Do you need a higher security level (and who doesn’t)?
It’s common knowledge that enterprises value the flexibility and quick deployment provided by cloud-resident tools and services. It’s also common to ask, “but are they secure enough for me?” This question can be even more pertinent if you work in a U.S. federal agency or in a U.S.-based regulated industry that might require a higher stated level of security to protect your most sensitive unclassified data. Therein lies a dilemma: How much do I limit myself by avoiding cloud-resident tools in favor of older-style, environmentally isolated solutions that don’t live in, rely on, or use the cloud? And is that trade-off worth it? The answers to those questions are straightforward. There’s no need for isolation as long as you can be confident that (a) the most stringent security requirements are met, and (b) required security controls are in place. For some services, an isolated product or service might meet those requirements. On the other hand, the flexibility provided by cloud offerings for operational workloads such as data backup and infrastructure monitoring better serves operational needs.
For U.S. federal agencies and other U.S.-based regulated industries, there is a way to address these security requirements. The first “gate” is for the cloud-based service or tool to be hosted on a highly secure government-approved cloud, such as GovCloud. Then each product or service must follow the standardized qualification process through the Federal Risk and Authorization Management Program (FedRAMP). The program defines three impact levels (Low, Moderate, and High), each with defined requirements that a vendor has the option to comply with.
FedRAMP authorization signifies that the solution complies with certain security controls between the service itself and the site in question. The higher the required impact level, the greater the number of security controls required and the tighter those controls must be in order to protect sensitive data. Although some FedRAMP environments may require only Low or Moderate impact level protections, all environments benefit from the added security offered by the next level or levels.
How does FedRAMP compliance bring cloud file services to highly secure environments such as U.S. governmental agencies? Let’s start with the main issue: “What can cloud storage do for me?” In short, cloud storage gives you the flexibility to build, deploy, and manage storage resources for mission-critical applications, databases, containers, and user files in the cloud. Compliance of these services with FedRAMP means that your chosen storage service can maintain the high level of security you need. This compliance results in reduced management costs by tapping into the same industry-wide benefits provided by commercial or private clouds, and it also simplifies operational support.
Examples of cloud-resident storage services that meet these stringent requirements include Azure NetApp Files (in Azure) and Amazon FSx for NetApp ONTAP (in AWS). Both are based on NetApp® ONTAP®, the industry-leading data management software, leveraging storage efficiency technologies, data protection capabilities, security, and ransomware threat protection, along with low-latency performance. Another offering, NetApp Cloud Volumes ONTAP for AWS, is not a FedRAMP option at this time, but it has just been released for availability through the AWS U.S. Intelligence Community Marketplace.
When you’re confident that your data is securely stored, the next question is how to operationally manage these resources in a way that complies with highly regulated industry or governmental agency environments. This question also has a straightforward answer: by deploying storage management services that meet the requirements for use in restricted and private clouds. New NetApp BlueXP™ restricted and private deployment modes let you use BlueXP to manage both NetApp on-premises and cloud storage in restricted, secure, sovereign hyperscaler, or totally air-gapped networks.
In restricted mode, BlueXP enables you to discover, deploy, and manage cloud storage and certain data services within secure clouds. With this deployment mode, the BlueXP control plane/UI can run directly from the BlueXP Connector or by using a secure connection to the BlueXP software-as-a-service layer.
In private mode, the BlueXP Connector is deployed on premises and lets you discover and manage ONTAP systems and certain data services in either a secure/isolated on-premises or isolated cloud environment, such as AWS Secret Regions. Both private mode deployment options are isolated and air-gapped from the public internet, with the BlueXP control plane/UI running directly from the local connector.
Even these secure sites need monitoring and observability to keep their availability and performance levels high. Full-stack observability is crucial in maintaining operational awareness and health of these high-impact systems. With these requirements in mind, NetApp Cloud Insights Federal Edition now provides a SaaS-based service hosted on GovCloud. At the time of writing, NetApp is the only observability vendor able to deploy in accordance with the FedRAMP High Impact level designation, protecting the most sensitive data from exposure.
Of course, environments that require only moderate impact level protection are also covered—just with a little extra protection (and who doesn’t need that these days?). These highly secure environments need full-stack monitoring to inform admins about the performance and health of infrastructure as they identify potential conditions of failure. Observability takes it a step further, seeking to determine why devices, systems, or applications are behaving in certain ways and generating intelligent insights, which enable IT teams to quickly remediate problems before they affect customer satisfaction. These regulated environments always seem to be budget governed and budget sensitive. An additional benefit of Cloud Insights is the ability to reduce cloud spending by using artificial intelligence and machine learning to speed the identification of idle, underused, or stressed resources so they can be reprovisioned. This use of AIOps to reduce spending makes it easy to optimize the cost and performance equation of cloud-based or hybrid multicloud infrastructure.
FedRAMP provides government and civilian agencies, as well as other regulated industries, a strong blueprint for building a high-confidence security environment. NetApp Cloud Insights, BlueXP, Cloud Volumes ONTAP, and ONTAP-based cloud storage from our partners such as AWS and Azure are essential in delivering the flexibility promised by cloud-based services and tools, without compromising these customers’ security. Even if your organization is not a federal or civilian agency, it’s a good idea to consider the use of technologies that comply with these requirements as you design the optimum cost/benefit equation to fit your hybrid cloud environment.
Cliff Oberholtzer has been in technology since his youth, starting by building his own radios as a hobby, then transitioning to repairing early computer systems before moving into quality engineering, then finding his home in product marketing and management. He enjoys bowling, old movies, and walking with his four-legged friends. Cliff got his start with a technical degree that was fueled by his passion for technology. Cliff has worked with the needs of data centers and clouds with many monitoring, compute, network, and storage technologies, including their disaster recovery needs. Cliff is currently the Product Marketing Manager for Cloud Insights for NetApp.