It’s an all-too-familiar story: A vulnerability was discovered in a widely used software solution (both cloud and on-premises), and the vulnerability was exploited in dozens of systems before they could be patched. The result will be very costly for a large number of corporations that are now subject to ransomware. But it is even more costly for the many government organizations subject to “wiperware”, the practice of simply erasing all data with no option for the organization to pay something to get it back. According to a CNN report, the hackers posted the following on a dark web site: “If you are a government, city or police service do not worry, we erased all your data. You do not need to contact us.”
How can you avoid this fate? The best way is to keep patches relentlessly up to date. But who has the time and resources for that? Apparently, not many government organizations that had their data “wiped” due to an unpatched MOVEit vulnerability.
That’s where cloud compliance comes into play. To reduce this risk, leading federal, state, and local government agencies as well as healthcare organizations are moving to the cloud, but only after demanding that the cloud services they use adhere to strict security compliance standards such as:
- The Federal Risk and Authorization Management Program (FedRAMP).
- The State Risk and Authorization Management Program (StateRAMP).
- DoD Impact Levels 2, 4, and 5.
- The Health Information Trust Alliance Common Security Framework (HITRUST CSF).
By only authorizing cloud services that strictly adhere to these standards, organizations can be confident that the systems they use have the best possible security, with patching that is always up to date.
The latest MOVEit cyberattack is part of a growing trend. Hackers know how valuable sensitive data is. Cyberattacks increased 38% globally in 2022, according to a new report from Check Point Research. The U.S. was the most targeted country, experiencing a 57% escalation compared to 2021.
Implementing and maintaining industry-leading security and compliance is not easy for cloud service providers (CSPs). The IT landscape is constantly shifting, compliance controls keep changing, and many CSPs struggle to keep up. Maintaining a FedRAMP, HITRUST, StateRAMP, or DoD IL-4/5 authorization is just as difficult as obtaining it in the first place. Not only do those compliance standards require CSPs to implement hundreds of security controls, but they also require continuous monitoring and timely vulnerability remediation. This process can be a heavy burden on IT departments. Many teams are understaffed, and even if they do have the resources available, the complexity of continuous monitoring and compliance navigation may be outside their expertise. Of course, the authorization journey is also costly and difficult. Depending on the required cloud security framework, CSPs may spend multiple years and millions of dollars to achieve authorization.
One alternative that avoids these challenges is to outsource the work to a third party that specializes in it. Take Project Hosts’ Cloud Compliance as-a-Service, for example. The three pillars of our 100% turnkey solution are:
Compliance Inheritance – Many of the security controls required for full compliance are common across a wide range of SaaS solutions. For this reason, Project Hosts developed its GSS One Platform-as-a-Service (PaaS) solution, which is authorized (and certified) for FedRAMP, StateRAMP, HITRUST, and DoD Impact Levels 2, 4, and 5. When a SaaS solution deployed on AWS or Azure ties into GSS One, it simply inherits the majority of controls required for full compliance with those standards.
Compliance Management – For the remaining controls, our engineers and compliance experts work with organizations to understand their SaaS solution, ensure that controls are implemented, and write up a System Security Plan (SSP), Policies and Procedures, and all other required documents.
Compliance Certification – The ultimate goal of most of Project Hosts’ customers is to obtain Authorization (or Certification) for their SaaS solution. This requires passing a security audit, obtaining an Authority-To-Operate (ATO) from a federal agency, and passing an oversight review (e.g. by FedRAMP or DISA). This process is very difficult to navigate for the first time, but when an organization works with Project Hosts, it is dramatically faster and easier. Due to Project Hosts’ pre-authorized PaaS, auditors, agencies, and oversight organizations only have to assess the controls not inherited by the platform, specific to the software application.
Take the FasTrack:
Building on its three pillars, Project Hosts has developed a FasTrack process that enables organizations to get fully authorized (or certified) in 9-12 months. More information about Project Hosts’ Cloud Compliance-as-a-Service solution and FasTrack is available by emailing firstname.lastname@example.org