Securing sensitive data and systems in the cloud


May 29, 2018

Context

Cloud computing promises substantial potential benefits for public sector and commercial organizations alike, including more efficient capacity utilization, reduction in information technology (IT) capital expenditures, flexibility to scale capacity and usage up or down as demand changes, and more rapid deployment of applications and services than in traditional internal agency deployments. While many private sector organizations have been quick to embrace cloud computing to realize benefits in terms of cost-efficiency, flexibility, and solution delivery speed, some Federal and state government agencies view cloud service delivery models with more skepticism, given concerns about information security, data stewardship, privacy, governance, and change management. The Federal government formally adopted a “cloud first” strategy in 2011 and, seeking to help ensure cloud computing environments met stringent security and privacy requirements, launched the Federal Risk and Authorization Management Program (FedRAMP) to address agency and government-wide concerns about security, interoperability, portability, reliability, and resiliency in cloud computing. FedRAMP provides a standard process for assessing cloud service providers against the Federal Information Security Management Act of 2002 (FISMA) requirements and the security control framework specified in National Institute of Standards and Technology (NIST) Special Publication 800-53. The centrally managed FedRAMP approach establishes preauthorized cloud computing providers so that individual agencies can avoid incurring the time and resource costs ordinarily required to perform an agency-specific assessment, or at least minimize those costs where agencies have specific requirements that may not be fully addressed by FedRAMP authorizations.

When using cloud computing services, agencies need to adapt their information security management practices to incorporate security control assessment information produced under the FedRAMP third-party authorization process in a manner analogous to use of common control providers like data centers. Agencies also need to include the operational and security monitoring capabilities of their cloud service providers in their information security continuous monitoring strategies and ensure that cloud computing environments comply with agency and system-specific business continuity and disaster recovery requirements specified in continuity plans.

Challenge

Despite the growing number of FedRAMP-authorized service providers and growing momentum in many agencies to move more of their applications and data to the cloud, some program managers and system owners remain reluctant to deploy applications to the cloud, particularly when they store or process sensitive data such as protected health information or other types of personally identifiable information. Ensuring effective security and privacy protections are in place in cloud computing environments is essential if government agencies are to realize the cloud’s potential. As more cloud service providers achieve FedRAMP authorizations at the high impact level associated with agencies’ most sensitive data, leveraging the cloud for even mission-critical systems should become more acceptable to Federal agencies. Making effective use of the cloud requires more than choosing a provider; existing applications being migrated from conventional data centers to cloud environments may need to be redesigned or updated to take advantage of services and functionality available in the cloud, or to ensure that no security protections are lost when moving to a cloud service provider. Cloud solutions must deliver promised mission and business benefits while also meeting security requirements.

Our Innovative Solution

Our approach to designing and securely deploying solutions in the cloud begins with developing a detailed understanding of system capabilities, functional and technical requirements, and data and system sensitivity, and then aligning those characteristics to appropriate infrastructure-, platform-, and software-as-a-service cloud solutions. Cognosante’s security and privacy operational framework is based on Federal standards and guidance from NIST and FedRAMP, together with agency-specific security requirements that augment or extend those standards. Cognosante has established partner relationships with Amazon Web Services GovCloud and Microsoft Azure Government, both authorized to operate at the FedRAMP High Baseline level. Our approach to solution security architecture, deployment, and operations is optimized for the cloud and meets government-wide and agency-specific standards.

Tangible Result

Cognosante has migrated legacy applications and deployed new solutions to cloud environments for multiple Federal and state agencies. Our experience includes collaborating with agency information security programs to complete the full authorization to operate (ATO) process, including obtaining agency ATOs for FedRAMP-authorized cloud service providers and working effectively with independent security control assessors to ensure all security and privacy requirements are met with effectively implemented controls. In the past three years, Cognosante has deployed three new systems in cloud environments, migrated three others to the cloud from traditional data centers, and moved one system from a commercial public cloud to a government-only cloud environment operated by a different provider.