Modern Infrastructure

The problem with private cloud


AWS cloud security compliance beats on-premises

Despite continuing concerns about cloud security, AWS proves its cloud security compliance with FedRAMP is better and easier than on-premises.

I tend to be pro-private data center. Some have compared my views to those of the Luddites, the 19th-century textile artisans who protested the mechanization of the textile industry by destroying the machinery itself. I don't advocate destruction, but I do believe there is tremendous value in on-premises data centers in the face of issues in the public cloud -- issues like control, transparency and even affordable secure connectivity.

Ironically, one area where the public cloud is rapidly emerging as the winner is secure computing, specifically environments that must comply with regulations like the PCI guidelines or, even worse, with the U.S. Federal Risk and Authorization Management Program (FedRAMP). These are areas that are troublesome for on-premises data centers, especially if most of the workloads are not secure. The secured environments require enormous amounts of duplicate infrastructure (including separate data centers), physical security and infrastructure controls that most organizations are completely unprepared for.

Companies and universities that do certain types of research funded through federal grants may not have a choice but to comply, as the Federal Information Security Management Act (FISMA) mandates compliance with particular standards. As a result, many organizations see the economics of continuing their research becoming very unfavorable. Many of them have stopped their work altogether, and their researchers have gone elsewhere, including to foreign countries where the controls are less strict.

Security at scale

Amazon Web Services (AWS) recently announced that it has been deemed compliant with FedRAMP guidelines at the FISMA "low" and "moderate" levels, corresponding to the same levels in the United States' National Institute of Standards and Technology (NIST) SP 800-53 guidelines, the federally mandated rule book for implementing these sorts of controls. These rule books are enormous, though, and they are often just guidelines, which complicates matters. In security, the idea of "compensating controls" means that it's OK to omit a mandated type of security control, as long as other methods are in place to achieve the underlying goal. This makes certification of environments difficult and makes the process very subjective. Being able to automatically pass a large part of that subjective certification process through the use of commodity services saves enormous time and money.

Amazon's announcement is huge because of the scale of the AWS cloud, too. The ability to buy FISMA-compliant Infrastructure as a Service that scales and is interoperable with all sorts of management tools is a giant step forward. Previously there were only two certified cloud providers: CGI Federal and Autonomic Resources LLC. Eighty more providers have applied for certification, but they face a serious competitive challenge because Amazon Web Services is a de facto standard in cloud computing. But the big impact of this move can be found in AWS' frequently asked questions: "Will compliance with FedRAMP increase AWS service costs?"

Their answer is "No, there are no additional costs." And with that answer, on-premises, secure private and hybrid clouds have died, to be replaced on their next refresh cycle with the public cloud.

About the author
Bob Plankers is a virtualization and cloud architect at a major Midwestern university. He is also the author of The Lone Sysadmin blog.



AWS received an Agency ATO with a FedRAMP 3PAO assessment; however, no independent adjudication of the results of that assessment by the FedRAMP PMO was performed, nor was a JAB P-ATO provided.

Regardless of whether an agency leverages a CSP’s Agency ATO or JAB P-ATO, each individual agency must still make their own accreditation determination based on the FedRAMP standardized assessment stored in the repository.

This is not an insignificant determination to make, and requires a detailed understanding of an individual agency's system and the security requirements for the system.

The upshot is that perhaps announcing the death of the on-premises system and the need for their security assessments is premature.
Your data still needs to be secured using a strong form of encryption, and you need to be in possession of your encryption keys to satisfy compliance, especially for FIPS 140 and HIPAA. Our military-grade encryption provides the flexibility to secure your sensitive data in any public cloud, protecting it from any unwanted access. Tell us what you think in the comment box below or at our website
AWS has solid encryption capabilities via Unisys Stealth technologies. Find out more at There is a link to request more information on this capability. Join AWS in deploying an unbreakable bit splitting encryption technology within your public or private cloud service.
