A guide to evaluating FedRAMP cloud data protection vendors

Subha Rama, Sr. Product Marketing Manager, SaaS Apps

The year 2020 will be remembered for many things. No, I am not talking about the global pandemic, but rather something of comparable dimension in cybersecurity — the SolarWinds breach carried out by a nation-state bad actor, which unleashed the “worst nightmare cyberattack,” as NPR called it. The attack compromised about 100 companies and a dozen federal agencies.

The attack triggered a conversation about how the product that was breached, SolarWinds Orion, was an on-premises solution, with experts weighing in about the security risks associated with such products. With software-as-a-service (SaaS), customers decide what data they want to send to the cloud, and there is no need for any complex, third-party software installations locally. I tend to agree with all of these points. Cloud migrations and deployments have evolved significantly since the United States introduced the Federal Cloud Computing Strategy in 2011.

Safeguarding against data breaches is an arduous, complex process. As in the case of SolarWinds, malware can reside in your systems for months before it is detected. Attacks are getting increasingly innovative and better at identifying the weakest link. To counter such threats, the U.S. Government developed the Federal Risk and Authorization Management Program (FedRAMP), a mandatory certification required for any government agency making the migration from on-premises to cloud infrastructure. FedRAMP provides a framework for security assessment, authorization, and the ongoing security monitoring of cloud service providers (CSPs). It is a rigorous certification program aimed at assessing the risk levels of CSPs.

Not all cloud providers are created equal

There are two types of CSPs out there — vendors that go through the complex and intensive process of getting their cloud platforms and services FedRAMP certified, and vendors that claim that they are FedRAMP certified because their cloud host, say AWS or Azure, is FedRAMP accredited. There is simply no way that a CSP can be FedRAMP certified just because their infrastructure as a service (IaaS) provider is.

Equally important, federal agencies need to ensure their CSP’s subcontractors are also FedRAMP certified, or they could be exposing themselves to potential risk. There needs to be a clear understanding of which services are provided by the hosting IaaS platform, the CSP, and the subcontracting firm, and whether each of these is FedRAMP compliant.

Here are five critical capabilities that federal agencies need to consider when evaluating their CSPs against the FedRAMP framework.

1. Proven track record as a federal CSP

Does your CSP have a flawless track record of protecting critical federal data over a period of time? Getting the FedRAMP certification is one thing, but the ability to provide a consistent level of high-quality services that meet the unique requirements of each of the agencies is an entirely different proposition. Before choosing a cloud data protection vendor, evaluate how long your CSP has had the certification and delivered services critical to customers. Do not just evaluate the vendor on their cloud data protection capabilities, but how they can help you realize strategic value from the data that is stored. Unless your data is immutable, critical intelligence and insights that drive policy decisions can be impacted by the health of the data.

2. Adopt a cloud-first model to deliver value

Your CSP must be able to deliver all the key benefits of a SaaS platform, such as the ability to eliminate risky and antiquated hardware, elasticity to meet the ever-expanding data storage needs of agencies, best-in-class reliability, zero management costs, and an overall reduction in your total cost of ownership (TCO). To do this, they need a solution that is built from the ground up for the cloud, on the cloud. As many vendors hastily re-engineer legacy, on-premises data protection solutions for the cloud, agencies must be aware that this type of product transition can cause serious issues from an operational and security perspective.

A cloud-native data protection platform offers enormous value especially for eDiscovery and legal hold, oversight and compliance, device refresh, long-term data retention, and defensible deletion. 

3. Feature breadth and depth

SaaS applications are inherently complex to manage and protect, which is why a number of vendors tend to have narrower capabilities, typically focusing on just a single workload such as Microsoft 365 or Salesforce. Even within a given SaaS platform, features, administrative modules, and user experience tend to vary across its different application building blocks, for example across Microsoft Exchange Online, Teams, and SharePoint. Complete end-to-end protection across multiple SaaS platforms and applications, a single pane of glass for central administration, and a unified user experience that is consistent across all applications are a rare find.

4. Robust and transparent security operating model

Remember that when you are moving your workloads to the cloud, you are also moving critical data under the custodianship of a third party, your CSP. However, this data can be protected if your vendor offers the right steps and tools, such as data encryption, granular access controls, bidirectional integration with tools that support FedRAMP, Cybersecurity Maturity Model Certification (CMMC) controls for data protection, and a single point of policy enforcement. Each of these helps ensure government data stays protected from corruption, accidental deletion, ransomware, and elevation-of-privilege attacks.

5. Future-proofing compliance

The evolving regulatory landscape and the inter-dependencies across a number of regulations dictate that your CSP should stay ahead of the game. The best example here is the CMMC, which combines a selection of security controls from NIST SP 800-171A, SP 800-181B, and others such as NIST SP 800-53 and ISO 27001. DFARS 7012 compliance (Paragraph D for clouds) will also be part of the CMMC [level 3] assessment process. If your CSP is going to be ready to meet the CMMC, there is a fair chance that they have already achieved the other compliance mandates as well.

Key takeaways

To sum up, federal agencies need to ensure that when their controlled unclassified information (CUI) moves to the cloud, it is protected at FedRAMP Moderate or an equivalent level. If the agency is not 100% confident that their CSP and their partners meet the requirements for protecting their CUI data, they have the option to look for alternative vendors.

The public cloud and SaaS applications have become an indispensable part of the federal government’s modernization and digital transformation initiative. As we saw, there are several considerations that need to go into this process, especially when it comes to SaaS application data storage and protection — types of data stored, storage capacity, WAN optimization, global dedupe and incremental backups, central visibility and audit, platform independence, and most importantly, predictable and transparent costs. 

As a FedRAMP certified, established data security provider for government agencies, Druva can manage a broad spectrum of SaaS data in the cloud, while also enhancing security and mitigating identified risks. Download our new solution brief to discover how Druva is responding to the new Cybersecurity Maturity Model Certification and other government security projects.