Making Cloud Software Jive with FedRAMP Requirements

Making Cloud Software Jive with FedRAMP Requirements

By Erik Linask, Group Editorial Director  |  March 07, 2018

It was never in doubt that cloud computing would eventually play a major role in business technology.  In fact, today, the question is not if, or even when, to start using moving towards cloud technologies, but how much to put in the cloud.  The proof is in the statistics:

The government sector is no exception to the rule, and continues to increase its use of cloud technologies at all levels.  Forbes also notes that the government sector has the highest rate of private cloud adoption at 29 percent.

Federal agencies are subject to significantly more stringent security requirements and different general concerns around architecture and controls than typical commercial businesses.  As such, most host their software in their own on-premises data centers.  But, the numbers speak for themselves, and the

recognition that cloud is not only a viable, but in many cases, a better option, resulted in the Federal government developing its FedRAMP program – to literally provide guidelines to help vendors ramp up their government deployments.

“The world, it’s safe to say, is moving away from the on-premises model,” notes Matt Willman, Principal Architect at Jive Software (News - Alert) and the lead on the company’s FedRAMP certification process.  “Most companies, including Federal agencies, are interested in having third-party providers or the software vendors themselves host products for them and consuming them in a SaaS (News - Alert) model.”

Recognizing the opportunity, Jive hired Willman to head its FedRAMP initiative, which included re-architecting its collaboration platform from the ground up to meet FedRAMp guidelines, but also moving to the AWS GoVCloud to leverage its FedRAMP-certified architecture.

“The architecture was designed from the ground up with the goal of achieving FedRAMP certification,” Willman explained.  “We also spent a good amount of time making changes to our code base, adding functionality required to meet some of the controls we didn’t previously have available in the product.”

Understanding the nuances of a FedRAMP certification, Jive recognized it would need to new tools that would allow for better intrusion detection and network-based protection, beyond what its commercial customers required. 

“It's not like you can call up AWS and tell ask them to put a new network tap in, or to install a new network sensor box – that just isn’t something that's going to happen,” said Willman.  “We needed to look for solutions that fit the cloud model, yet offered the same functionalities we could deploy in our own data center.”

Jive ultimately found its solution in ProtectWise, which offered a scalable network IDS solution that was deployable in the cloud framework.  It even delivered capabilities Jive had not explored previously but would prove to be an asset, including its network DVR functionality.  Now, in the final phases of certification, Willman says ProtectWise has more that delivered on expectations, even providing several instances of network traffic insight that allowed Jive to adjust its platform to operate more efficiently and cost-effectively in the AWS cloud.

“With ProtectWise, we can see exactly how much traffic is passing back and forth between nodes and it's alerted us to some misconfigurations that were generating a significant amount of extra traffic that we were able to resolve and bring traffic loads down to what we had expected,” said Willman.

As for the Jive solution itself, the initial FedRAMP-ready design included a set of functionalities Jive felt would be most appealing to a maximum number of Federal customers, and will continue to certify and enable additional functionalities in subsequent releases.

That includes the use of plug-in technology to allow customers to modify the platform’s code to meet their unique models.  The challenge with FedRAMP, of course, is the idea is to keep systems as closed and locked down as possible, so Jive has been working diligently to enable that level of customization while remaining in compliance with the program.  Willman believes the company is close to delivering that capability.

Even then, though, their work isn’t done.  Keeping up with new standards, requirements, and security threats is an ongoing task that takes ongoing commitment and diligence.

“I don't think absolute security is achievable, but it’s about doing everything you can to make sure you are as secure as you can be and, if something does happen, that you can detect it, report it, remediate it, recover from it,” Willman adds.

The requirements aren’t easy to achieve, and it’s taken Jive two years to reach the final stage of the process.  But, considering the customer base, the standards also aren’t unreasonable.

For Jive, it means having access to a large Federal government customer base that has a mandate to leverage more cloud services.  It also means increased access to certain commercial markets which, while not necessarily requiring the same documentation FedRAMP customers do, but are very interested in the higher security model.  With the base architecture in place, Jive will be able to extend the same product to commercial customers in healthcare, financial, and other sectors.

Edited by Mandi Nowitz