Commentary
2/18/2014
Sean Applegate
How FedRAMP Can Accelerate Cloud Adoption

Federal IT leaders can foster cloud adoption by incorporating automated, repeatable security processes.


The Federal Risk and Authorization Management Program (FedRAMP) has made important contributions to cloud security. But its focus is primarily security compliance for public-sector government cloud services, and its approval process takes so long that it can hinder innovation and drive up costs.

However, FedRAMP leaders have an opportunity to enable -- not simply enforce -- faster government IT operations by fostering repeatable, high-quality, automated security operations -- in short, by championing a DevOps approach in government clouds.

In the 1980s, US manufacturing faced fierce competition from abroad, which forced a massive overhaul of manufacturing processes. That led companies to focus on new business practices, like Lean, Six Sigma, and Theory of Constraints, to eliminate process constraints and optimize costs. IT operations are undergoing a similar transformation today.

DevOps, automation, and the cloud are at the core of this IT revolution. DevOps integrates development and operational teams so they can solve problems faster. That's a cultural shift from previous IT practices. Combined with an automated cloud infrastructure, DevOps enables organizations to innovate and scale faster, usually saving significant costs.

[FedRAMP is changing the way cloud computing providers think about security. Read Cloud Providers Align With FedRAMP Security Standards.]

DevOps organizations often improve their cloud services hundreds of times a day, implementing improvements, responding to incidents, and making security fixes in minutes instead of days or weeks. This results in continuous delivery and a faster feedback loop -- or, as the military strategist Col. John Boyd called it, an OODA loop (observation, orientation, decision, action). A faster OODA loop is exactly what DevOps reinforces.

But to accomplish that, government certification and accreditation practices need to operate at the speed of the cloud. It does no good to be able to spin up creative cloud services quickly if the security approval process requires 6-12 months of cumbersome, expensive security paperwork -- possibly costing more than the actual monetary savings of the cloud project itself.

FedRAMP -- which is supported by IT leaders from the General Services Administration, the National Institute of Standards and Technology, the Office of Management and Budget, and several Cabinet departments -- could help every agency build secure government cloud solutions faster by creating automated, repeatable security processes and enabling accelerated responses to security incidents.

FedRAMP governance entities.

FedRAMP could start by modeling the open-source practices of DevOps leaders Netflix, Facebook, LinkedIn, Twitter, Amazon, and others, which use small, multi-disciplinary teams to build, improve, and release open-source cloud software components and frameworks continuously. From a security perspective, DevOps encourages embedding and constantly improving automated security practices at design time, making it easier to conduct continuous automated verification in production.

Adrian Cockcroft's FlowCon 2013 discussion does an exemplary job of outlining the DevOps practices and successes of the Netflix Open Source Software (OSS) Center. Many startups are using the center's software to accelerate their time to market within the cloud. Helen Bravo's discussion of the Open Web Application Security Project is another good source on the benefits of integrating DevOps with web application security to create a repeatable, ever-improving security framework.

FedRAMP or its partners could host and nurture an open repository of shared security and best-practice recipes (script modules) based on cloud automation standards. That would accelerate security compliance by allowing companies to import security recipes into their automation frameworks. FedRAMP could also accelerate compliance work, and lower its costs, by making key parts of the required security paperwork available.

If these recipes were available publicly, commercial entities could also use them to improve their security postures.

Here are a few leading automation options to consider:

For a real-world example of how powerful automation recipes can be, look at an example from the consulting company Answers for AWS, which walks the reader through the process of setting up a complete Netflix OSS architecture in a few simple clicks. A FedRAMP model like this could enable repeatable, fine-grain security controls for various cloud architectures (email, websites, big data repositories) while decreasing human error, costs, and time to value.

It wouldn't be difficult to create a code repository. DevOps' open-source resources are often stored in GitHub, a powerful code management and collaboration repository that the US government already uses. The president's executive order for an open data policy calls for releasing government information in machine-readable formats, and the policy itself was published as an open-source resource on GitHub.

The Office of Management and Budget (OMB) followed this up by hosting Project Open Data in GitHub, which includes a series of open-source tools to make it easier for the government to release data in machine-readable formats. The GSA even provided the open-source code for Data.gov in GitHub.

If you're looking to save time and effort on your government cloud project, you have a few options. You could start with Thomas McGonagle's Puppet NIST module in GitHub, which automates applying the security settings in the NSA's Guide to the Secure Configuration of Red Hat Enterprise Linux 5.
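To make the idea of a shared "security recipe" concrete, here is an added example of the kind of module such a repository could hold. It is not code from this article, from the Puppet NIST module, or from any FedRAMP project: it is a small POSIX shell recipe that audits and remediates four sshd_config directives (PermitRootLogin, Protocol, PermitEmptyPasswords, X11Forwarding) in the spirit of the NSA RHEL 5 hardening guide, chosen here as an assumption rather than quoted from that guide. It works on whatever file path you pass in, and the sample configuration it exercises is constructed for the demonstration, so it never touches a live /etc/ssh/sshd_config. The properties a FedRAMP-style repository would care about are all visible: the check is separate from the fix, the fix is idempotent, and the audit output is machine-parseable.

```shell
#!/bin/sh
# Added example, not part of the article or the Puppet NIST module it cites.
# A minimal "security recipe": audit + idempotent remediation of sshd_config.
# Policy values below are an assumption modelled on the NSA RHEL 5 guidance.
# NOTE: the Protocol directive only exists in older OpenSSH releases (RHEL 5 era).

SSHD_POLICY="PermitRootLogin=no Protocol=2 PermitEmptyPasswords=no X11Forwarding=no"

# sshd_get FILE KEY: print the effective value of KEY (sshd honours the first
# uncommented occurrence; keywords are case-insensitive). Prints nothing if unset.
sshd_get() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# sshd_check FILE: print one PASS/FAIL line per policy item; return 0 only if all pass.
sshd_check() {
    file=$1; fails=0
    for rule in $SSHD_POLICY; do
        key=${rule%%=*}; want=${rule#*=}
        got=$(sshd_get "$file" "$key")
        if [ "$got" = "$want" ]; then
            echo "PASS $key=$want"
        else
            echo "FAIL $key expected=$want got=${got:-<unset>}"
            fails=$((fails + 1))
        fi
    done
    [ "$fails" -eq 0 ]
}

# sshd_remediate FILE: for each non-compliant key, comment out every active
# directive for that key and append the policy value. Compliant keys are left
# untouched, so running the recipe twice produces a byte-identical file.
sshd_remediate() {
    file=$1
    for rule in $SSHD_POLICY; do
        key=${rule%%=*}; want=${rule#*=}
        if [ "$(sshd_get "$file" "$key")" = "$want" ]; then
            continue
        fi
        tmp=$(mktemp)
        awk -v k="$key" 'tolower($1) == tolower(k) { print "# " $0 "  # disabled by recipe"; next }
                         { print }' "$file" > "$tmp"
        printf '%s %s\n' "$key" "$want" >> "$tmp"
        cat "$tmp" > "$file"   # overwrite in place: keeps the file's owner and mode
        rm -f "$tmp"
    done
}

# write_sample_sshd_config FILE: a constructed sshd_config (not from any real host)
# with a commented-out good value, a bad active value, a mixed Protocol list and
# a missing directive, so every failure mode of the check is exercised.
write_sample_sshd_config() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config for the recipe demo
Port 22
#PermitRootLogin no
PermitRootLogin yes
Protocol 2,1
X11Forwarding yes
EOF
}

# Run with --demo to see the before/after audit on the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    cfg=$(mktemp)
    write_sample_sshd_config "$cfg"
    echo "== before remediation =="; sshd_check "$cfg" || true
    sshd_remediate "$cfg"
    echo "== after remediation =="; sshd_check "$cfg"
    rm -f "$cfg"
fi
```

Run it as `sh recipe.sh --demo` to see four FAIL lines become four PASS lines. In a real repository the same check function would run in a CI job against an image before it is promoted, and the PASS/FAIL lines would feed the evidence attached to the authorization package; the remediation step, being idempotent, can sit safely in a Puppet exec or cloud-init hook that runs on every boot.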

If you want more of a head start, you might consider using Buddha Labs' hardened Amazon Machine Images, which come with full security compliance audit reports. They were developed by Vincent Passaro, founder of Buddha Labs. Passaro is a highly certified security expert who understands the Defense Department's Information Assurance Certification and Accreditation Process (DIACAP) firsthand. He makes building and documenting a security-compliant system in the cloud as easy as possible.

But agencies would clearly benefit if FedRAMP and its partner agencies seized the opportunity to improve operational security practices. The question is whether the FedRAMP community will remain cloud controllers or become cloud enablers.

Find out how a government program is putting cloud computing on the fast track to better security. Also in the Cloud Security issue of InformationWeek Government: Defense CIO Teri Takai on why FedRAMP helps everyone.

Sean Applegate is Director of Federal Technology Strategy and Advanced Solutions at Riverbed Technology. He specializes in wide-area network optimization for midsized to large enterprises, traffic shaping, and network and application monitoring and acceleration.

Comments
WKash
User Rank: Author
2/25/2014 | 10:08:52 PM
Re: Good suggestion
Stratustician makes a valid point. Operations teams want to move forward and security specialists historically are the ones to say no. Add to that layers of contractors and subcontractors who have vested interests in keeping the status quo and it's easy to see how hard it is to break the old patterns. But that's another reason why repeatable processes need to be part of FedRAMP practices.

Stratustician
User Rank: Ninja
2/22/2014 | 1:30:54 PM
Re: Good suggestion
I think the biggest hurdle will be getting the security and operations teams to work together.  In most cases, I've seen the animosity between the 2 departments be a driving factor behind why the approval process is 6-12 months.  Operations folks are seen by the Security folks as a team that wants to be the great creators, but have little respect for security controls required to protect the assets.  When Security returns the project to them to say "Hey, it's good but X, Y, and Z need to be fixed to meet requirements A, B and C" the operations folks are rarely understanding. From an Operations perspective, Security folks are seen as the police force who are hell-bent on making their lives difficult by making the requirements so specific that any meetings between the two teams result in bashing of heads on desks out of frustration.

So putting these folks on the same team, while absolutely necessary and viable, could be hard, especially with folks who have been around for long periods of time and have the mentality of "This is how we've always done things".  The leading DevOps companies are all newer companies (compared to old Federal agencies) so they tend to have more forward-thinking employees who are open to new ways of doing things.  That is the real change you need to see in FedRAMP to make it successful.
Charlie Babcock
User Rank: Author
2/18/2014 | 6:34:11 PM
Good acceleration advice?
Fed cloud provisioning: spin up a service in a day; spend 6-12 months obtaining security approval. As Applegate says, the federal government has got to get more into the spirit of the thing to get the benefits. Good advice on launching a hardened, secure Amazon Machine Image.

WKash
User Rank: Author
2/18/2014 | 6:08:57 PM
Good suggestion
Sean Applegate makes a good suggestion here.  As he notes above: "It does no good to be able to spin up creative cloud services quickly if the security approval process requires 6-12 months of cumbersome, expensive security paperwork -- possibly costing more than the actual monetary savings of the cloud project itself."

Certainly taking a DevOps approach to streamlining and automating repeatable security processes makes a lot of sense.  Whether the FedRAMP Program Office is able to support that is an important question. It'll be interesting to get their take on it.