s a “black box” process.
  • FedRAMP has rightfully earned more funding to staff the FedRAMP office, to meet the demand for its services.
  • The FedRAMP PMO has developed creative programs to assist the CSPs in their entry into the FedRAMP accreditation process. To name a few:
    1. https://www.fedramp.gov/tag/fedramp-ready/
    2. https://www.fedramp.gov/fedramp-connect-the-latest-vendors-prioritized-by-the-jab/
  • A mature Third Party Assessment Organization (3PAO) ecosystem exists, to guide the CSPs through the FedRAMP and the DoD cloud security process.
  • With the advent of automation, there is now a growing market of providers that the CSPs can work with, to automate their FedRAMP compliance requirements. This is an emerging market but a few companies, at least, now exist with platforms that will help the CSPs from being “overrun” by their security teams, whilst improving the security posture of the CSPs’ environment (goal).

John Keese is part of the GovLoop Featured Blogger program, where we feature blog posts by government voices from all across the country (and world!).