Hi. I'm Chris and I'm an AWS addict. <Crowd>Hi Chris</Crowd>
That's right, I am using an EC2 as a development platform for RedSpartan as a code repository, wiki and issue tracker (in the form of a RedMine instance). I am also using a Windows instance to host the development and alpha instances of the tool itself. *gasp*
I am telling you this because I am totally confident in my ability to encrypt the sensitive information in the database and on the file system. I also feel that I have created an environment for my application to run where (if even Amazon were to fail at protecting my instance) that an attacker would have limited success in capturing any data.
I use AWS because the VM is mine to manage. I deploy patches. I install software. I configure the firewall. I take images when I want. When I want a restore, I get one. I want a reboot, the box is rebooted.
The downside: It is mine to screw up. But I do not fear because I have been managing servers for nearly 15 years.
I don't want this to end up sounding like a sales pitch for RedSpartan, my professional services or AWS. However, virtual machines, cloud and XaaS is the future of enterprise computing. As a result, I feel that applications need to be built in a robust manner. Does this mean that I spent extra time on reducing my vulnerability count? Yes. Does it mean that I scrapped many, many lines of code because I architected it incorrectly? Yes. Does it mean that I am a paranoid, crazy person? Perhaps.
The point I am trying to make is that you can put your data and applications anywhere (like AWS) but it still needs to be protected. As part of Amazon's recent announcement that they can comply with FISMA in their new government region, there is still significant work to ensure that data is protected. I don't know anything about the controls in place at Amazon, but I will say that nowhere is 800-53 mentioned in their press release or the baseline they expect to meet. They also mention SAS 70, which to my knowledge is being sunset in favor of SSAE 16. This tells me that Amazon is not wholly up to date on what is happening in the compliance space. Given that ITAR is mentioned 3 times, I think that this is more about ensuring that the government's data is in Northern Virginia or California (or both).
A friend of mine said that he recently worked on an authorization package that was not in the GovCloud region but that was hosted with Amazon. His words where something like: Amazon's crap is wired and their kung fu is strong. I believe him. But I would also not document controls for Amazon, I would mark them as inherited and put them on the hook via their own SSP. I expect by now that Amazon would have a standard SSP with the controls they are providing with all the usual things that go into an SSP. That way they aren't reinventing the wheel for each new Federal customer.
So I say: Cloud it up govies. But do it in a way that protects the government, citizens and whoever you are keeping files on.