A Cloud Security Platform for the Federal Government

Anyone who has ever had to call the IRS or wait in line at the DMV has seen a snapshot of what looks like a morass of red tape that seemingly personifies government inefficiency. While it’s easy to take shots at the government, many are surprised to discover that, from a technology standpoint, the government has been an ardent advocate of cloud adoption and has developed specific disciplines around how to use GovCloud from Amazon Web Services. To support the efforts of the federal government to become more efficient, Evident.io today announced ESP GOV SaaS, a new product that will give GovCloud users continuous monitoring for security and compliance.

Two interesting forces have overlapped to bring us to this point. First, Amazon has been rapidly blazing a path to make the cloud a preferable choice for every organization on the planet. For reasons of cost, operations, security, and digital engagement, public cloud offerings make life easier for enterprises that want to truly be digital organizations. Second, the government started defining a blueprint for cloud usage back in 2011, when then-U.S. CIO Vivek Kundra delivered a set of guidelines for federal agencies to move to the cloud. In that document, Kundra definitively stated the thinking behind government cloud adoption: “The Federal Government’s current Information Technology (IT) environment is characterized by low asset utilization, a fragmented demand for resources, duplicative systems, environments which are difficult to manage, and long procurement lead times. These inefficiencies negatively impact the Federal Government’s ability to serve the American public.”

Being a prescient reader of opportunity, Amazon developed GovCloud as a specific AWS region that operates for both government and private organizations that need to meet specific requirements for hosting sensitive data and regulated workloads in the cloud. In addition to increased security capabilities, GovCloud can leverage automatic compliance with critical government regulations like the International Traffic in Arms Regulations (ITAR) and Federal Risk and Authorization Management Program (FedRAMP), among others, and provides a foundational set of controls and compliance automation for National Institute of Standards and Technology (NIST) Security Publication (SP) 800-53, Department of Defense (DoD) Security Requirements Guide (SRG) IL4, and both physical and technical security.

GovCloud provides government agencies with a roadmap for migrating to the cloud and operating securely within it, all according to compliance standards. But as you can see, there are strict security and compliance guidelines that need to be continuously addressed.

It’s important to note that Amazon’s shared responsibility model for security dictates that AWS will maintain strong security and compliance controls across its entire infrastructure platform: data center controls, core network/hardware controls, operational security practices like data disposal, change control, and other requirements. The job of the AWS/GovCloud customer is to manage anything they implement and operate “in the cloud.” The onus is on federal agencies to know where the data is, how it’s being used, and by whom it’s being used, which necessitates deep insight through continuous monitoring and automated remediation. Without it, agencies could be non-compliant or vulnerable to security breaches, and find out too late to avoid major risk. Our new ebook, 5 Security Considerations for Leveraging AWS GovCloud, goes into more detail about how to frame security as a part of an organization’s GovCloud environment.

This is why we developed the Evident Security Platform (ESP) GOV SaaS. In addition to giving GovCloud users a real-time picture of the state of their IT infrastructure security, it comes enabled with the NIST 800-53 Compliance View, which provides one-click reporting for the pass/fail status of all testable controls (our webinar, How to Achieve NIST Compliance in the Cloud, explains this in more detail). ESP GOV SaaS will help federal agencies automate their view into, and plans for fixing, risks that arise within their overall cloud infrastructure, both within their own domain and in that of GovCloud.

As more government organizations and third parties move to GovCloud to host their data and application infrastructure, they will need a platform for risk management and compliance. When sensitive, confidential, or even classified data and assets are at stake, they will need to provide assurances that they can identify issues before they become disastrous problems.