Amazon Launches 'AWS GovCloud' 26
wiredmikey writes "Amazon Web Services today announced 'AWS GovCloud,' a new AWS Region designed to allow U.S. government agencies and contractors to move IT applications and systems into the cloud by addressing their specific regulatory and compliance requirements. Previously, government agencies with data subject to Compliance regulations such as the International Trade and Arms Regulation (ITAR), which governs how organizations manage and store defense-related data, were unable to process and store data in the cloud that the federal government mandated be accessible only by U.S. persons. AWS said that it will screen customers prior to providing access to the AWS GovCloud, helping to ensure customers are 'U.S. Persons,' not subject to export restrictions."
Coming soon... (Score:1)
No FISMA. (Score:2)
Despite the vague phrasing of the article, AWS GovCloud hasn't yet received any FISMA certification which means they're going to have a very hard time getting anyone in gov't to use them seriously.
Re: (Score:3)
According to Amazon Web Services, and as mentioned in the article, GovCloud "supports existing AWS security controls and certifications such as FISMA, SAS-70, ISO 27001" -- So it seems as though you are incorrect on the fact that GovCloud hasn't received FIMSA certification.
Re: (Score:2)
Not sure. But I do know that "supports" != "has".
Re: (Score:2)
Re: (Score:2)
Not true. As defined by NIST 800-60 and FIPS 199, you aren't talking about an application, but rather an "information system". NIST 800-53 defines minimum security requirement.
The system includes physical security, physical computers, etc. and not just a software application. The equipment, location and methods used by AWS would need to be evaluated as part of these information systems.
While that can't be done without the application, there are parts of 800-53's minimum security requirements that would appl
Re: (Score:2)
FISMA AWS enables U.S. government agency customers to achieve and sustain compliance with the Federal Information Security Management Act (FISMA). AWS has been certified and accredited to operate at the FISMA-Low level. AWS has also completed the control implementation and successfully passed the independent security testing and evaluation required to operate at the FISMA-Moderate level. AWS is currently pursuing a certification and accreditation to operate at the FISMA-Moderate level from government agencies.
--Amazon Web Services: Risk and Compliance [cloudfront.net]
Re: (Score:2)
Thanks. I had only read the parent to that [amazon.com] and hadn't yet dug into the whitepaper.
Your quote confirms what I suspected might be the case: FISMA low with medium being pursued. Interesting...
As for regular US citizens wanting such... (Score:2)
This would be nice if this was available to US citizens as well. It would provide some certainty to where one's own data resides, and that they're not outside the US's jurisdiction. That, and you wouldn't have much more than geographic placement.
Re: (Score:3)
For S3, you have to specify the home region of your storage. As far as I know, your storage is not copied in the other regions, that's what CloudFront is for. I believe EC2 is also setup in regions and your VM stays where you created it.
Why do you think that signing up for Amazon's cloud means your data will go overseas?
Re: (Score:2)
> This would be nice if this was available to US citizens as well
No need. I can already kick the power cord out of the wall on my own stuff, any time I want.
Re: (Score:2)
This isn't something unique to GovCloud; you can (must?) set your s3 buckets/ec2 instances up in a specific availability zone, which determines the location of your data.
For the government.... (Score:2)
That wants downtime and lost data in the EC2 cloud.
And Then ... (Score:4, Insightful)
... Outsource support and system management to Mumbai. What could possibly go wrong?
How Amusing! (Score:1)
Honeypot or target painter? You decide.
C&A - NIST SP800-53 (Score:2)
No, what is stopping the government from moving to the cloud is crazy NIST requirements in some of the archaic parts of NIST SP800-53. If they can give me a fully certified compliant system you would seem movement in droves.