US Government Says Microsoft Cloud Passes Security Muster
Microsoft's Windows Azure cloud has just got the seal of approval from the CIOs of the major agencies of the US government.
Under the Obama Administration, the US government has been keen on pushing applications off its systems and out onto the cloud under a program called Cloud First. But before apps can jump to public clouds, they have to pass a stringent government security review.
Windows Azure has just been certified under the Federal Risk and Authorization Management Program (FedRAMP) and granted what is called a Provisional Authorities to Operate (P-ATO). Public cloud providers and the agencies they serve have a deadline of June 2014 to meet the FedRAMP security requirements. The chief information officers of the Department of Defense, the Department of Homeland Security, the General Services Administration – what is called the Joint Authorization Board – grant the rights to run government apps in the cloud. If you like acronyms, technically what Microsoft has attained for Windows Azure, in government parlance, is a P-ATO from the FedRAMP JAB.
Microsoft says in its statement announcing the certification that it is the first public cloud with both infrastructure and platform services to get the P-ATO certification. Infrastructure services are raw virtualized compute and storage, while platform services are database, email, data warehousing, and other services that run inside of Microsoft's Azure data centers.
In a blog post, Susie Adams, chief technology officer for Microsoft Federal, explained why this FedRAMP approach was different from the past IT procurement efforts by the US government and would help spur adoption of the cloud.
"For years, the IT systems purchased by Federal government agencies have had to comply with complicated federally mandated security requirements like the Federal Information Security Act (FISMA)," Adams said. "These security guidelines, which are really just a set of policies and security controls, were designed as risk-based frameworks to guide agencies in their security evaluations of the IT systems they used. The challenge with these compliance mandates was that there was no standardized approach used across the federal government when applying them, which resulted in redundant and costly security assessments by each agency. This means that even if the Department of Education approved an IT solution, that same solution would have to go through a second, third and fourth evaluation by every other agency that wanted to use it, making it difficult for agencies to adopt innovative, cost-effective solutions."
With FedRAMP, agencies will be able to quickly identify which clouds are secure enough for government work and just get going. It will be interesting to see if state agencies in the country start using Federal security standards as part of their cloud procurement processes, and if enterprises will follow suit. The Common Criteria security certifications that have been used by the US military and intelligence services since the late 1990s to validate the ruggedness and security of servers, operating systems, hypervisors, databases, network equipment, and various other gear. These security standards were often used by companies that are similarly security conscious, and frankly, that was one of the drivers of the certifications.
At the moment, as you can see from the FedRAMP roster, Hewlett-Packard's Enterprise Cloud Services-Virtual Private Cloud, which is the one run by HP Services and which is not the HP Cloud public cloud, has the P-ATO certification, as does the Solas cloud run by Lockheed Martin, the Federal Cloud run by CGI, the ARC-P compute cloud from Autonomic Resources, and the storage cloud run by AT&T. Akamai's content delivery services cloud has also gained this certification.
At the moment, Amazon Web Services has a plain vanilla ATO FedRAMP certification, which is granted by a US government agency for its specific use. Specifically, AWS has certifications for its EC2 compute. Elastic Block Storage storage services, and Virtual Private Cloud services in the data centers in its US East and US West regions for the Department of Health and Human Services. The HHS has also certified that apps are safe to be deployed in the GovCloud data center that AWS set up in Oregon specifically for the US Federal government to isolate workloads from commercial customers.
Amazon says that it plans to get other services certified under FedRAMP, and it seems reasonably to also assume that the cloud giant will also seek the more broad P-ATO certification from the JAB that spans all Federal agencies. The Department of Agriculture, which has its own cloud, has also received the ATO certification.
Presumably, Rackspace Hosting's Cloud Servers and Cloud Files, Google's Compute Engine, and IBM's SmartCloud Enterprise public clouds will seek FedRAMP certification soon so they can chase the cloud dollars.
