When shopping for furniture online, people usually look at several factors – price, reviews and dimensions, just to name a few. But another consideration is the ease with which the furniture can be built.
The same is true with the cloud. In recent years, agencies have become more cognizant of the cloud and its potential benefits, but the comfort of the status quo still beckons.
After all, moves to the cloud require agencies to prove that they are meeting compliance requirements all over again, in addition to satisfying their own security departments. Or, so it would seem.
“They may be looking at solutions that can very quickly get them through FedRAMP,” said Nicci Neal, Principal Business Development Manager at Amazon Web Services (AWS). The AWS GovCloud (US) Regions hold authorizations under several major U.S. government compliance programs, including FedRAMP, which assesses vendors’ cloud offerings and authorizes them at a Low, Moderate or High impact baseline.
Neal spoke with GovLoop about how to expedite moves to the cloud while maintaining security and compliance. She offered these best practices.
1. Don’t oversell on-premises security.
People often talk about how they felt more secure having applications in their own data center, but on-premises systems had their own security challenges.
For example, shadow IT, meaning unapproved systems or services that employees introduce in ways that bypass security policy, existed on premises as well. Shadow IT is rarely introduced with malicious intent. Because it is hidden from the security team, however, it leaves applications and data unprotected. Cloud does not eliminate shadow IT, but a cloud environment can be inventoried from a central control plane, so agencies can take stock of what is actually running and secure it.
Cloud providers like AWS can help provide centralized visibility and management of customers’ environments through resource tagging, which records who owns each resource and what it is for. Moreover, with software solutions found on AWS Marketplace, agencies can define a baseline security configuration, enforce it across their accounts and detect configuration drift away from that baseline.
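The inventory-and-drift idea above is easiest to see in code. The following is an added example, not code from the article or from AWS: it runs a small baseline check over a constructed resource inventory (the resource ids, the required tag names and the ports treated as administrative are all assumptions), flagging resources that lack the tags an agency would use to claim ownership and classification, and security groups whose ingress rules drift from a baseline that forbids exposing administrative ports to the whole internet. In practice the inventory would come from an inventory API or a configuration-history export rather than a literal in the script.

```python
"""Baseline-vs-inventory drift check over a constructed resource inventory.

Added example, not code from the original article or from AWS. INVENTORY is
constructed by hand to stand in for an inventory export; REQUIRED_TAGS and
FORBIDDEN_OPEN_PORTS are assumed baseline values an agency would set itself.
"""
from ipaddress import ip_network

# Assumed baseline: tags every resource must carry, and ports that must never
# be reachable from the whole internet (SSH and RDP here).
REQUIRED_TAGS = {"Owner", "DataClassification", "System"}
FORBIDDEN_OPEN_PORTS = {22, 3389}

# Constructed inventory in the shape of a simplified resource export.
INVENTORY = [
    {"id": "i-0a1", "type": "instance",
     "tags": {"Owner": "team-a", "DataClassification": "CUI", "System": "hr"}},
    # Untracked resource: nobody has said what data it holds or which system it belongs to.
    {"id": "i-0b2", "type": "instance", "tags": {"Owner": "team-b"}},
    {"id": "sg-001", "type": "security_group",
     "tags": {"Owner": "team-a", "DataClassification": "CUI", "System": "hr"},
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"},     # HTTPS to the world: allowed
                 {"port": 22, "cidr": "10.0.0.0/8"}]},   # SSH from internal space: allowed
    {"id": "sg-002", "type": "security_group",
     "tags": {"Owner": "team-b", "DataClassification": "Public", "System": "web"},
     "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]},    # SSH to the world: drift from baseline
]


def is_world_open(cidr: str) -> bool:
    """True if the CIDR covers every address (0.0.0.0/0 or ::/0)."""
    return ip_network(cidr, strict=False).prefixlen == 0


def missing_tags(resource: dict) -> set:
    """Required tags the resource does not carry."""
    return REQUIRED_TAGS - set(resource.get("tags", {}))


def open_admin_ports(resource: dict) -> list:
    """Forbidden ports this resource exposes to the whole internet, sorted."""
    return sorted(
        rule["port"]
        for rule in resource.get("ingress", [])
        if rule["port"] in FORBIDDEN_OPEN_PORTS and is_world_open(rule["cidr"])
    )


def find_drift(inventory: list) -> dict:
    """Map resource id -> list of findings; compliant resources are omitted."""
    findings = {}
    for resource in inventory:
        issues = []
        tags = missing_tags(resource)
        if tags:
            issues.append("missing tags: " + ", ".join(sorted(tags)))
        for port in open_admin_ports(resource):
            issues.append(f"port {port} open to the world")
        if issues:
            findings[resource["id"]] = issues
    return findings


if __name__ == "__main__":
    for resource_id, issues in find_drift(INVENTORY).items():
        for issue in issues:
            print(f"{resource_id}: {issue}")
```

The check is deliberately split into small functions so each baseline rule can be tested on its own and new rules (an encryption flag, an approved AMI list) can be added without touching the reporting loop; the same structure is what a managed configuration-rules service evaluates continuously instead of on demand.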
“Security does lead every decision that we make, from the design and build phases all the way through operations,” Neal said. “And that’s where our customers want to go.”
2. Seek out ways to accelerate compliance.
Compliance does not have to be the chore it was on premises. By building in cloud regions such as AWS GovCloud (US), agencies can meet governmentwide compliance and security standards faster, moving out of their data centers and inheriting controls the provider has already implemented and had independently assessed. They also gain greater control of their networks and overall security posture, even just by preparing for a hybrid cloud.
Relying on cloud compliance programs like FedRAMP, agencies can see where authorized offerings fit into their own architectures. The AWS GovCloud (US) Regions, for example, are authorized at the FedRAMP High baseline and support NIST, ITAR, the DoD Cloud Computing SRG, DFARS, CJIS and other federal compliance requirements. Looking forward, AWS GovCloud (US) is also intended to support DoD’s Cybersecurity Maturity Model Certification (CMMC), which assesses the cybersecurity practices of defense contractors and their supply chains.
To speed up compliance and acquisition processes, agencies can also lean on the shared responsibility model. With responsibilities defined in advance, agencies know which controls they must implement and evidence themselves, such as protecting their data and managing identities and access, and which the provider covers, such as the physical facilities and the underlying infrastructure.
3. Ready the workforce and IT operations models for cloud.
Lastly, agencies need to make sure that they are ready for cloud. Sound security policy matters to leadership, but the workforce still needs training on the tools and services of the new environment.
AWS offers widely used training courses covering standards, compliance and security, and agency workforces can also receive customized training.
When the workforce knows how to operate in the cloud, the environment is not only more secure and compliant but also more productive. Agencies can fold ready-made automation, such as automated security checks in the delivery pipeline, into secure development and operations models like DevSecOps to speed up application rollouts while meeting compliance requirements.
“Those benefits are really great for customers that are looking for prescriptive guidance and meeting compliance,” Neal said.