FedRAMP continues to evolve, and its expectations for process improvements have fuelled a heated debate whose tone depends on your perspective. The intent of FedRAMP, to modernize and streamline best practices and standards for the secure adoption of cloud services in the government marketplace, is positive, but the focus must be on doing it properly.
A recent FCW article, “Can Federal IT lead the way in secure cloud,” was generally positive in its praise for FedRAMP, which it credits with making it easier for companies to offer compliant cloud services to the federal government and easier for federal CIOs to rapidly procure cloud services.
FedRAMP has facilitated the certification of 60 cloud service providers (CSPs), which (theoretically) accelerates the review and approval of others by reducing the up-front paperwork required. However, CSPs are limited in that they can address only a few of the many security controls required for FedRAMP certification. This has resulted in a confusing situation in which a company is FedRAMP certified for only a small portion of the required FedRAMP controls, which does not mean that the application itself is FedRAMP certified.
The article acknowledges that the up-front cost of FedRAMP compliance is “non-trivial”, but rationalizes it by saying that this is by design, so as not to “lower the bar” for compliance at the expense of better security.
What the article did not make clear is that the majority of the challenges exist because companies do not fundamentally design security into their applications.
FedRAMP and commercial enterprises should take a closer look at connection-based, application-centric architectures such as software-defined perimeters (SDP), which enable a far more effective approach to certifying security controls and demonstrating compliance.
SDP is a new reference architecture being proven in the public and private sectors as 100% impenetrable. It is being utilized to protect the most valuable assets, critical infrastructure and applications, and enables organizations to go beyond patching to effectively secure critical infrastructure and applications during run-time operations.
SDP is a connection-based and application-centric architecture built by proprietary security providers. SDPs hide infrastructure by allowing access only to legitimate users. It is core to a new security and risk management paradigm that establishes an undetectable application infrastructure, often referred to as a “Black Cloud.” The primary effect of an SDP is that the application infrastructure becomes effectively invisible, exposing no domain name system (DNS) records or IP addresses to anyone who has not first been authorized.
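As an added illustration, not code from the article or from any SDP vendor, the Python sketch below models the two behaviours described above: a gateway that silently drops every connection attempt by default, and access tokens bound to one client and one application, so a credential for one application opens nothing else. The controller key, token format, client names and IP addresses are constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed demo secret shared by the SDP controller and gateway (hypothetical value).
CONTROLLER_KEY = b"demo-controller-key-not-for-production"


def issue_token(client_id: str, app: str, expires_at: int) -> str:
    """Controller side: mint a token binding one client to one application until expiry."""
    msg = f"{client_id}|{app}|{expires_at}".encode()
    mac = hmac.new(CONTROLLER_KEY, msg, hashlib.sha256).hexdigest()
    return f"{client_id}|{app}|{expires_at}|{mac}"


@dataclass
class Gateway:
    """Gateway side: default-drop; a connection is opened only for a valid, app-specific token."""
    dropped: List[Tuple[str, str, str]] = field(default_factory=list)  # audit trail of drops

    def connect(self, src_ip: str, app: str, token: Optional[str], now: int) -> Optional[str]:
        """Return the app name when access is granted, or None when the attempt is dropped
        without any reply (the 'black cloud' behaviour: nothing answers unauthorized probes)."""
        if token is None:
            self.dropped.append((src_ip, app, "no token"))
            return None
        parts = token.split("|")
        if len(parts) != 4:
            self.dropped.append((src_ip, app, "malformed token"))
            return None
        client_id, tok_app, exp, mac = parts
        expected = hmac.new(CONTROLLER_KEY, f"{client_id}|{tok_app}|{exp}".encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):  # constant-time comparison
            self.dropped.append((src_ip, app, "bad signature"))
            return None
        if not exp.isdigit() or int(exp) < now:
            self.dropped.append((src_ip, app, "expired"))
            return None
        if tok_app != app:  # application-centric: a token for app A never opens app B
            self.dropped.append((src_ip, app, "token bound to other app"))
            return None
        return app
```

The `dropped` list is what a defender would forward to monitoring: every unauthorized probe is recorded, but none of them receives a response that could reveal the protected application.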
To learn more, check out this white paper on Software Defined Perimeters.