Windows Azure cloud services achieve critical federal security milestone

The following is a post from Susie Adams, chief technology officer for Microsoft Federal.

Starting Monday, it will be easier for government organizations to realize the benefits of secure cloud computing.

Microsoft received notice that Windows Azure was granted the FedRAMP Joint Authorization Board (JAB) Provisional Authority to Operate (P-ATO). Windows Azure is the first public cloud platform, with infrastructure services and platform services, to receive a JAB P-ATO.

The Federal government is moving to the cloud, and early on it recognized that, although each agency by law must still authorize and approve the mandated security controls, a streamlined process would be ideal so that individual agencies would know which cloud vendors and services had already been vetted by a central “board” of key agencies. This is what the JAB is. The FedRAMP JAB is comprised of representatives from the Department of Defense, the Department of Homeland Security and the U.S. General Services Administration (GSA).

Securing a P-ATO from the JAB ensures that when government agencies have a need for an Infrastructure as a Service (IaaS) or Platform as a Service (PaaS), they know that Windows Azure has successfully met the necessary security assessments. This not only opens the door for faster cloud adoption, but helps agencies move to the cloud in a more streamlined, cost-effective way.

Additionally, since Microsoft datacenters were also evaluated as part of the JAB review process, other Microsoft cloud services are ultimately better aligned to meet these security controls as well.

You may be wondering why this is important. For years, the IT systems purchased by Federal government agencies have had to comply with complicated federally mandated security requirements like the Federal Information Security Act (FISMA). These security guidelines, which are really just a set of policies and security controls, were designed as risk-based frameworks to guide agencies in their security evaluations of the IT systems they used. The challenge with these compliance mandates was that there was no standardized approach used across the federal government when applying them, which resulted in redundant and costly security assessments by each agency. This means that even if the Department of Education approved an IT solution, that same solution would have to go through a second, third and fourth evaluation by every other agency that wanted to use it, making it difficult for agencies to adopt innovative, cost-effective solutions.

The FedRAMP process, now mandated for all federal cloud services, makes huge strides to improve this process. FedRAMP builds upon the existing baseline security controls in place today, adding a standardized approach to security assessment, authorization and continuous monitoring for cloud services. This approach uses a “do once, use many times” framework which reduces the costs, time and staff required to conduct redundant security assessments.

As you can tell, I’m very excited about the authorization. The FedRAMP process for this type of approval is very rigorous and the JAB authorization is a big step forward for Microsoft. It also speak volumes to the pragmatic, holistic approach that Microsoft has taken for its cloud services offerings. Our government customers are ultimately the beneficiaries.