April 3, 2019

How to Evaluate Cloud Service Providers for FedRAMP Compliance

When you partner with a cloud service provider (CSP), it’s important to know that they will keep the data and apps you use secure. Cloud security remains a top concern for businesses that use cloud services—especially since the use of cloud platforms for sensitive information is on the rise.

According to a survey by the SANS Institute, the percentage of corporations storing customers’ personal information on a cloud platform rose from 35.4% in 2016 to 40.4% in 2017. Likewise, the rate of storing health records rose from 18.9% to 21.3% and the rate of storing business intelligence information rose from 40.9% to 42.6% in that same timeframe. In the same survey, it was noted that the number of organizations claiming to have experienced breaches in cloud applications and data “went up significantly in 2017—in fact, it almost doubled [20% from 10% in 2016].”

Considering that more cybercriminals are targeting CSPs and companies using cloud services, it’s important for companies to partner with cloud service providers that have strong security. One measure of a CSP’s cloud security is their level of compliance with the Federal Risk and Authorization Management Program (FedRAMP).

Assessing FedRAMP Compliance with IBM’s Ten-Step Method

How can you evaluate cloud service providers for FedRAMP compliance? IBM’s Security Intelligence blog outlines a ten-step process for doing this:

  1. Cloud Risk Assessment. The first step in IBM’s FedRAMP compliance assessment framework is to analyze what data and resources you plan on putting in the cloud, and what your acceptable level of risk is for these assets. This helps you put the CSP’s security measures into context so you can determine if they’re appropriate to your needs.

  2. Security Policies. Create a document detailing the controls and risks that are part and parcel to the cloud service. It may be necessary to engage with an attorney specializing in data security compliance standards to verify that the CSP’s controls meet your needs.

  3. Encryption. Encryption is a basic requirement of many cybersecurity standards. However, IBM notes that “it’s crucial to consider the security of the encryption keys provided by the CSP” in addition to the strength of the encryption itself. After all, if anyone can grab the encryption key, the encryption won’t do much good.

  4. Data Backup. The ability to back up data in case of a catastrophic event is another basic requirement of FedRAMP compliance. Cloud services need to have a disaster recovery and/or business continuity plan in place to restore lost data in case something happens to the cloud servers.

  5. Authentication. Strong authentication controls are not only a major requirement for FedRAMP compliance—they’re a good cloud security control in general. A good starting point is multifactor authentication that requires at least two of the following factors: something the user knows (password), something the user has (physical authentication token), or something the user is (biometric identification). Multifactor authentication makes it much harder to hijack user accounts to breach cloud security.

  6. Determine CSP Capabilities. IBM calls on companies to assess the types of cloud services the CSP offers to evaluate them “according to the organization’s cloud security policy and risk assessment.” The types of services delivered may affect how data is used and accessed, which impacts data security.

  7. CSP Security Policies and Procedures. The policies and procedures used by the service provider need to be assessed to determine their strength and suitability for FedRAMP. This will involve using an independent third-party assessment organization—which the FedRAMP Security Assessment Framework document refers to as a 3PAO.

  8. Legal Implications. How will the cloud service provider’s business model and security practices affect your organization’s compliance with data security and privacy laws from around the globe? For example, will the CSP’s method of storing data allow you to comply with the EU’s General Data Protection Regulation (GDPR) if you process the personal data of European Union citizens? It’s important to have an attorney assess the legal implications of cloud services before you use them.

  9. Data Ownership. At the end of the day, who owns the data stored on the CSP’s servers? It is crucial that the ownership of the data stored on the cloud service’s servers is clearly established before entering into a contract. In fact, IBM recommends that you “establish a comprehensive data governance program and reflect it in the CSP’s contract.”

  10. Data Deletion. How does the CSP handle data deletion (and the verification that data was deleted)? This can be important not only for complying with FedRAMP data security requirements, but for other international data privacy laws—such as GDPR, which requires that people have the right to be “forgotten” upon request (meaning you have to delete their data if they ask). It’s important to ask the CSP what controls they have in place for deleting data and assess how unrecoverable deleted data would be.

Following these steps, which are paraphrased from IBM’s article, provides companies with a frame of reference for assessing a cloud service provider’s overall FedRAMP compliance.

Another Method for Checking a CSP’s FedRAMP Compliance

Aside from IBM’s ten compliance check criteria, are there any other ways to assess an organization’s FedRAMP compliance?

One fast method is to look for the FedRAMP logo in a CSP’s marketing materials—and then check with the FedRAMP.gov website to see if they’re actually authorized. As noted in the FedRAMP website’s FAQ page, “Accredited 3PAOs and CSPs who have successfully achieved FedRAMP Ready or FedRAMP Authorized may use the FedRAMP logo.” If the CSP isn’t authorized to display the logo, then they haven’t passed the FedRAMP assessment from a 3PAO or government agency.

You may find that a company is listed by FedRAMP as being “in process.” This means that the organization hasn’t cleared the FedRAMP compliance authorization process yet, but is working with authorities to earn the “authorized” designation.

This is the “quick” method of checking if a CSP is FedRAMP compliant. However, the ten-step method outlined by IBM will provide a clearer picture of the service provider’s security controls and how well they’ll mesh with your needs and goals.

Need more information about achieving FedRAMP compliance or just enhancing your security on macOS devices? Subscribe to the Kandji blog for more updates and information!
