Private companies ♥ U.S. government cloud security controls
A funny thing happened as the federal government embraced the cloud: The rest of the world started using U.S. government standards to make their own clouds more secure.
A number of companies and foreign governments have taken advantage of rules like the ones set out by the Federal Risk and Authorization Management Program or those that govern Amazon’ Web Services GovCloud — not so their products can sell to the U.S. government, but for their own purposes.
That same demand has driven steep growth in secure cloud offerings: AWS has seen a 273 percent year-over-year growth in use of GovCloud by government and private sector customers.
Amazon Web Services’ Vice President of Worldwide Public Sector Teresa Carlson told FedScoop at last week’s re:Invent conference that the standards set in FedRAMP have driven the U.K., Australia and Singapore to use the same baselines as what’s established for the U.S. government.
“There is no real cloud security model that’s been written in the U.S. outside of FedRAMP,” Carlson said. “Enterprises want a model they can snap into, and I think FedRAMP is as good as model as any.”
Jon Check, the vice president of North American public sector for CSC, said FedRAMP not only allows gives the agencies a way to drive out security complexities, it has helped with the company’s own move into Amazon’s GovCloud.
“Is it perfect? Absolutely not,” Check said. “But there is a baseline. FedRAMP controls give you a great way to document everything that you are doing. Everybody has a certain layer they want to add to it, but I think it is a baseline to build from.”
That baseline has been important for CSC, which has been dealing with a company split since May. The split has forced the public sector side of the company to move into a hybrid cloud environment, which Check said helps CSC guide agencies when setting up their own hybrid cloud instances.
“We focus on ensuring that we are ‘customer zero’ for everything we are delivering for the federal government,” Check said. “We are living the dream that we are professing.”
By operating in AWS GovCloud, CSC meets a number of government standards by default, including FIPS 140-2, the Federal Information Security Management Act and the Criminal Justice Information Systems standards.
Private satellite imagery company Planet Labs has stood up its operations in GovCloud due to the clearance needed for its satellites, which are governed by International Traffic in Arms Regulations. The San Francisco-based company is in the process of placing 150 satellites into orbit that will take 370,000 images of the Earth’s surface per day.
Troy Toman, director of Engineering for Planet Labs, said GovCloud’s ITAR clearances, along with the ability to store and process 11 terabytes of photos a day, provides an ideal solution for the startup.
“The flexibility that GovCloud gives us is being able to serve both parts of this business in a way that’s economic and efficient,” Toman said.
He told FedScoop that he attributes the rise in GovCloud to the government driving the public sector to meet requirements and doing so in a manner that meets the speed of startups.
“Many government customers helped,” Toman told FedScoop. “It wasn’t just commercial users trying to push the government to say, ‘Let us do this.’ We’d always push people to go faster, but we’ve found [the government] to be very flexible and open to making [regulatory] adjustments. I think it’s all part of the partnership that goes into various commercial entities that are moving into some of these spaces that were traditionally government only.”