Amazon refutes view that federal security accreditation is no big deal

Amazon shoots back and media reports that play down the significance of its government FEDramp certification

In an unusual public relations move by market-leading cloud provider Amazon Web Services, the company is shooting back at media reports that play down the significance of the company receiving government approval for the federal departments to use its cloud.

After a thorough government review, AWS recently received an authority to operate as a provider of services for the Department of Health and Human Services under the Federal Risk and Authorization Management Program (FedRAMP). The FedRAMP certification will basically make it easier for government agencies to host workloads in Amazon’s cloud.

[MORE CLOUD: How to build a private cloud]

A report at the website Government Technology quoted Gartner IT risk assessment analyst Jay Heiser who played down the certification however, noting that the federal government is using its buying power to push public cloud providers to increase their services to a point where government agencies would be comfortable using them. “It’s nice to know that some 3PAO (Independent Third Party Assessment Organization) has decided that Amazon’s federal-specific facility is suitable for federal use, but why should any non-federal entity presume that they would get the same form of service?” Heiser told Government Technology in an e-mail.

Amazon Web Services responded to some of those claims in the company’s blog over the weekend in a post titled, “AWS FedRAMP ATO: Difficult to Achieve, Easily Misunderstood, Valuable to All AWS Customers.” Amazon does not typically respond to media reports about its services, but in the blog post AWS evangelist Jeff Barr points out that both the AWS GovCloud (which only hosts government workloads) and the US East and US West regions of its cloud all received FedRAMP certification, meaning all customers can benefit from FedRAMP certification. The FedRAMP certification process included:

-A six-month assessment

-A human and administrative process review

-Physical controls of certain facilities

-Third-party penetration testing

So how big of a deal is FedRAMP certification? For government agencies, it is significant; it opens AWS services – which are market leading in a variety of ways, including breadth of services and price - to government workloads.

But, the move to get FedRAMP should not come as a surprise; in fact it is almost to be expected from the company. AWS has an entire region of its cloud (GovCloud) dedicated only to government workloads, so of course it would try to get FedRAMP certification for that. By the way, Verizon Terremark, Dell and others have their own government cloud offerings as well.

Amazon says other customers could benefit from this certification too, but not necessarily inherently. At the company’s first-ever re: Invent user’s conference late last year, AWS Chief Security Officer Stephen Schmidt spoke about the “shared responsibility” between AWS and the customer regarding security. AWS provides a base-level of security around physical data center protections and the virtual and network infrastructure. It’s up to customers to decide how their Amazon cloud services are configured to ensure different levels of security. “It’s important to differentiate between what we do and what you choose to do,” Schmidt said at the time.

The bottom line is that AWS has a robust cloud computing offering that can pack some pretty tight security protocols with it. In that same speech Schmidt noted that Amazon Web Service’s original customer, the retail side of the business, is a massive payment card industry (PCI) compliant cloud. But the reality is that it’s up to the customer to decide how secure and fault tolerant their cloud will be. A user can give AWS a credit card and have a virtual machine up and running in minutes. That VM isn’t going to have the same security and high availability features that VMs used by government agencies for sensitive workloads though. You pay for what you get.

Network World senior writer Brandon Butler covers cloud computing and social collaboration. He can be reached at and found on Twitter at @BButlerNWW.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2013 IDG Communications, Inc.