AWS cloud security compliance beats on-premises

Despite continuing concerns about cloud security, AWS proves its cloud security compliance with FedRAMP is better and easier than on-premises.

This article can also be found in the Premium Editorial Download: Modern Infrastructure: The problem with private cloud.

I tend to be pro-private data center. Some have compared my views to those of the Luddites, the 19th-century textile artisans who protested the mechanization of the textile industry by destroying the machinery itself. I don't advocate destruction, but I do believe there is tremendous value in on-premises data centers in the face of issues in the public cloud -- issues like control, transparency and even affordable secure connectivity.

Ironically, one area where the public cloud is rapidly emerging as the winner is in secure computing, specifically in environments that must comply with regulations like PCI guidelines, or even worse, comply with the U.S. Federal Risk and Authorization Management Program (FedRAMP). These are areas that are troublesome for on-premises data centers, especially if most of the workloads are not secure. The secured environments require enormous amounts of duplicate infrastructure (including separate data centers), physical security and infrastructure controls that most organizations are completely unprepared for.

Companies and universities that do certain types of research funded through federal grants may not have a choice but to comply, as the Federal Information Security Management Act (FISMA) mandates compliance with particular standards. As a result, many organizations see the economics of continuing their research becoming very unfavorable. Many of them have stopped their work altogether, and their researchers have gone elsewhere, including to foreign countries where the controls are less strict.

Security at scale

Amazon Web Services (AWS) recently announced that it has been deemed compliant with FedRAMP guidelines, for FISMA "low" and "moderate" levels, corresponding to the same levels in the United States' National Institute of Standards and Technology (NIST) SP800-53 guidelines, the federally mandated rule book when it comes to implementing these sorts of things. These rule books are enormous, though, and they are often just guidelines, which complicates matters. In security, the idea of "compensating controls" means that it's OK to avoid a mandated type of security control, as long as there are other methods in place to achieve the underlying goal. This makes certification of environments difficult, and makes the process very subjective. Being able to automatically pass a large part of the subjective certification process through the use of commodity services saves enormous time and money.

Amazon's announcement is huge because of the scale of AWS cloud, too. The ability to buy FISMA-compliant Infrastructure as a Service that scales and is interoperable with all sorts of management tools is a giant step forward. Previously there were only two certified cloud providers: CGI Federal and Autonomic Resources LLC. Eighty more providers have applied for certification, but they face a serious competitive challenge because Amazon Web Services is a de facto standard in cloud computing. But the big impact of this move can be found in AWS' frequently asked questions: "Will compliance with FedRAMP increase AWS service costs?"

Their answer is "No, there are no additional costs." And with that answer, on-premises, secure private and hybrid clouds have died, to be replaced on their next refresh cycle with the public cloud.

About the author
Bob Plankers is a virtualization and cloud architect at a major Midwestern university. He is also the author of The Lone Sysadmin blog.

This was last published in July 2013
