Federal agencies are required to use verified Internet providers for their networks. That's not too difficult when feds are using the same trusted vendors throughout their departments. But feds need the same assurance when they put data and apps in the cloud.

To achieve that level of assurance, the Federal Risk and Authorization Management Program (FedRAMP) ran a pilot with Amazon Web Services testing how the program's security controls map to the Trusted Internet Connection (TIC) initiative, which FedRAMP is calling the TIC Overlay.

Download: TIC Readiness Whitepaper

The overlay pilot wrapped up in December, and AWS has just released a full whitepaper explaining its work and how the lessons learned can be applied across the government.

"It's a very important step because the traditional way people have tried to meet the TIC requirements is to think of it in terms of traffic filtering at the edge of a private federal network," AWS Public Sector Chief Solutions Architect Mark Ryland explained. "And yet the requirements are stated more generally. So what this overlay program does is show alternative ways to meet the requirements that still allow for the flexibility and scale of cloud computing."

During their review, AWS and a third-party assessment organization (3PAO) found that some 80 percent of TIC requirements were already part of AWS's current FedRAMP authorization.

Most notably, the pilot helped AWS figure out the delegation of responsibilities between the cloud service providers and the federal agencies they support.

Of the 57 capabilities defined in TIC that apply to cloud, five were determined to be the responsibility of the CSP, 16 were under the customer agency and 36 were considered a shared responsibility between the two. (Seventeen capabilities were excluded as not relevant to the pilot.)

Using the overlay as a guideline, CSPs can improve efficiency and traffic flow while still meeting the strict TIC security requirements.

"You don't have to have every packet flowing through some special edge device to still meet the security requirements," Ryland said. "In some ways you can meet them better using the horizontal scalability of the cloud."

Without the overlay, traffic has to move back and forth through the network perimeter to be tested and verified, creating lag and bottlenecks.

"People have fallen into the habit of thinking if they want to meet the TIC requirements they have to do network 'tromboning,' which means packets go out through a private connection to the cloud, but when data needs to exit the cloud and go to the Internet, it has to go back to the customer-premises system and then back out," Ryland said. "It's a pretty inefficient design."

For example, while the pilot did not involve Healthcare.gov, Ryland said the high-traffic site is a perfect example of where a TIC overlay will make a real difference.

"If you look at the Healthcare.gov site, at peak times of usage that's an extremely high volume site," he said. "You just couldn't move that traffic back through the private connections and out again. It has to be using the horizontal scale of the cloud. This is a validation that you can do all that and still meet the TIC requirements."

Aaron Boyd is an award-winning journalist currently serving as editor of Federal Times — a Washington, D.C. institution covering federal workforce and contracting for more than 50 years — and Fifth Domain — a news and information hub focused on cybersecurity and cyberwar from a civilian, military and international perspective.
