Vlad Friedman, CTO at DataBank, explores the benefits of a FedRAMP-compliant facility.
Empowering government agencies to transform their IT infrastructure, the Federal Risk and Authorization Management Program (FedRAMP) helps accelerate the adoption of cloud solutions with an emphasis on the security and protection of federal information. As we move across the spectrum of compliance standards, from SSAE 18 (Statement on Standards for Attestation Engagements) at one end, to FedRAMP and NIST (National Institute of Standards and Technology) at the other, the degree of process maturity needed to meet compliance significantly increases.
A Sliding Scale
SSAE 18 is the foundation of all IT infrastructure certifications. While it does include guidelines, it also involves the reporting of many “self-selected” attributes, meaning you basically pick and choose those components you want to be verified by your auditor. The report typically has limited scope and most infrastructure providers want to be audited against the fewest possible security controls. The SSAE 18 allows for exceptions which are documented within the report. This standard typically represents what a service provider wants to show it does for compliance.
PCI DSS (Payment Card Industry Data Security Standard) and HIPAA (Health Insurance Portability and Accountability Act) represent the next level in compliance complexity and process maturity. Layered on top of SSAE 18, they offer definitive guidance on how to secure credit card, healthcare, and personal information. These include both technical controls (logging, encryption, and access control) and business policies and best practices (password policies, background checks, data protection, offsite backups). The requirements are less subjective, and certification requires fulfillment of 100% of the defined controls; one wrong answer causes a failure. These frameworks more than double the amount of process documentation and evidence. Look for an SSAE 18 report with a HIPAA HITECH rider, as well as a PCI ROC performed by a QSA. These standards are more consequential because they come with a mandated financial consequence in cases of a data breach or non-compliance. As such, they represent what a service provider should do for compliance.
FedRAMP and NIST 800-53 are the last step in compliance complexity and process maturity. They include a comprehensive set of best practices to ensure Confidentiality, Integrity, and Availability (CIA) for critical IT systems, delivery of quality within daily operations, and a methodology for continuous monitoring and governance. CIA processes are well documented, routinely tested, optimized for efficiency and effectiveness, and rigorously audited by a 3PAO and the FedRAMP Program Management Office (PMO).
FedRAMP, the Gold Standard
The development of FedRAMP involved a close collaboration among various agencies, including the General Services Administration (GSA), National Institute of Standards and Technology (NIST), Department of Homeland Security (DHS), Department of Defense (DOD), National Security Agency (NSA), Office of Management and Budget (OMB), the Federal Chief Information Officer (CIO), as well as commercial industry organizations.
Initially, the creation of NIST 800-53 (the FedRAMP standard) was intended to provide a prescriptive framework of best practices to help secure our nation’s critical digital infrastructure. It includes a standardized approach for security assessment, authorization, and continuous monitoring for cloud services. As it was more broadly adopted, enterprises, SaaS providers, state and local agencies, and federal systems integrators began to recognize the value of implementing a single unified, comprehensive security framework. As a superset of SSAE 18, PCI, HIPAA, GLBA, FINRA, and SOX, FedRAMP finally enabled the realization of the benefits of a “managed-to-one” and “comply-with-all” standard.
FedRAMP-certified service providers are held to a higher standard, and consequently deliver high-quality, repeatable outcomes at scale. Through quality operations, the transference of risk to the service provider, and documented best practices and design patterns that ensure data security and availability, relying on a security-focused service provider such as DataBank ensures you receive the following benefits:
Simplify Audits: By leveraging the service provider’s existing audit documentation, externally audited controls, and technology stacks, you can eliminate 40%-80% of the documentation and compliance work required for your audit process. Ensure your provider has an online platform that lets you download compliance documentation, access logs, security scans, and IDS/IPS logs; control physical and logical access in real time; and upload and store your documentation in a central area.
Secure Your Data: A team of highly skilled security professionals protects your infrastructure by creating a multi-tier defense-in-depth perimeter for your most valuable data and applications. Combining security tools, multi-factor authentication, vulnerability detection, log offloading, file integrity monitoring, IDS/IPS, WAF, anti-malware/ransomware/virus protection, and offsite disaster recovery vastly improves your ability to defend against even the most aggressive attacks.
Differentiated Messaging: Colocating your application or service with a FedRAMP certified provider allows you to differentiate your products and services by complying with multiple security standards, while lowering costs and only managing to one security framework.
Faster Time-to-Market: A FedRAMP-certified provider will have the staff needed to achieve any level of compliance, and their expertise can be tapped anytime you need resources to scale or launch new infrastructure.
It bears mentioning that last year our industry witnessed a significant uptick in attacks against service providers. On an average day, DataBank detects and blocks over 20 million attacks against customer infrastructure. While it may be frightening to know that every public-facing application is under attack 24/7/365, having the right partner ensures that the next time your organization is in the news, it’s for all the right reasons.
Vlad Friedman is the Chief Technology Officer at DataBank.