Security is already of high importance for all organizations, especially given the rise of cybercrime in recent years. For government organizations and their contractors, keeping their data protected isn’t limited to just their organization; it’s a matter of national security. For governments and contractors looking to store their information in a secure but convenient manner, Amazon Web Services GovCloud is the ideal solution.
Moving to the Cloud can seem daunting, especially for organizations that need to store particularly sensitive data. Understanding the Cloud, its benefits, and the important differences between Amazon Web Services’ commercial Cloud and GovCloud makes that move far less daunting. Many of these organizations still host their data on-premise on out-of-date servers, putting their sensitive information at risk from malicious actors.
By moving to the AWS GovCloud, these same organizations can keep their data secure without excessive spending and additional work for their IT teams. We’ll explain the differences between AWS commercial Cloud and GovCloud.
Quick Refresher - What is the Cloud?
Cloud Computing is the practice of using a network of remote network servers hosted via the Internet to store, manage, and process data. In simple terms, the Cloud is a group of data centers that are available to users over the internet.
For organizations that are still remote or hybrid, the Cloud can help maintain a streamlined work environment, no matter where your employees work. When data is stored completely on-premise, it’s inaccessible to employees who aren’t on your network. This can cause processes to slow down, with employees needing to download and send files back and forth, or wait until they’re in the office to access certain data. With the Cloud, users can access their files anywhere they have an internet or LTE connection and on any type of device (desktop, laptop, tablet, smartphone, etc.). This means your organization can give your employees the flexibility to work from anywhere.
Amazon Web Services (AWS) is one of the largest providers of Cloud computing services in the world, with over 90% of Fortune 100 companies working with an AWS Partner. Many of PiF’s customers have moved to the AWS Cloud in recent years, with that number continuing to grow as organizations see the value of a secure, flexible Cloud infrastructure.
Unlike other Cloud providers who define a region as a single data center, AWS Regions consist of multiple Availability Zones, each made up of discrete data centers with identical power, networking, and connectivity abilities and each housed in a separate facility, to ensure the Cloud is always secure. This means that even if one data center is compromised, your data is backed up to other data centers and still protected.
What does it mean to host “on-premise”?
On-prem is short for on-premise, which can also be described as self-hosted, on-site, or locally operated. On-premise simply refers to hosting your document management system and files on the servers currently running in your offices. Most of the time, your staff can only access these servers when they are physically in the building. This can create trouble if someone is working remotely or traveling for work, placing unintentional limits on how easily they can access their work files. On-premise systems do not require the user to be connected to the Internet to access files, as the files are often hosted locally on the individual’s computer.
What is the AWS GovCloud?
Within the Amazon Web Services Cloud, AWS GovCloud is a set of isolated AWS Regions designed to allow U.S. government agencies and customers to store sensitive data in the Cloud by addressing their specific regulatory and compliance requirements. AWS GovCloud is made up of the AWS GovCloud East and West Regions and their services, and is an isolated cloud environment where accounts are only granted to United States-based persons working for U.S. organizations.
Some regulatory and compliance requirements include:
- FedRAMP – Federal Risk and Authorization Management Program
- DoD SRG – Department of Defense Security Requirements Guide, Impact Level 5
- CJIS – Criminal Justice Information Services
- ITAR – International Traffic in Arms Regulations
- EAR – Export Administration Regulations
AWS GovCloud uses FIPS 140-2 approved cryptographic modules (the set of hardware or software that implements approved security functions) for all AWS service API endpoints, and is logically and physically administered exclusively by U.S. citizens, who do not have visibility into what customers are uploading to the network; all customer data within AWS GovCloud is treated as regulated.
AWS GovCloud can be utilized for all types of Controlled Unclassified Information (CUI) and unclassified data.
What is the AWS GovCloud vs. the AWS Commercial Cloud?
The two main types of Cloud services offered by Amazon Web Services are the commercial Cloud and the GovCloud. The Commercial Cloud, also known as AWS Global, is the standard AWS Cloud platform that is available to all customers worldwide. This is designed for general use and is the default option for most Cloud customers.
On the other hand, AWS GovCloud is a set of specific Regions designed to host sensitive data and workloads in the cloud for customers with U.S. government compliance requirements. While both Clouds rely on Regions built by Amazon Web Services, the AWS GovCloud Regions are physically isolated and do not have any physical connectivity to any other AWS Region.
The GovCloud is designed to meet the specific needs of government agencies and government contractors, and provides additional controls and compliance measures that are not available in the commercial Cloud. It offers services that can be used for building, deploying and managing the applications for various use cases within federal, state, and local governments, education and research, critical national infrastructure, and others.
It is only available to customers that are U.S. persons, and provides additional security and compliance controls to meet specific regulatory requirements such as the Federal Risk and Authorization Management Program (FedRAMP) and International Traffic in Arms Regulations (ITAR).
In summary, the main difference between the commercial cloud and the GovCloud is that the GovCloud is specifically designed to meet the compliance and security requirements of government customers, while the commercial cloud is available to all customers and is designed to meet the needs of a wide range of users.
Key Differences between AWS Global and AWS GovCloud
Sign up
During the sign-up process, each customer is reviewed to determine whether they are a U.S. entity (such as a government body, contracting company, or educational organization) whose account credentials will be managed by a U.S. person.
Endpoints
AWS GovCloud uses endpoints that are specific to AWS GovCloud; they are publicly reachable from the Internet but are usable only by AWS GovCloud customers.
Credentials
You can access AWS GovCloud only with GovCloud credentials. You cannot access AWS GovCloud with standard AWS credentials. Likewise, you cannot access standard AWS Regions using AWS GovCloud credentials.
Multi-factor authentication
Due to the separate authentication stack, the hardware MFA tokens used with standard AWS accounts are not compatible with AWS GovCloud accounts. AWS GovCloud only supports MFA devices listed on the Multi-Factor Authentication page.
Billing, account activity, and usage reports
An AWS GovCloud account is always associated with a single standard AWS account for billing and payment purposes. All AWS GovCloud billing is billed or invoiced to the associated standard AWS account. You can view the AWS GovCloud account activity and usage reports through the associated AWS standard account only.
Services
Services in the AWS GovCloud Regions might have different capabilities compared to services in standard AWS Regions. For example, in GovCloud, you must launch all Amazon EC2 instances in an Amazon Virtual Private Cloud (Amazon VPC).
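The endpoint, credential and VPC differences above lend themselves to a simple pre-deployment check. The following is an added example written for this post (not AWS tooling or PiF’s own code); it assumes the GovCloud Region codes `us-gov-west-1` and `us-gov-east-1` and the `aws-us-gov` ARN partition, none of which are named in the post, and it runs over a constructed sample deployment description to flag resources, endpoints and EC2 instances that would not be valid in GovCloud.

```python
import re
from typing import Dict, List

# Assumed, not taken from the post: the region codes of the GovCloud (US)
# West and East Regions and the ARN partition AWS uses for them.
GOVCLOUD_REGIONS = {"us-gov-west-1", "us-gov-east-1"}
GOVCLOUD_PARTITION = "aws-us-gov"
ARN_RE = re.compile(r"^arn:([^:]+):([^:]*):([^:]*):([^:]*):(.+)$")
ENDPOINT_RE = re.compile(r"^[a-z0-9-]+\.([a-z-]+-\d)\.amazonaws\.com$")

def check_arn(arn: str) -> List[str]:
    """Flag an ARN whose partition or Region is outside AWS GovCloud."""
    m = ARN_RE.match(arn)
    if not m:
        return [f"malformed ARN: {arn}"]
    partition, _svc, region, _acct, _res = m.groups()
    findings = []
    if partition != GOVCLOUD_PARTITION:
        findings.append(f"not in the {GOVCLOUD_PARTITION} partition: {arn}")
    # Global services such as IAM and S3 leave the Region field empty.
    if region and region not in GOVCLOUD_REGIONS:
        findings.append(f"Region {region} is not a GovCloud Region: {arn}")
    return findings

def check_endpoint(host: str) -> List[str]:
    """Flag a service endpoint that does not belong to a GovCloud Region."""
    m = ENDPOINT_RE.match(host)
    if not m:
        return [f"unrecognised endpoint: {host}"]
    return [] if m.group(1) in GOVCLOUD_REGIONS else [f"not a GovCloud endpoint: {host}"]

def check_instance(inst: Dict[str, str]) -> List[str]:
    """GovCloud requires every EC2 instance to be launched inside a VPC."""
    if inst.get("SubnetId"):
        return []
    return [f"instance {inst.get('InstanceId', '?')} is not in a VPC subnet"]

def audit(config: dict) -> List[str]:
    findings: List[str] = []
    findings += [f for arn in config.get("arns", []) for f in check_arn(arn)]
    findings += [f for h in config.get("endpoints", []) for f in check_endpoint(h)]
    findings += [f for i in config.get("instances", []) for f in check_instance(i)]
    return findings

SAMPLE_CONFIG = {  # constructed sample, not real resources
    "arns": ["arn:aws-us-gov:iam::123456789012:user/alice", "arn:aws:s3:::example-bucket",
             "arn:aws-us-gov:ec2:us-east-1:123456789012:instance/i-0abc"],
    "endpoints": ["ec2.us-gov-west-1.amazonaws.com", "sts.us-east-1.amazonaws.com"],
    "instances": [{"InstanceId": "i-0abc", "SubnetId": "subnet-0def"}, {"InstanceId": "i-0123"}],
}
```

Running `audit(SAMPLE_CONFIG)` returns four findings: the commercial-partition S3 ARN, the GovCloud ARN that names a commercial Region, the commercial STS endpoint, and the instance with no subnet.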
AWS Management Console for the AWS GovCloud Region
You sign in to the AWS GovCloud console by using an IAM (Identity and Access Management) username and password. This requirement is different from the standard AWS Management Console, where you can sign in using your account credentials (email address and password). You cannot use your AWS GovCloud account access keys to sign in to the AWS GovCloud console.
How to determine which AWS Cloud Region you need
There are multiple variables in selecting the Cloud Region that fits your organizational needs as well as compliance requirements. The figure below highlights these differences.
Learn more about AWS GovCloud (US) and AWS for commercial entities
Do you have questions about which Cloud is right for your organization? Or are you looking to migrate your data to the GovCloud due to compliance requirements? PiF Technologies has the knowledge and experience to help your organization understand if you need AWS Global or GovCloud and help you move your data to the Cloud that fits your needs.