Using AWS for Fast ATO Approvals
Using Amazon for Optimized Authority to Operate Clearances
Team Bluedog attended an Amazon workshop on standardized architectures for NIST-based Assurance Frameworks based on Amazon cloud infrastructure. The all-day affair discussed architectural considerations and steps for deploying security-focused baseline environments on the Amazon Web Services (AWS) cloud.
The moderators went step by step through the process optimized for getting an Authority to Operate (ATO) quickly: choosing an AWS region that fits the impact level of your project; choosing standardized reference architecture to use as a base; making it friendly and recognizable for the people who will be reviewing the ATO proposal (which replaces many aspects of the former A&A/C&A process).
Of note were the anecdotes about the early days of AWS with improperly configured budgets/alerts. Or researchers who spin up a massive amount of computational power on a Friday afternoon and then leave it running for the whole weekend. Apparently, they often forgive accidental expenditures like that if you're an important enough client.
Skepticism abounds about those who try to play the cloud computing providers like the stock market, running their stuff on whatever service happens to be cheapest at a particular time. We theorize this means you can only easily use the controls common to every service provider if you go that route.
A number of the speakers placed a large emphasis on compatibility with common standards like NIST, HIPAA, etc. A handy security controls matrix (provided as a Microsoft Excel spreadsheet) maps architecture decisions, components, and configurations to security requirements within NIST, TIC, and DoD Cloud SRG publications; indicates which AWS CloudFormation templates and stacks affect the controls implementation; and, specifies the associated AWS resources within the templates and stacks.
Contact our team for more information on how we can help with an AWS / FedRAMP-compliant migration strategy.
Click for larger version: