Keep Cloud Services FedRAMP Compliant and Avoid Hefty Fines
Bad actors continue to target government organizations. Alongside the growth in targeting technology, attacks focused on government targets nearly doubled in 2019 compared with 2017. Most notably, this included significant jumps in both reconnaissance activity and application-specific attacks. This growth has been fueled by an increase in internet-delivered services designed to help citizens obtain regional or local assistance. Unfortunately, those same internet-enabled applications have given attackers additional opportunities and have led to large data breaches affecting federal and state agencies in the US.
- Unpatched Legacy Applications in the Public Sector
- What is FedRAMP?
- FedRAMP is Crucial for Cloud Providers Supporting Federal Agencies
- Using KernelCare to Stay FedRAMP Compliant
Unpatched Legacy Applications in the Public Sector
Along with application attacks, local governments have experienced significant impacts from denial-of-service (DoS) and ransomware attacks. These attacks are difficult to hide from constituents, and smaller government offices rarely have the resources to deal with significant outages.
To help governments deal with the numerous state-sponsored threats aimed at them, the cloud offers technology to run reliable and scalable services with the access controls and monitoring tools needed for compliance. These tools are available to government agencies (and other enterprise clients), but they are commonly used inappropriately or configured incorrectly. Such mistakes are classed as human error, and human error accounts for some of the biggest data breaches to date.
Compliant cloud hosting services operate under a shared responsibility model: the cloud provider gives you all the tools necessary to protect your data, but it’s your responsibility to configure those services properly. As you can imagine, administrators unfamiliar with the way cloud tools work can easily make a critical error in a security configuration. A recent 2020 report showed that 30 billion records were exposed in the last two years due to cloud misconfigurations.
Misconfigurations are not the only issue for cloud administrators; outdated software is also common on government systems. Governments notoriously run legacy applications on-premise. Many cloud providers (e.g. Google Cloud Platform) offer legacy migration services that deliver better computing power for outdated software, but many agencies still run outdated technology on-premise, costing billions in taxpayer dollars. A report by the US Government Accountability Office (GAO) found that some government agencies use technology that is decades old (e.g. floppy disk drives). Even more concerning, the GAO found that 12 government agencies used unsupported operating systems. Outdated and unsupported software no longer receives security patches, which makes it a perfect target for cyber-criminals.
A recent example of what can happen with unpatched software is the Click2Gov payment software, used as a self-service payment portal hosted locally by several US government agencies. The software was found to be vulnerable in 2017 and patches were deployed, but hackers were still able to compromise several government agencies by targeting unpatched versions of the Click2Gov software. In the aftermath, residents of several US counties became victims of identity fraud as their information was sold on darknet markets.
What is FedRAMP?
The Federal Risk and Authorization Management Program (FedRAMP) was created to address the concern that government agencies were using cloud resources without proper controls in place, leaving public data exposed to attackers. First, it states that only cloud service providers with FedRAMP authorization can work with government agencies. Authorization requires that a long list of security controls and data privacy features be put in place to protect personally identifiable information (PII).
A cloud provider whose data centers aren’t FedRAMP compliant cannot host federal government data, and therefore stands to lose revenue. Other compliance gaps can also interfere with other clients, such as healthcare (HIPAA) or ecommerce (PCI-DSS), but FedRAMP security controls overlap with many of the other compliance standards important to cloud hosts.
FedRAMP is Crucial for Cloud Providers Supporting Federal Agencies
FedRAMP is a rigorous process and requires strict cybersecurity protections to remain an authorized provider. Providers must follow NIST SP 800-53, the catalog of security and privacy controls that defines how providers must architect and maintain their infrastructure. Without the right security controls and protections in place, government agencies cannot use the provider, which could be devastating to an organization that supports several federal agencies.
A general FedRAMP requirement is that the cloud provider must have reasonable protections in place to safeguard data. Unpatched software, especially server operating systems, does not provide a secure environment for clients. Vulnerabilities in unpatched software can be leveraged to expose PII, which can lead to hefty fines for the cloud provider and potentially result in lost revenue and clients.
Using KernelCare to Stay FedRAMP Compliant
Staying compliant requires updating any vulnerable software, or you could be facing fines. FedRAMP’s flaw remediation control (SI-2) requires that organizations “identify, report, and correct system flaws.” Malicious code protection (SI-3) is also a requirement: organizations must “employ malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code.” Both requirements can be covered by employing vulnerability scanners together with a patching solution.
By scanning servers, administrators can demonstrate adherence to FedRAMP requirements, but patching is often the sticking point. Conventional patching requires testing and reboots, which translate into downtime. KernelCare integrates with any scanning solution, patches servers running vulnerable software, and requires no reboot after patching is completed. It’s one complete patching solution that covers the SI-2 and SI-3 FedRAMP requirements.
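The SI-2 workflow described above (scan, then remediate, then report what is still open) needs one piece of glue that the text only implies: reconciling the scanner's findings with what a reboot-free patching tool has actually applied, because a scanner that keys off `uname -r` will keep reporting kernel CVEs that live patches have already closed. The following is an added example, not KernelCare's code or any scanner's API; it assumes the patching tool can report an "effective" kernel version and a list of CVEs covered by live patches, and all hosts, versions and CVE identifiers below are constructed placeholders.

```python
"""
Reconcile vulnerability-scanner findings against per-host patch state so the
SI-2 (flaw remediation) report lists only flaws that remain open.

Added example with constructed sample data. The host states, package
versions and CVE-0000-* identifiers are placeholders, not real findings.
"""
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    package: str    # "kernel" or a userland package name
    fixed_in: str   # version the scanner says remediates the flaw


@dataclass
class HostState:
    running_kernel: str                       # what `uname -r` reports
    effective_kernel: str                     # version the live patches bring the host up to (assumed tool output)
    live_patched_cves: frozenset = field(default_factory=frozenset)
    installed: dict = field(default_factory=dict)   # package -> installed version


def version_key(version):
    """Numeric components of a version string, for ordering: '4.18.0-348' -> (4, 18, 0, 348)."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def at_least(installed, required):
    return version_key(installed) >= version_key(required)


def is_remediated(finding, state):
    """A kernel flaw is closed by a live patch for that CVE or by an effective kernel at/after the fix;
    a userland flaw is closed only by an installed version at/after the fix."""
    if finding.package == "kernel":
        if finding.cve in state.live_patched_cves:
            return True
        return at_least(state.effective_kernel, finding.fixed_in)
    installed = state.installed.get(finding.package)
    return installed is not None and at_least(installed, finding.fixed_in)


def reconcile(findings, hosts):
    """Split findings into open vs remediated. Findings for hosts with no known
    patch state stay open (never silently dropped). Hosts whose uname lags the
    effective kernel are flagged: a uname-based scanner will misreport them."""
    open_findings, remediated = [], []
    for f in findings:
        state = hosts.get(f.host)
        if state is None or not is_remediated(f, state):
            open_findings.append(f)
        else:
            remediated.append(f)
    uname_lag = sorted(h for h, s in hosts.items() if s.running_kernel != s.effective_kernel)
    return {"open": open_findings, "remediated": remediated, "uname_lag_hosts": uname_lag}


def si2_summary(result):
    """Per-host counts suitable for a flaw-remediation status report."""
    summary = {}
    for status in ("open", "remediated"):
        for f in result[status]:
            summary.setdefault(f.host, {"open": 0, "remediated": 0})[status] += 1
    return summary


# Constructed sample data (placeholders, not real scanner output).
HOSTS = {
    "web-01": HostState("4.18.0-305", "4.18.0-348", frozenset({"CVE-0000-1001"}), {"sudo": "1.9.5-3"}),
    "db-01": HostState("4.18.0-348", "4.18.0-348", frozenset(), {"sudo": "1.9.5-1"}),
}
SCANNER_FINDINGS = [
    Finding("web-01", "CVE-0000-1001", "kernel", "4.18.0-348"),   # closed by a live patch for this CVE
    Finding("web-01", "CVE-0000-1002", "kernel", "4.18.0-348"),   # closed: effective kernel is at the fix level
    Finding("web-01", "CVE-0000-2001", "sudo", "1.9.5-3"),        # closed: installed version matches the fix
    Finding("db-01", "CVE-0000-1003", "kernel", "4.18.0-372"),    # open: effective kernel is older than the fix
    Finding("db-01", "CVE-0000-2001", "sudo", "1.9.5-3"),         # open: installed 1.9.5-1
    Finding("cache-01", "CVE-0000-1003", "kernel", "4.18.0-372"), # open: host has no recorded patch state
]

if __name__ == "__main__":
    result = reconcile(SCANNER_FINDINGS, HOSTS)
    for f in result["open"]:
        print(f"OPEN  {f.host:9} {f.cve} ({f.package}, fixed in {f.fixed_in})")
    print("uname lags effective kernel on:", ", ".join(result["uname_lag_hosts"]))
    print(si2_summary(result))
```

The design point is the `uname_lag_hosts` list: it identifies hosts where a scanner comparing `uname -r` against advisory versions would raise false positives after reboot-free patching, so the report can state which findings were closed by live patches rather than leaving them as unexplained scanner noise.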
FedRAMP isn’t the only compliance standard cloud providers must follow. For instance, SOC 2 compliance is critical for data centers hosting client applications and data. Sarbanes-Oxley, PCI-DSS, HIPAA, and other compliance standards require organizations to put cybersecurity measures in place that protect data proactively, or face hefty fines. Using KernelCare, these data centers stay compliant with any regulatory standard overseeing data security.
Cloud providers can’t afford to slip up and lose their compliance. Not only is it an expensive oversight, it also means losing every government client, and any other client that must use hosting backed by compliant infrastructure. Using KernelCare, enterprise organizations, data centers, and cloud providers can ensure they follow protocols that reduce risk and manage unpatched software without the need for reboots and downtime.