Federal Government Cloud Migration – How to migrate federal government workloads to the cloud
Depending on the agency, many government organizations are now seriously evaluating the cloud, if they have not already migrated some or all of their workloads, and they do so for a variety of reasons.
Why does the federal government want to migrate to the cloud?
Most of those reasons stem from a need to provision computing resources quickly, lower acquisition costs, integrate DevOps best practices in an elastic environment, and deploy security resources on demand. Whatever an agency's reasons are, the path typically begins with categorizing the controls required for the data being processed: Unclassified public, FOUO, Classified, Top Secret, and so on. Each level of data classification dictates how security controls are applied to the cloud environment under the applicable compliance standards. The core compliance standard that lets cloud providers streamline new workloads into the cloud is FedRAMP (the Federal Risk and Authorization Management Program), which allows existing ATOs (Authorizations To Operate) to be leveraged for new workloads. In practice this means your government organization reaps the benefits of the trailblazers that already went through the compliance and auditing process to put their workloads in the cloud. The "do once, use many times" framework FedRAMP has established saves an estimated 30%-40% of the cost and time associated with compliance requirements.
The three-step process to authorize cloud systems is:
- Security Assessment – Standard set of requirements in accordance with FISMA (Federal Information Security Management Act) that uses a baseline of NIST 800-53 controls to grant security authorizations.
- Leveraging and Authorization – Using existing authorizations in the FedRAMP repository to grant security access at other agencies. This is the step that allows agencies to speed up the compliance hurdle.
- Ongoing Assessment & Authorization – Maintain your security authorization through ongoing assessment activities. Cloud service providers need accredited third-party assessment organizations (3PAOs) to verify that their cloud environments remain consistent with the authorized baseline.
Compliance Paths to Cloud Migration
The decision-making board that assesses all authorizations is the Joint Authorization Board (JAB), which consists of the CIOs of various agencies such as the GSA, DoD, and DHS. Some agencies choose to self-assess rather than go through the JAB. Self-assessment makes sense when the agency applying is not multi-tenant and does not have a broad use case.
An internal agency authorization means the assessment comes from the agency's own information assurance (IA) authority. If the agency has a specific requirement, it would need to justify migrating to the cloud in support of that requirement. FedRAMP controls and FISMA
Cloud Architecture to Meet Compliance
After identifying the IA authority and the controls that apply to your environment, the next step is to design, test, and deploy your architecture on a FedRAMP-approved cloud service provider. Amazon Web Services (AWS) is one cloud service provider that offers NIST/FedRAMP/DoD SRG-aligned CloudFormation templates, written in YAML or JSON, that automatically configure AWS resources. Deploying infrastructure as a service (IaaS) from templates allows environments to be stood up quickly and gives you a repeatable process for maintaining security compliance standards. Application vendors also offer templates to deploy Software as a Service (SaaS) such as Atlassian Jira and Confluence, Chef, SQL Server, SAP HANA, and Splunk.
The image of the AWS CloudFormation architecture is an example of a NIST-compliant cloud deployment that includes all of the auditing, security, and configuration management needed to make deploying compliant workloads quick and repeatable.
Building compliant applications across multiple regions to support a fully redundant cloud architecture is what makes the cloud such a powerful tool for organizations that need to deploy IT resources quickly and at low cost.