AWS Public Sector Blog

Approaches for creating FedRAMP high/moderate impact workloads solutions OCONUS using AWS


Cloud computing is pivotal in allowing the federal government to gain operational efficiencies and drive innovation securely and cost-efficiently. Amazon Web Services (AWS) GovCloud (US) operates within the United States, offering government customers and their partners the freedom to design and implement secure cloud solutions adhering to various compliance standards. These include the FedRAMP High baseline; the Department of Justice’s Criminal Justice Information Systems (CJIS) Security Policy; US International Traffic in Arms Regulations (ITAR); Export Administration Regulations (EAR); Department of Defense Cloud Computing SRG for Impact Levels 2, 4, and 5; FIPS 140-2; IRS-1075; and other relevant regulations.

The AWS GovCloud (US-East) and (US-West) Regions are operated exclusively by US citizens who work within US territory. Access to AWS GovCloud (US) is restricted to US entities and root account holders who have successfully passed a thorough screening process. To gain access, users must confirm their commitment to using only US persons, specifically green card holders or citizens as defined by the US Department of State, to manage and access root account keys for these AWS Regions.

The AWS US commercial East and West Regions also offer government customers and their partners the flexibility to design secure cloud solutions in adherence to the FedRAMP Moderate baseline and the DoD Cloud Computing SRG for Impact Level 2.

Numerous US government agencies operate missions outside of the United States. However, they often encounter challenges with limited network bandwidth and unreliable connections from these overseas locations, making it difficult to efficiently use workloads deployed on US soil. To enhance the customer experience and ensure secure access to these workloads, the overseas postings are now exploring hybrid distributed solutions that run closer to the edge.

This post delves into the details of these solutions and their potential benefits for federal agencies.

Federal agencies face challenges when operating abroad

US government agencies that operate outside of the United States face many challenges:

  • High latency: Federal agencies conducting missions outside of the US experience significant delays in accessing the internet, as all internet traffic is routed through the US.
  • Latency in accessing workloads: These agencies also encounter high latency when accessing their High/Moderate workloads deployed in their US on-premises locations from overseas.
  • Insecure deployments: Applications deployed in overseas locations (OCONUS) by federal agencies lack proper security controls and processes for Authorization to Operate (ATO).
  • Compliance limitations: Federal agencies face difficulties in achieving compliance with the FedRAMP High and Moderate baselines and DoD SRG IL5 requirements when operating outside of the US.

To address these challenges, let’s discuss two approaches:

  • Deploying an edge solution using AWS Modular Data Center: This approach involves implementing an edge solution using AWS Modular Data Center (AWS MDC). This strategy aims to bring critical workloads and services closer to the locations of OCONUS missions, reducing latency and enhancing performance.
  • Deploying a solution closer to the OCONUS mission using TSE: This approach entails deploying the solution in proximity to the OCONUS mission, within a Trusted Secure Enclave (TSE). This setup ensures better security controls and compliance with authorization processes, providing a more secure environment for federal agency applications.

By exploring these two approaches, we can mitigate the challenges US agencies face and improve their operational efficiency and performance.

Deploy edge solutions using AWS MDC

Figure 1. Diagram showing edge solution using AWS Modular Data Center (MDC).

This approach entails implementing an edge solution using AWS MDC. The main components of this approach are AWS MDC, Zero Trust Policy Enforcement Point (PEP), and the AWS Global Infrastructure. When combined, these components enhance the user experience, strengthen security measures, and facilitate secure workload deployment at customer locations.

The AWS MDC allows federal agencies to run low-latency applications in infrastructure-limited environments for scenarios such as large-scale military operations, crisis response, and security cooperation. It also allows users to use familiar AWS services, APIs, and tools in these edge locations. It converts data centers from fixed infrastructure, which is difficult to build and manage, to a service that is direct, scalable, and responsive to temporary compute and storage needs.

With its edge computing capabilities, the AWS MDC provides government entities with a hardened mobile facility to run AWS Outposts technology, AWS Snow, and their own server racks. Moreover, the solution can be expanded by deploying additional AWS MDC units to fulfill specific user requirements. By adopting the AWS MDC, federal agencies gain the capability to operate low-latency applications from virtually any location, achieving optimized performance and efficiency. Additionally, AWS MDC ensures agencies have the highest levels of security for their operations and compliance with the FedRAMP baseline.

In this approach, OCONUS customers can deploy their high-impact applications on various compute options, as depicted in the preceding figure. To ensure secure access, they can employ a Customer Edge Networking appliance (CE SD-WAN), connecting the AWS MDC with federal agencies’ on-premises data centers in the US and access locations in OCONUS for sharing their applications. By adopting this approach, federal agencies can create a hub-and-spoke architecture, where the hub is situated in one of the OCONUS locations (Location A), and the spokes represent nearby OCONUS locations (Locations B and C). This configuration supports use cases where federal agencies run the same applications in multiple OCONUS locations, optimizing costs and streamlining operations.

Another aspect of this approach involves Zero Trust Network Access (ZTNA), providing users with secure access to high-impact applications. The Zero Trust PEP and Zero Trust Agent make sure that access is granted only after verifying users’ identity, device posture, and business context, along with enforcing policy checks. The ZTNA seamlessly integrates with leading identity providers to enforce network access policies.

With Zero Trust, the endpoints of High Impact Applications are shielded from exposure to the public internet, and access is granted only to authenticated users through micro-tunnels established between the Zero Trust Agent and the Zero Trust PEP. ZTNA also enables secure internet access from OCONUS locations through a community ISP, eliminating the need to route internet traffic through the US and thereby enhancing the user experience at access locations. This approach enhances the security of applications, provides improved and secure internet access to users at the edge, and ensures compliance with agency requirements.

Additionally, customers use Direct Connect (DX) locations to establish connections between their on-premises data centers, such as the AWS MDC, and the AWS Global Infrastructure. They have the flexibility to select an AWS telco partner or locally available providers for the last-mile connectivity to the data center or access location. This arrangement ensures seamless and secure data transfer to the cloud.

This solution offers secure and streamlined cloud computing choices for federal agencies conducting missions abroad. Using AWS MDC and the AWS Global Infrastructure, federal agencies can deploy High Impact workloads at edge locations, ensuring security and improved accessibility. This facilitates the sharing of workloads with other OCONUS locations. The implementation of ZTNA further strengthens security by granting access based on verified user identity and context. This approach optimizes performance, ensures compliance, and supports efficient application sharing across OCONUS locations.

Deploy solutions closer to the OCONUS mission using TSE

Figure 2. Diagram showing OCONUS solution using AWS TSE.

This approach involves implementing a solution within AWS commercial Regions outside of the US. This comprehensive solution comprises AWS Trusted Secure Enclaves Sensitive Edition (AWS TSE-SE), Zero Trust Policy Enforcement Point (PEP), and the AWS Global Infrastructure. The integration of these components works to elevate the user experience, reinforce security measures, and meet the stringent security demands of federal agencies. It also supports secure workload deployment on the AWS commercial Regions in proximity to OCONUS locations, and facilitates seamless sharing among these locations.

The AWS TSE-SE provides a reference architecture that is a comprehensive, multi-account AWS cloud architecture targeting sensitive-level workloads. The AWS TSE-SE reference architecture is designed to help users address central identity and access management, governance, data security, comprehensive logging, and network design and segmentation in alignment with security frameworks such as NIST 800-53, ITSG-33, FedRAMP Moderate, CCCS-Medium, IRAP, and other sensitive or medium-level security profiles.

The AWS TSE-SE operates like a bank safety deposit box, where users possess the keys to access the contents. Similarly, in the AWS TSE-SE, users hold the keys, which are used for encrypting and decrypting data. These keys are securely stored in a user’s dedicated Hardware Security Module (HSM), ensuring maximum security. The AWS TSE-SE adopts a multi-account approach that is implemented using the Landing Zone Accelerator. The user’s workloads are hosted in a dedicated Trusted Workload Account. This setup creates a strong and isolated environment, delivering heightened security for data and operations.

The Trusted Workload account is subject to strict limitations, restricting access to a validated set of services that are either authorized at a higher level or on par with those offered in AWS GovCloud (US) Regions. Organization-level service control policies (SCPs) are implemented to enforce compliance with FedRAMP-level services, providing a secure and compliant environment.

Regarding data protection, the AWS Nitro System serves as the baseline for the instances, ensuring a secure foundation. Additionally, operational access does not include root or console access, enhancing the overall security measures in place.
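The two preceding paragraphs describe guardrails that are typically expressed as an organization-level service control policy: an allowlist of validated services, a restriction to approved Regions, and no root-user access for operations. The following Python is an added example, not code from the post or from the TSE-SE reference architecture. It builds such an SCP from a hypothetical allowlist (the service prefixes, Regions and account ID are constructed sample values) and pairs it with a deliberately simplified explicit-deny checker so the guardrails can be sanity-checked offline before the policy is attached. The checker mirrors only these three Deny statements; it is not AWS's policy engine, ignores Allow statements and resource-level matching, and does not replace testing in a sandbox organization.

```python
"""Build and sanity-check an SCP for a Trusted Workload account.

Added example: hypothetical allowlist, not the TSE-SE policy set.
The evaluator mirrors only the explicit-Deny logic of the three
statements below and is not AWS's policy evaluation engine.
"""
import fnmatch
import json

# Constructed sample values for the validated services and approved Regions.
ALLOWED_SERVICE_PREFIXES = ["ec2", "s3", "kms", "logs", "cloudtrail", "sts", "iam"]
ALLOWED_REGIONS = ["eu-central-1", "eu-west-1"]
# Global services carry no Region, so the Region guardrail exempts them.
GLOBAL_SERVICE_ACTIONS = ["iam:*", "sts:*", "organizations:*", "support:*"]


def build_scp(allowed_services, allowed_regions):
    """Return an SCP document with three explicit-Deny guardrails:
    1. deny every action outside the validated service prefixes,
    2. deny requests to Regions outside the approved list,
    3. deny any use of the account root user."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyNonValidatedServices",
                "Effect": "Deny",
                "NotAction": [f"{svc}:*" for svc in allowed_services],
                "Resource": "*",
            },
            {
                "Sid": "DenyOutsideApprovedRegions",
                "Effect": "Deny",
                "NotAction": GLOBAL_SERVICE_ACTIONS,
                "Resource": "*",
                "Condition": {
                    "StringNotEquals": {"aws:RequestedRegion": allowed_regions}
                },
            },
            {
                "Sid": "DenyRootUser",
                "Effect": "Deny",
                "Action": "*",
                "Resource": "*",
                "Condition": {
                    "StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}
                },
            },
        ],
    }


def scp_json(scp):
    """Serialize the policy as it would be passed to Organizations."""
    return json.dumps(scp, indent=2)


def _matches(pattern, value):
    # IAM action names and ARNs are matched case-insensitively with '*' wildcards.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _action_in(action, patterns):
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(_matches(p, action) for p in patterns)


def is_denied(scp, action, region, principal_arn):
    """Simplified check: True if any Deny statement matches the request.
    `region` is None for global services that carry no Region."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        # Statement applies only if the action is covered by Action / NotAction.
        if "Action" in stmt:
            if not _action_in(action, stmt["Action"]):
                continue
        elif _action_in(action, stmt["NotAction"]):
            continue
        cond = stmt.get("Condition", {})
        if "StringNotEquals" in cond:
            if region in cond["StringNotEquals"]["aws:RequestedRegion"]:
                continue  # Region is approved, so this Deny does not fire
        if "StringLike" in cond:
            if not _matches(cond["StringLike"]["aws:PrincipalArn"], principal_arn):
                continue  # principal is not the root user
        return True
    return False


SCP = build_scp(ALLOWED_SERVICE_PREFIXES, ALLOWED_REGIONS)
OPERATOR = "arn:aws:iam::123456789012:role/WorkloadOperator"  # constructed
ROOT = "arn:aws:iam::123456789012:root"  # constructed

if __name__ == "__main__":
    print(scp_json(SCP))
    for req in [("ec2:RunInstances", "eu-central-1", OPERATOR),
                ("ec2:RunInstances", "us-east-1", OPERATOR),
                ("lambda:InvokeFunction", "eu-central-1", OPERATOR),
                ("s3:GetObject", "eu-west-1", ROOT),
                ("iam:ListRoles", None, OPERATOR)]:
        print(req, "DENIED" if is_denied(SCP, *req) else "not denied by SCP")
```

An SCP only removes permissions; a request that is "not denied by SCP" still needs an IAM Allow in the account, which is why the checker reports explicit denies rather than access decisions. Review the generated document with IAM Access Analyzer policy validation and test it in a non-production organizational unit before attaching it to the Trusted Workload account.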

From a data access perspective, the TSE employs AWS Key Management Service (AWS KMS) with an external HSM, making sure that keys are never stored within AWS. Access to the Trusted Workload account is facilitated through AWS Transit Gateway. Moreover, the user fully manages the identity used for controlling access to AWS services, contributing to a secure environment.

The AWS Global Infrastructure and Zero Trust Network Access aspects discussed in the first approach also apply in this approach. This helps ensure secure connections and enhances security by granting access based on verified user identity and context.

Overall, the solution is designed to meet the stringent security requirements of sensitive workloads and complies with various security frameworks and standards. By using AWS TSE-SE and the other mentioned components, the architecture aims to provide users with a robust, isolated, and secure environment for their sensitive data and operations.

Conclusion

In this post, two distinct solutions are proposed to address the challenges faced by federal agencies operating outside of the US.

The first solution focuses on deploying edge solutions using AWS MDC. It aims to reduce network latency and enhance performance by bringing critical workloads closer to OCONUS mission locations. This approach uses AWS MDC, Zero Trust Network Access (ZTNA), and Direct Connect (DX) to create a hub-and-spoke architecture, optimizing costs and streamlining operations. It is particularly well-suited for scenarios where low-latency applications are crucial, such as large-scale military operations, and State Department locations overseas.

The second solution, deploying solutions closer to OCONUS missions using AWS TSE-SE, focuses on providing a highly secure and compliant environment for sensitive-level workloads. This approach involves deploying solutions within AWS commercial Regions outside of the US, using AWS TSE-SE, AWS KMS with HSM, Zero Trust Network Access (ZTNA), and AWS Global Infrastructure. It’s ideal for missions that need strict security measures and compliance with various security frameworks.

Both solutions offer federal agencies the flexibility to choose the one that best aligns with their specific mission requirements, whether that is optimizing performance, ensuring security and compliance, or a combination of both.

Read more about AWS MDC, TSE and the related stories on the AWS Public Sector Blog: