Page 21 - FCW, May 2017

SPONSORED CONTENT
that they can build secure systems on top of a cloud environment. To verify that security and compliance are being managed as promised, and to help agencies meet security control requirements, cloud providers should undergo testing by third-party auditors. Important certifications include:
• FedRAMP High baseline: This includes more than 400 security controls for non-classified systems, certifying that the cloud environment can host highly sensitive workloads. FedRAMP High assesses cloud environments using NIST SP 800-53 security controls. Achieving FedRAMP High allows FISMA High systems to be deployed in the cloud environment.
• DoD Cloud Computing Security Requirements Guide (SRG): Achieving this certification means a commercial cloud provider has a provisional authority to host DoD data. There are four levels of certification, each more restrictive than the last. Impact Level 4, for example, lets DoD agencies use the cloud for production workloads with export-controlled data, privacy information and protected health information, along with other controlled unclassified information.
With certifications checked and confirmed, the next step is determining whether a potential commercial cloud provider has the most advanced security features. That includes full visibility and control capabilities, as well as state-of-the-art identity and access management features.
Visibility and control of an agency’s infrastructure and data are critical to ensure strong security in the cloud. Knowing how many servers exist, who has access to those servers, who can touch specific data sets and where encryption keys are stored is a constant challenge. These tasks are easier to achieve in the cloud, especially in an API-driven environment that uses Software Defined Networking to logically isolate private networks.
With one command or audit report, you can get a sense in real time of how all your infrastructure is configured across all cloud resources. This lets you move fast while still ensuring your cloud resources comply with agency standards and best practices. You can see who has called the cloud service APIs, including who made each call, what was called and from where. AWS CloudTrail provides deep visibility into API calls through log files you can ingest and analyze for anomalies.
Using the AWS Identity and Access Management (IAM) service, agencies can implement fine-grained access controls to manage and monitor privileged user access at a granular level. For example, you might allow only certain users to have access to specific AWS service APIs and resources and deny access to other resources. IAM also lets you add specific conditions to privileged access, such as time of day, originating IP address, whether the request uses SSL/TLS, or whether the user has authenticated with a multi-factor authentication device, to control use of AWS.
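The conditions listed above map onto IAM condition keys in a policy document. The following added example, which is not from the article or from AWS documentation, shows a constructed policy that allows destructive S3 actions only with MFA, from an agency address range and inside a date window, plus an explicit Deny for any S3 call made without TLS, together with a deliberately simplified evaluator so the effect of each condition can be tested offline. The bucket name is a placeholder, 203.0.113.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges, and the evaluator models only the operators used here (real IAM evaluation has more operators and more rules).

```python
import fnmatch
import ipaddress
from datetime import datetime

# Constructed example policy (not an AWS-published document). Condition keys are real IAM keys;
# the bucket name is a placeholder and the CIDR is a documentation range standing in for an
# agency network.
PRIVILEGED_S3_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Explicit deny: any S3 call that does not use TLS is refused regardless of other grants.
            "Sid": "DenyS3WithoutTLS",
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": "*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {   # Destructive actions need MFA, an agency source address and a bounded time window.
            "Sid": "AllowDestructiveS3WithMfaFromAgencyNetworkInWindow",
            "Effect": "Allow",
            "Action": ["s3:DeleteObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-agency-bucket/*",
            "Condition": {
                "Bool": {"aws:MultiFactorAuthPresent": "true"},
                "IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},
                "DateGreaterThan": {"aws:CurrentTime": "2017-05-01T00:00:00Z"},
                "DateLessThan": {"aws:CurrentTime": "2017-06-01T00:00:00Z"},
            },
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _parse_time(stamp):
    # aws:CurrentTime is an ISO 8601 timestamp; fromisoformat needs "+00:00" rather than "Z".
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def _condition_holds(operator, key, expected, ctx):
    """Simplified condition check: a key absent from the request context fails the condition."""
    actual = ctx.get(key)
    if actual is None:
        return False
    expected = _as_list(expected)
    if operator == "Bool":
        return str(actual).lower() == str(expected[0]).lower()
    if operator == "StringEquals":
        return actual in expected
    if operator in ("IpAddress", "NotIpAddress"):
        addr = ipaddress.ip_address(actual)
        inside = any(addr in ipaddress.ip_network(cidr) for cidr in expected)
        return inside if operator == "IpAddress" else not inside
    if operator in ("DateGreaterThan", "DateLessThan"):
        actual_dt, bound = _parse_time(actual), _parse_time(expected[0])
        return actual_dt > bound if operator == "DateGreaterThan" else actual_dt < bound
    raise ValueError(f"operator not modelled: {operator}")


def is_allowed(policy, action, resource, ctx):
    """Default deny; an explicit Deny that matches wins over any Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
            continue
        conditions = stmt.get("Condition", {})
        if not all(_condition_holds(op, k, v, ctx)
                   for op, pairs in conditions.items() for k, v in pairs.items()):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Constructed request contexts: a compliant request and one variation per condition.
BASE_CONTEXT = {
    "aws:MultiFactorAuthPresent": "true",
    "aws:SecureTransport": "true",
    "aws:SourceIp": "203.0.113.25",
    "aws:CurrentTime": "2017-05-15T14:30:00Z",
}
EXAMPLE_REQUESTS = {
    "compliant": ("s3:DeleteObject", BASE_CONTEXT),
    "no_mfa": ("s3:DeleteObject", {**BASE_CONTEXT, "aws:MultiFactorAuthPresent": "false"}),
    "outside_agency_network": ("s3:DeleteObject", {**BASE_CONTEXT, "aws:SourceIp": "198.51.100.7"}),
    "plain_http": ("s3:DeleteObject", {**BASE_CONTEXT, "aws:SecureTransport": "false"}),
    "outside_time_window": ("s3:DeleteObject", {**BASE_CONTEXT, "aws:CurrentTime": "2017-07-04T09:00:00Z"}),
    "action_not_granted": ("s3:GetObject", BASE_CONTEXT),
}
OBJECT_ARN = "arn:aws:s3:::example-agency-bucket/report.pdf"


def evaluate_examples():
    """Return {request name: allowed?} for every constructed request against the policy."""
    return {name: is_allowed(PRIVILEGED_S3_POLICY, action, OBJECT_ARN, ctx)
            for name, (action, ctx) in EXAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_examples().items():
        print(f"{name:24s} {'ALLOW' if verdict else 'DENY'}")
```

Only the fully compliant request is allowed; each missing condition, and the non-TLS request that trips the explicit Deny, falls back to the default deny. The same conditions can be attached to the policies that govern the IAM and CloudTrail APIs themselves, so that changing access rules or logging configuration is held to the same bar as touching data.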
All cloud computing activity should be logged and fed to log analytics services, which expedites incident response and troubleshooting. With proper logging and activity monitoring, IT managers can even review the agency’s cloud resource history, including how resources have been configured over a period of months or even years.
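To make the "ingest and analyze for anomalies" step concrete, here is an added example (not code from the article or from AWS) that reads a CloudTrail-style JSON document and applies four simple detection rules: console logins without MFA, calls from outside the approved address ranges, a burst of AccessDenied responses from one identity, and changes to the CloudTrail configuration itself. The records are constructed and trimmed to the fields the rules use (real CloudTrail records carry many more), the address ranges are RFC 5737 documentation ranges, and the three-strike threshold is an arbitrary choice for illustration.

```python
import ipaddress
import json
from collections import Counter

# Events that alter the audit trail; a practitioner watches these regardless of who issues them.
LOGGING_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
ACCESS_DENIED_THRESHOLD = 3  # arbitrary threshold for this example

# Constructed CloudTrail-style records: one compliant user (alice) and one whose activity
# trips every rule (bob). Field names follow the CloudTrail record format; values are made up.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2017-05-10T13:02:11Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.40", "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2017-05-10T13:03:30Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.40"},
    {"eventTime": "2017-05-10T13:05:47Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "198.51.100.9", "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2017-05-10T13:06:02Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "198.51.100.9", "errorCode": "AccessDenied"},
    {"eventTime": "2017-05-10T13:06:15Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "198.51.100.9", "errorCode": "AccessDenied"},
    {"eventTime": "2017-05-10T13:06:41Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "198.51.100.9", "errorCode": "AccessDenied"},
    {"eventTime": "2017-05-10T13:09:58Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "198.51.100.9"},
]})

AGENCY_NETWORKS = ["203.0.113.0/24"]


def _actor(record):
    identity = record.get("userIdentity", {})
    return identity.get("userName") or identity.get("arn") or identity.get("type", "unknown")


def _off_network(ip, networks):
    """True when ip is a client address outside every approved range.
    CloudTrail sometimes records a service name or 'AWS Internal' instead of an address;
    those are not client addresses and are not flagged by this rule."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in networks)


def review_trail(raw_json, allowed_cidrs):
    """Return a list of (rule, actor, detail) findings for a CloudTrail-style JSON document."""
    networks = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    denied_per_actor = Counter()
    off_network_seen = set()  # one finding per (actor, address), not one per call

    for record in json.loads(raw_json)["Records"]:
        actor = _actor(record)
        ip = record.get("sourceIPAddress", "")
        name = record.get("eventName", "")

        if name == "ConsoleLogin" and record.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            findings.append(("console-login-without-mfa", actor, ip))
        if _off_network(ip, networks) and (actor, ip) not in off_network_seen:
            off_network_seen.add((actor, ip))
            findings.append(("call-from-unapproved-network", actor, ip))
        if record.get("errorCode") == "AccessDenied":
            denied_per_actor[actor] += 1
        if name in LOGGING_TAMPER_EVENTS and record.get("eventSource") == "cloudtrail.amazonaws.com":
            findings.append(("cloudtrail-configuration-change", actor, name))

    for actor, count in denied_per_actor.items():
        if count >= ACCESS_DENIED_THRESHOLD:
            findings.append(("access-denied-burst", actor, f"{count} AccessDenied responses"))
    return findings


if __name__ == "__main__":
    for rule, actor, detail in review_trail(SAMPLE_TRAIL, AGENCY_NETWORKS):
        print(f"{rule:34s} {actor:8s} {detail}")
```

Every finding here points at bob, and none at alice, which is the point of keeping the rules narrow: a login without MFA from an unapproved address, followed by repeated AccessDenied responses to IAM calls and then a StopLogging request, is the shape of activity a log review should surface. In production the same rules would run continuously over the delivered log files rather than over one embedded document.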
Encryption techniques are another critical factor. While all cloud providers that have earned security certifications will have excellent encryption options, there are differences when it comes to encryption features and key management options. For example, the ability for agencies to control encryption keys gives them the power to put data into any environment, as long as they ensure those encryption keys are secure and isolated.
Today, there is no reason you can’t be as secure, if not more secure, operating in a commercial cloud environment. Check thoroughly the cloud provider’s ability to comply with applicable security compliance regulations or audit standards. If they meet all of the criteria, commercial cloud services can be a great way to securely support the mission of the warfighters.
FOR MORE INFORMATION, PLEASE VISIT: AWS.AMAZON.COM/GOVERNMENT-EDUCATION/
*Gartner, How to Make Cloud IaaS Workloads More Secure Than Your Own Data Center, 24 June 2016
CERTIFICATIONS ONLY GO SO FAR
While commercial cloud environments have become more secure, it’s important to leave nothing to chance. Here are some best practices to ensure your commercial cloud environment is fully secure.*
▸ Use the cloud provider's native security capabilities in conjunction with DevSecOps practices and tools to automate security controls throughout the application lifecycle
▸ Encrypt all data at rest in IaaS
▸ Control and monitor administrative access tightly
▸ Log everything, and monitor logs for indications of malicious intent
▸ Scan workloads for vulnerabilities before release into production and while in production
▸ Integrate application security testing and other vulnerability scanning capabilities into the deployment cycle, including scanning containers if they are used