Finding FedRAMP’s missing piece
- By Wayne Lewandowski
- Nov 14, 2016
Earlier this year, the Federal Risk and Authorization Management Program, better known as FedRAMP, underwent some restructuring. One effort was aimed at speeding up the accreditation process for cloud service providers. Called FedRAMP Accelerated, this fast lane to cloud accreditation was a direct response to both agency buyers and CSPs that wanted a shorter and more streamlined process for approval.
Shortly after FedRAMP Accelerated was launched, the program office introduced a high-baseline standard that allows CSPs to store highly sensitive government data.
Even as FedRAMP continues to offer agencies a wider variety of cloud computing options, however, government cloud computing adoption continues to lag. A survey from the Cloud Computing Caucus Advisory Group found that 80 percent of agency technology leaders worried CSPs could not provide adequate security, which gives them pause when it comes to adoption.
The missing piece
For all its benefits, FedRAMP only goes so far. The program certifies that CSPs have the capability to securely store data, but does not tackle the security of the data itself. Once CSPs receive the data, agencies lose the ability to secure it while at rest -- even though they still bear the responsibility of keeping data secure.
This lack of control makes many government technology leaders uncomfortable; some would rather keep data on premises than turn it over to a CSP. Implementing data security through the CSP usually incurs additional recurring costs and is associated with other limitations and caveats. Switching CSPs can also be difficult and costly for agencies.
As the private sector has learned, cloud encryption gateways can address the data security issue.
Cloud encryption gateways encrypt data before it is sent to a CSP. Because the organization holds the encryption keys and controls the data security, even if hackers steal the data, they will not be able to decrypt it. In many ways, the use of cloud encryption gateways provides the benefits of a public cloud with the security of a private cloud.
For federal agencies looking to the cloud, cloud encryption gateways offer a middle ground. Agencies can leverage FedRAMP, using government-approved cloud computing vendors, but maintain a level of security and control that will make senior leaders more comfortable, especially with high-value data.
How to use cloud encryption gateways
Imagine that you put something valuable in the trunk of your car and then hand the car -- and the keys -- to someone else to park. While the parking attendant may be trustworthy and the garage secured, there is no way to be sure that what has been placed in the trunk is actually protected.
For agencies that want to begin using cloud encryption gateways, the Cloud Security Alliance offers some guidance:
- Select a CSP that adheres to the CSA’s set of best practices.
- Data should be encrypted before it leaves the end-user organization’s control.
- Encryption should be implemented for data-at-rest, data-in-transit and data-in-use.
- Encryption keys should be retained by the end-user [data-owning] organization, not the CSP.
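The CSA guidance above, as an added example that is not code from this article or from any product it mentions: a minimal gateway in Go that encrypts each object with an organization-held AES-GCM key before it goes to the provider, binds the ciphertext to its object name, and fails closed if anything changes at rest. The names (Gateway, NewGateway, Seal, Open), the demo key and the sample record are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Gateway holds the organization's key (CSA: keys stay with the data owner, not the CSP).
type Gateway struct{ aead cipher.AEAD }
func NewGateway(key []byte) (*Gateway, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block) // AES-GCM: confidentiality plus an integrity tag
	if err != nil {
		return nil, err
	}
	return &Gateway{aead: aead}, nil
}

// Seal encrypts before data leaves the org; the object name is bound as associated data, so a blob copied under another name will not open.
func (g *Gateway) Seal(name string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, g.aead.NonceSize()) // fresh random nonce per object
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.aead.Seal(nonce, nonce, plaintext, []byte(name)), nil // nonce || ct || tag
}

// Open checks the tag and decrypts; anything altered at rest fails closed.
func (g *Gateway) Open(name string, blob []byte) ([]byte, error) {
	n := g.aead.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("blob shorter than nonce")
	}
	return g.aead.Open(nil, blob[:n], blob[n:], []byte(name))
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key; a real gateway loads it from an org-held KMS/HSM
	gw, _ := NewGateway(key)
	blob, _ := gw.Seal("case-1", []byte("constructed sensitive record")) // what the CSP stores
	fmt.Println("plaintext at rest:", bytes.Contains(blob, []byte("sensitive")))
	pt, err := gw.Open("case-1", blob)
	fmt.Println(string(pt), err)
}
```

The provider only ever stores the sealed blob, so a copy taken from its storage yields no plaintext without the key the organization kept, and a blob that was modified or moved under a different object name is rejected on retrieval.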
The future of FedRAMP
FedRAMP will continue to grow in the coming years. The addition of higher priority data going to FedRAMP-authorized CSPs is a valuable step in its evolution. FedRAMP Accelerated indicates that the program’s managers are listening to its customers and are working to ensure the program works.
With the use of cloud encryption gateways, government can rapidly increase deployment and take advantage of the cost savings, scalability and power that the cloud offers.
Wayne Lewandowski is senior vice president of public sector, HyTrust