Forrester research has always identified security as a major impediment to broad scale implementation for cloud, regardless of the model, SaaS, PaaS, IaaS, the adoption rate has been slowed by security concerns. Cloud providers recognize this is an impediment to selling cloud services and in response are strengthening their security controls. In Forrester’s Forrsights® research program we interview over 2000 security decision makers on a variety of security issues and topics. Cloud security tops the list of concerns regarding cloud deployments.
The appetite on the buy-side is very real for secure IT cloud infrastructures. Our research shows a lot of very strong interest in the deployment of private cloud platforms because of the elasticity, reduced cost and cycle times required to deploy solutions in these environments.
This week Amazon Web Services (AWS) announced that AWS GovCloud (U.S.) and all U.S. AWS Regions have received an Agency Authority to Operate (ATO) from the U.S. Department of Health and Human Services (HHS) under the Federal Risk and Authorization Management Program (FedRAMP) requirements.
Obtaining FISMA Moderate certification indicates AWS’ focus on providing strong security controls for its cloud offerings. Forrester assumes AWS commercial clients could benefit from this as well by AWS security processes propagating to other areas of AWS’ cloud business.
FedRAMP is a United States government-wide program that provides a standardized approach for security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a “do once, use many times” framework that hopefully will save cost, time, and staff required to conduct redundant agency security assessments. Backers feel that FedRAMP requirements will raise the security bar for the agencies, resulting in more uniform security evaluations of a cloud providers security controls.
This is an important announcement for AWS but it is also very important for the cloud industry in general. This is a major step forward in the legitimization of cloud as a secure and capable application deployment platform.
FedRAMP certification is not easy to obtain and only two other companies currently hold this certification. These are: Autonomic Resources Cloud Platform (arc-p) and CGI Federal.
Forrester sees strong focus on the issue of information security by many cloud providers including not only AWS but also (in alphabetical order), AT&T, Century Link, CSC, IBM, Microsoft, Raskspace, and Verizon. Each of these firms have increased focus and investment on the security of their cloud offerings. Forrester expects this trend to accelerate, as security becomes a critical selling feature and a key evaluation point from the buy-side. This is very good news for companies hungry to get into the cloud.