Sergey Nivens - Fotolia
Lessons corporate users can learn from FedRAMP
FedRAMP provides a standardized approach to cloud security across the U.S. federal government, but it can also serve as a guidepost for corporations in search of better practices.
Amid a constant stream of news about data breaches, compliance and security are front of mind for many IT pros. Because of this, the future of cloud security and automation could be heavily influenced by FedRAMP, especially in industries that deal with sensitive data.
Companies that work in highly regulated sectors, such as healthcare or banking, can look to the Federal Risk and Authorization Management Program (FedRAMP) as a model for a standardized approach to security assessment, authorization and continuous monitoring for cloud and SaaS offerings.
FedRAMP's reusable security assessments could benefit large enterprises because it provides a uniform approach to risk management across the business. The assessment model can also be applied to multi-cloud environments, which have become increasingly common.
FedRAMP basics
Before we get too deep into how FedRAMP could influence the public cloud market, let's first review exactly what it is, at a high level.
FedRAMP is a "do once, use many times" framework intended to save money and free staff from redundant security assessments. The framework governs all U.S. federal agencies' use of cloud services, except for private cloud deployments fully implemented within the facilities of a single agency. Each agency must submit a quarterly report about its cloud services that aren't FedRAMP-compliant, with the appropriate rationale and the resolutions for getting those applications in compliance.
The framework is split into three security levels for the application and data compliance:
- Low impact level is appropriate when the loss of confidentiality and availability would only have limited adverse effects on any organization's operations, assets or staff -- such as applications that aren't critical to the business.
- Moderate impact level is for systems where the loss of confidentiality would affect an agency's operations adversely. This could include significant operational damage, financial harm or individual harm that isn't physical injury or loss of life.
- High impact level is for data that would have a severe or catastrophic effect on an agency if it were lost. This accounts for the government's most sensitive data in the cloud, including data that's safeguarded to protect lives or prevent financial ruin.
Cloud providers and federal agencies go through a formal approval process to be certified FedRAMP compliant. FedRAMP promotes transparency by involving a provider's representatives in the FedRAMP process, and provisional authorization is granted by a board of federal agency CIOs and their representatives.
An agency sponsor reviews the cloud service's security package, and an independent third-party performs a security assessment. Then, based on the results, the agency head or designee can grant authority to operate, which means the cloud service is secure and compliant.
As part of the certification process, cloud vendors must implement controls in accordance with FIPS 199 categorization and remediate any assessment findings from the third-party audit, such as architectural and security issues. They must develop a corrective action plan for tracking and planning the resolution of information security weaknesses. And, they must implement a continuous monitoring program to include monthly vulnerability scans of their FedRAMP compliant services.
Federal agencies gain a compliance advantage by building applications on cloud platforms that are already FedRAMP certified.
FedRAMP compliance for AWS, Microsoft and Google
AWS has made significant FedRAMP investments in its GovCloud Regions, which are provisionally approved at the high impact level, along with 70 cloud services available in those regions. AWS' East and West public cloud regions are also FedRAMP compliant, but only at the moderate impact level.
On the other hand, all Microsoft Azure regions have been approved for FedRAMP high impact level since May 2019. This kind of compliance likely played a role in Microsoft winning the massive JEDI contract.
Google Cloud Platform -- a latecomer to FedRAMP compliance -- received FedRAMP high-level authorization for 17 products in five cloud regions in 2019. Google also expanded its existing FedRAMP moderate level authorization to 64 products in 17 cloud regions.
Lessons to learn from FedRAMP
Organizations can learn several lessons about security and compliance from FedRAMP, even if they're not involved with any federal government workloads.
- FedRAMP is a well-documented, straightforward methodology born inside one of the most massive bureaucracies in the Western world. It's quickly becoming a security benchmark for the financial services, health and manufacturing industries, and it could serve as a blueprint for other organizations, too.
- FedRAMP isn't an insular compliance process. It requires participation from the app developers, cloud teams, organization owners, stakeholders and the service provider. Every compliance effort can learn from this level of participation.
- Going through a FedRAMP audit requires a methodical approach, which can be a lot to ask for some organizations. Audits are a perfect opportunity for cloud teams to clean up their documentation and internal processes.
- FedRAMP audits are also a time to educate clients about the cloud. They provide more transparency into how an organization works with its provider using a shared responsibility model. It's also an opportunity to drill down into cloud security for your business and cloud teams through formal and informal training sessions.
FedRAMP best practices to follow
FedRAMP also showcases many technical and security best practices. Here are a few examples of supported techniques organizations could use to improve their security posture:
- Use machine-readable system security plans created in JSON and XML that can support agencies and their compliance through increased automation. FedRAMP information requirements also mandate a cloud management platform be in place to deliver automation and the requisite reporting to stakeholders and auditors.
- Start with continuous security monitoring across cloud environments. Cloud providers must monitor their cloud environments as part of FedRAMP, but it's up to the customers to monitor across cloud environments, including any hybrid and multi-cloud architectures.
- Have the tools in place to process electronic discovery and litigation holds and be able to clearly define and describe the system boundaries between your organization and your cloud provider.
- Utilize identity and access management best practices, as well as two-factor authentication.
- Put cryptographic safeguards in place to preserve confidentiality and integrity of data during transmission and to prevent unauthorized data transfers via shared resources, such as removable media or unapproved cloud storage.
Potential drawbacks and limitations
While FedRAMP checks all the boxes for security and compliance, its effectiveness is limited in commercial markets. For starters, companies are unlikely to implement FedRAMP-level compliance for another layer of security without a business case.
More importantly, FedRAMP only has teeth in the federal government. Even if a commercial organization were to adapt FedRAMP practices, there's no penalty hanging over it if its applications are out of compliance.
The major cloud providers have yet to really commercialize their FedRAMP work beyond the agencies and system integrators that comprise their public sector customer base. There needs to be more information sharing between cloud providers and their customers to identify ways to extend these frameworks to the private sector and, hopefully, cut back on the data breaches that have become all too commonplace.