NOTE: This was originally posted on LinkedIn.
When an information security analyst performs a risk assessment, the analyst is supposed to look at the full systems architecture in order to determine whether the required confidentiality of the data can be maintained, the integrity of that data can be proven, and the data is made available in a manner consistent with the business requirement. The analysis should also take into account the impact of the availability of the system.
The information security risk analyst is not supposed to assess the risk based on “best practice.”
In recent days I have been asked to assess the risks of systems being built within Amazon’s AWS cloud environment certified using the FedRAMP process. This assessment not only has to analyze the C-I-A (confidentiality-integrity-availability) aspects of the system but how that system complies with the Federal Information Security Management Act (FISMA) of 2002 because this is being done for a government agency. FedRAMP is supposed to extend FISMA requirements in a way that commercial cloud service providers could serve government computing needs while allowing them to meet their FISMA compliance requirements.
Amazon built their AWS service based on their commercial model to support their business requirements, not one that would comply with FISMA. Although Amazon was analyzed by a FedRAMP certified third-party assessment organization (3PAO), they opted for being granted their authority to operate (ATO) on an agency-by-agency basis rather than being certified by the FedRAMP Joint Accreditation Board (JAB).
The difference between obtaining an agency ATO and a JAB ATO is that Amazon will have to work with each agency to maintain the authority. As a result, they work with each agency that has various tolerances and abilities to assess risks and provide risk management and the necessary operations security infrastructure. This way, they can advertise they have a FedRAMP ATO without having to undergo the scrutiny of the more attentive JAB.
One risk in the way that Amazon handles their service is that under FISMA the platform and software services added within the boundaries of the services that have a FedRAMP agency ATO changes the baseline of the system’s ATO, therefore, requiring a recertification.
Introducing services into their FedRAMP certified boundary is not how it works under the FISMA requirements. It is also dangerous for a commercial environment that has had problems especially when federal agencies are required to continuously monitor these systems (see OMB Memorandum M-15-01 [PDF]).
Using their position in the market, Amazon has created a narrative of “best practice” for architecting and operating systems on their AWS service. Best practice is a euphemism for how Amazon has engineered their systems to work in their environment for their purposes. It is not how the government is supposed to be doing business under the law.
Best practice is not an answer but an excuse. Best practice is an excuse that system architects are using to build systems without trying to understand the consequence of the decisions. Best practice is an excuse not to think.
Amazon has made it easy for system architects not to think. They wave their hands that their systems are safe because they are FedRAMP certified without letting anyone read the fine print and that only the infrastructure, the systems, and networks are certified. The platform and software services are not certified.
Amazon has not made it easy for those of us who grew up in this industry from the days of punch cards to analyze what they are pushing on their clients so that we can make an appropriate risk analysis of the architecture the government is trying to build on Amazon’s infrastructure. Then when risks as discussed, including the risk of FISMA compliance that every federal executive branch agency is supposed to follow, the excuse used for not being able to comply is that the proposed mitigations are not best practice.
While Amazon is not the Corvair† of the cloud computing industry, their service and attitudes are bordering on the chutzpah of the GM side-saddle gas tank or the Ford Pinto exploding gas tanks. Both were best practices based on the engineering of costs over safety that both companies paid for in lawsuits and reduced business because of the lack of trust.
If this essay is read by Amazon someone in Seattle will try to discredit it rather than take the risks seriously and figure out what can be mitigated. I would not put it past them to request that this is removed from this site. But like the automobile industry of the 1960s, they will rest on their best practices and opt to discredit the messenger rather than mitigate their risks.
Remember, USIS, the company that provided background investigation for the Office of Personnel Management was following what they thought was best practices. How is that working out for them?