FedRAMP is known as the stamp of approval for government cloud computing. Since the 2012 launch of the Federal Risk and Authorization Management Program (FedRAMP), the number of cloud service providers has grown tenfold. That growth means the need for a standardized, common baseline for assessing the security of cloud products and services is greater than ever.
Federal agencies have been given the green light to move from in-house, single-server environments to multi-tenant, tiered colocation data centers. In fact, with the Data Center Optimization Initiative (DCOI), there is a mandate to phase out non-tiered government-run data centers. This opens up a tidal wave of opportunities for federal agencies and federal systems integrators with regard to using third-party cloud-based solutions.
The real goal is to provide a path to success for federal agencies' move to a multi-tenant environment. Over the past couple of years, CIOs have grown more confident in the security of the cloud and its ability to protect sensitive data.
Federal Cloud adoption is on the rise thanks to FedRAMP Authorization.
Federal agencies are now able to purchase hardware and software as a service versus acquiring and owning those assets. The whole idea of ‘build’ versus ‘buy’ is changing the fundamentals for federal cloud computing. By establishing standard security requirements for cloud vendors, FedRAMP eliminated the need for costly and time-consuming processes associated with security assessments and authorizations. The two most important components impacted by FedRAMP are data security and data access control.
Data Security – this is the basis for FedRAMP. From disaster recovery to continuity of operations, the program requirements must meet, or exceed, those set by the National Institute of Standards and Technology (NIST).
Data Access Control – this is focused on detecting and mitigating unauthorized access, including setting privilege thresholds and disabling accounts.
Now, there is another challenge facing federal cloud service providers: where to house the clouds. Once again there is the decision of whether to build a data center versus buy or lease space in a colocation environment. And, as with the cloud services, the data center itself should be certified with FISMA – High Accreditation.
An important side note: a data center provider that already successfully supports multiple partners through FedRAMP would prove very valuable. Such a provider already understands the FedRAMP regulations and physical requirements.
The cost of building a federal data center usually runs hundreds of millions of dollars, including construction, operations and maintenance. Then there is the risk of building to suit existing needs or future needs. Both can have consequences: a low-density facility can cap your available power and limit your bandwidth, while underutilizing a high-density facility can wreak havoc on your budget and operating costs.
The big buy-in.
There are many benefits associated with buying or leasing space from a federal data center. Colocation providers offer a much more economical alternative with significantly lower build and operating costs. They use the latest hyper-speed, hyper-connected building techniques that create efficiencies across design, engineering and building phases. Other high-impact benefits of outsourcing colocation are no large capital expenditure and no long-term operating costs. Those dollars can be better spent on mission-critical initiatives.
As mentioned earlier, data security is a huge concern for federal systems integrators and cloud providers. But there is a huge upside to using third-party data centers regarding security for both the physical location and the stored data. Although requirements differ among federal agencies, and there are varying levels of certification, there are several criteria that should be used in selecting a data center.
Security and Certifications – FedRAMP cloud service providers are under constant scrutiny and are subject to scheduled audits to ensure they maintain their FedRAMP authorization.
- On-site data center security guards 24×7, year round
- Video surveillance and recording of exterior and interior facilities
- Biometric and key-card security for strict access control, up to the cage level
- Turnstiles and other secure passages to prevent tailgating
- Reinforced physical infrastructure that could include concrete bollards, steel-lined walls, bullet-resistant glass and perimeter fencing (additional costs may apply)
- Perimeter security that includes iron fences, gates and restricted access to the property
- Dedicated data halls, suites, and cages to minimize traffic
- ISO/IEC 27001, SSAE 16 (SOC 1 Type II), Type 2 AT 101/SOC 2 & 3, PCI DSS, FISMA-High, HIPAA/HITECH, Business Continuity and Disaster Recovery (BCDR), and TRUSTe.
The door is now wide open for federal systems integrators to migrate from non-tiered data centers to tiered data centers, and FedRAMP is a huge proponent.