US Federal building (Source: Pixabay/DEZALB under CC0)

Amazon Web Services has announced that it has achieved the recently released FedRAMP High baseline authorisation. The accreditation applies only to AWS GovCloud in the US. There are 421 security controls in the High baseline, 169 of which are already required for FedRAMP approval. It requires companies to meet a High/High/High categorisation for confidentiality, integrity and availability. This categorisation is based on the FIPS 199 standard and is mapped to the National Institute of Standards and Technology (NIST) security controls.

Amazon are not alone

Teresa Carlson, Vice President, Worldwide Public Sector, AWS, Inc (Source: LinkedIn) https://www.linkedin.com/in/teresacarlson

Amazon is not the only company to have achieved the baseline. One of its major competitors, Microsoft, has also achieved certification with Azure Government. The third, a company perhaps less well known outside the US public sector, is CSRA / Autonomic Resources with its ARC-P IaaS platform. It will be interesting to see who follows. Companies such as Oracle, SAP and IBM will want their names on the list as quickly as possible.

Teresa Carlson, Vice President Worldwide Public Sector, AWS commented: “We are pleased to have achieved the FedRAMP High baseline, giving agencies a simplified path to moving their highly sensitive workloads to AWS so they can immediately begin taking advantage of the cloud’s agility and cost savings.”

International ramifications

While this announcement sees Amazon achieve the certification in the US, it is relevant abroad as well. Amazon should now be able to repeat this process around the world, and AWS will be able to respond quickly as other governments introduce their own high-level security accreditations.

Carlson alludes to this opportunity saying: “Over 2,300 government customers across the world are using the AWS Cloud to innovate in amazing ways – from analyzing data on social media to collect information on adverse drug effects, to making genomic data publicly accessible, to collecting images from Mars. By demonstrating the security of the AWS Cloud with the FedRAMP High baseline, agencies can confidently use our services for an even broader set of critical mission applications and innovations.”

Accreditation rich

Amazon has provided a list showing which of its products are covered by the GovCloud accreditation. Among them are Amazon Elastic Compute Cloud (EC2), Virtual Private Cloud (VPC), Simple Storage Service (S3), Identity and Access Management (IAM), and Elastic Block Store (EBS). Amazon is now capable of supporting most US Government operations, though there are likely to be some that may never see the cloud. Besides FedRAMP, AWS GovCloud adheres to US International Traffic in Arms Regulations (ITAR) and Criminal Justice Information Services (CJIS) requirements, as well as Levels 2 and 4 for DoD systems.

These standards allow AWS GovCloud to offer increasing levels of service to U.S. government agencies. AWS GovCloud can now offer services for highly sensitive workloads. Examples include Personally Identifiable Information (PII), sensitive patient records, financial data, law enforcement data, and other Controlled Unclassified Information (CUI).

Matthew Goodrich, FedRAMP Director, GSA’s Office of Citizen Services and Innovative Technologies (OCSIT) (Source: LinkedIn)

After months of consultation, the US Government has taken a positive step toward ensuring that cloud environments are safer to use. Matthew Goodrich, FedRAMP Director, GSA’s Office of Citizen Services and Innovative Technologies (OCSIT), commented: “We’re excited to launch the FedRAMP High baseline, and to recognize AWS as having achieved the most rigorous FedRAMP level to date.

“The High baseline applies the same, ‘do once, use many times’ approach as the rest of the FedRAMP program in an effort to standardize cloud security controls, and reduce the burden of assessing cloud security for agencies. The FedRAMP High baseline will be important for civilian agencies, the Department of Defense (DoD), the Department of Veterans Affairs (VA), and other agencies to use the cloud for highly sensitive data.”

So what?

This news doesn’t just affect Amazon. Companies that host their solutions on AWS GovCloud will also welcome it. Infor, for example, is just starting on its journey to FedRAMP approval. It may now consider a second phase of the project that would see it achieve the higher status, which could give it an early advantage over some of its ERP rivals.

For companies like Salesforce, it is a hurdle they will have to clear alone. The controls are not onerous, but the processes needed to satisfy them can be costly and time consuming. Because they host their own data, they will need to consider whether the benefit of extra sales is worth the effort.

Conclusion

Organisations need to tighten their security in the face of increasing cybersecurity threats, so it is welcome that the US Government has now put in place a higher level of accreditation. It will be interesting to see whether other governments follow its lead. Enterprises should also sit up and take notice.

A growing number of companies are looking to achieve ISO 27001 accreditation. It is not just about winning government business but about assuring other clients of their security. With higher levels of security becoming the norm, this is a serious business benefit.

CISOs might consider looking through the controls in FedRAMP High. They are a good baseline to aim for, especially when the board decides the company must “switch on” security: it should mean the processes and controls are already in place. If they are not, as many know, it can be a long and painful journey.
