Meeting government security mandates can be challenging to say the least. It’s often a laborious and confusing process. A myriad of controls all need to be addressed and proven to assessors.
The NIST 800-53 (https://nvd.nist.gov/800-53) is one of the most frequently used security guidelines for Federal agencies seeking Authority to Operate (ATO) for a system. NIST 800-53 is divided into multiple sections such as Access Control, Auditing, Configuration Management, and Physical Environment among others.
The public Cloud adds another layer of complexity since customers have limited access to the inner workings of the cloud provider’s environment. As the saying goes, “Cloud is just someone else’s computer.” As such, customers do not have control over, or even visibility into certain settings.
The FedRAMP (https://www.fedramp.gov/) program helps in some ways, as it allows agencies to see who has already been vetted for providing cloud services to the Federal Government. It’s useful to know that another Federal Government Agency has spent time assessing the cloud provider’s controls and determined them to meet Federal security standards. The customer inherits a percentage of controls from the cloud provider. It’s important to note, however, that a vendor being on the FedRAMP list doesn’t tell an agency how many security controls are their responsibility, nor which ones for that matter.
Microsoft’s has attempted to make the process easier for Azure customers by publishing several guides that delineate the responsibilities between Microsoft and the customer. The Azure Security and Compliance FedRAMP Blueprint (https://servicetrust.microsoft.com/ViewPage/FedRAMPBlueprint) answers a lot of customer questions via documented Customer Responsibility Matrices.
An example of the type of coverage is in the image below courtesy of Microsoft.