As Aumentum transitions to a cloud-hosted SaaS product, the conversation about "public cloud" vs. "government cloud" is of interest to customers. This session will review some cloud computing definitions, discuss what is commonly referred to as "government cloud," and provide a preview of the Aumentum cloud strategy.
Kevin Hakanson is a Sr. Software Architect in Thomson Reuters Tax and
Accounting Professionals Government Technology based in Minneapolis, MN.
Kevin has over 25 years of professional experience in software development. He
started at Thomson Reuters in 2002 and joined Government Technology in 2018 to
execute on the public-cloud strategy. He is an expert at building cost-effective,
secure web applications in the cloud and presents on security topics at industry
Kevin holds an MS in Software Engineering and a BA in Computer Science and
Mathematics. His certifications include AWS Certified Solutions Architect –
Professional and AWS Certified Security – Specialty.
Discussion on Government and Public cloud solutions for Aumentum.
(Note: some slides have a lot of words)
– Government Cloud
4:45 Q & A
– (or ask questions anytime)
5:00 Start enjoying your free time
– (or earlier if nobody asks questions)
NIST Cloud Computing Definitions
• Cloud Consumer - A person or organization that maintains a business
relationship with, and uses service from, Cloud Providers.
• Cloud Provider - A person, organization, or entity responsible for making a
service available to interested parties.
• Cloud Broker - An entity that manages the use, performance and delivery of
cloud services, and negotiates relationships between Cloud Providers and Cloud
Consumers.
• Public Cloud - The cloud infrastructure is made available to the general public or
a large industry group and is owned by an organization selling cloud services.
NIST Cloud Computing Definitions
• Infrastructure as a Service (IaaS) - The capability provided to the consumer is to provision processing,
storage, networks, and other fundamental computing resources where the consumer is able to deploy and
run arbitrary software, which can include operating systems and applications. The consumer does not
manage or control the underlying cloud infrastructure but has control over operating systems, storage,
deployed applications, and possibly limited control of select networking components (e.g., host firewalls).
• Platform as a Service (PaaS) - The capability provided to the consumer is to deploy onto the cloud
infrastructure consumer-created or acquired applications created using programming languages and tools
supported by the provider. The consumer does not manage or control the underlying cloud infrastructure
including network, servers, operating systems, or storage, but has control over the deployed applications and
possibly application hosting environment configurations.
• Software as a Service (SaaS) - The capability provided to the consumer is to use the provider’s applications
running on a cloud infrastructure. The applications are accessible from various client devices through a thin
client interface such as a web browser (e.g., web-based email). The consumer does not manage or control
the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual
application capabilities, with the possible exception of limited user-specific application configuration settings.
• IaaS – Infrastructure as a Service provides a vendor-supported data center where
the customer must specify and provision all required compute resources: machines,
networks, storage, etc. “Your mess for less.”
• PaaS – Platform as a Service eliminates infrastructure management of compute
resources, which are managed automatically. “Move and improve.”
• SaaS – Software as a Service provides centrally hosted applications licensed via
subscription model. SaaS solutions use IaaS and/or PaaS compute resources.
• Hosting – Licensed or owned software deployed on-premises or in the cloud,
directly or by a 3rd-party provider. Hosted cloud solutions use IaaS and/or PaaS
compute resources. Hosted solutions may be offered in a SaaS model.
Software as a service (SaaS) allows users to connect to and use cloud-based apps
over the Internet. Common examples are email, calendaring, and office tools (such
as Microsoft Office 365).
[Figure: cloud service stack, top to bottom – hosted applications/apps; development tools; operating systems; servers and storage; networking; data center physical]
Example Usage Scenario
A cloud consumer may request service from a cloud broker instead of
contacting a cloud provider directly. The cloud broker may create a new
service by combining multiple services or by enhancing an existing
service. In this example, the actual cloud providers are invisible to the
cloud consumer and the cloud consumer interacts directly with the
cloud broker.
• In some scenarios “you” (as a cloud consumer) are moving your entire data
center to a cloud provider and responsible for:
‒ Choosing a cloud provider like AWS, GCP, or Microsoft Azure
‒ Understanding and selecting between IaaS and PaaS
‒ Managing the underlying cloud infrastructure
‒ and lots more …
• In other scenarios “you” (as a cloud consumer) are moving an application (like
Thomson Reuters Aumentum) to a cloud provider who is responsible for:
‒ Offering the application as a SaaS capability
‒ Choosing cloud provider, understanding IaaS & PaaS, managing infrastructure, …
• In all scenarios “you” are concerned about the availability and security of your
application and its data.
Government Cloud or “Gov Cloud”
“Gov Cloud” is a generic term for a commercial government cloud regardless of
vendor. These clouds are subject to government compliance certifications covering
data-center location and personnel. Non-certified 3rd-party software can still run
in a “Gov Cloud”; the certification covers the provider’s infrastructure, not the
software a customer deploys on it.
• AWS GovCloud (US)
Amazon's cloud regions designed to host sensitive data, regulated workloads, and address the most
stringent U.S. government security and compliance requirements.
• Azure Government
Choose from six government-only datacenter regions, all granted an Impact Level 5 Provisional
Authorization. And, Azure Government offers the most compliance certifications of any cloud provider.
• Google Cloud Government
Help improve citizen services, increase operational effectiveness, and deliver proven innovation at your
government agency with our highly secured, powerful technology.
US Government Compliance Examples
• Criminal Justice Information Services (CJIS)
• Committee on National Security Systems Instruction No. 1253 (CNSSI 1253)
• Defense Federal Acquisition Regulation
• US Department of Defense (DoD) Provisional Authorization (DoD DISA L2, L3, L5)
• Department of Energy 10 CFR Part 810
• EAR (US Export Administration Regulations)
• Federal Risk and Authorization Management
• Federal Information Processing Standard (FIPS)
• US Internal Revenue Service Publication 1075
• International Traffic in Arms Regulations (ITAR)
• NIST Special Publication (SP) 800-171
• NIST Cybersecurity Framework (CSF)
• Section 508 VPATs
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide
program that provides a standardized approach to security assessment, authorization,
and continuous monitoring for cloud products and services.
FedRAMP's Applicability to State and Local Entities
Given that FedRAMP is a rigorous cloud security program, there is increased
interest from state and local governments in leveraging or requiring FedRAMP for
their own cloud-based information systems.
Due to FedRAMP’s specificity to federal information, non-federal government
organizations (e.g., state, local, tribal, territorial, etc.) are not able to partner with
CSPs for FedRAMP Authorization.
Some cloud service deployments are available for non-federal government use,
specifically Public Cloud and some Government-Only Community Clouds.
Shared Responsibilities for Cloud Computing
As organizations consider and evaluate public cloud services, it is
essential to explore how different cloud service models will affect cost,
ease of use, privacy, security and compliance.
Understanding this shared responsibility model is essential for customers who are
moving to the cloud. Cloud providers offer considerable advantages for security and
compliance efforts, but these advantages do not absolve the customer from protecting
their users, applications, and service offerings.
Government Cloud and Aumentum
• Customers inquire about Government Cloud because they are concerned about
security, which is often aligned with a compliance standard.
• All Azure Commercial Cloud regions are FedRAMP High. However, this only
covers the cloud infrastructure Microsoft provides.
• Software like Aumentum requires its own compliance certification. Since
FedRAMP is only applicable to federal use, the question pivots to what specific
compliance standards are required of Aumentum?
[Figure: Aumentum Virtual Network – access is via the Web Browser and API Layer only, with no direct access to the database; WAF and IP Restriction at the edge; user groups shown are Aumentum Government Users and Public Access Users; also shown are the Aumentum 360 Marketplace and Managed Encryption Keys]
• …employ more than 3,500 cybersecurity professionals and spend $1 billion
annually on security…
• …experience from monitoring more than one million databases over the past few
years to offer Advanced Data Security for SQL Database…
• …continuously monitors your database for suspicious activities like SQL injection
and provides alerts on anomalous database access patterns…
Azure SQL Database
The best destination for fully managed SQL in the cloud
• Frictionless database migration with no code changes at an industry leading
• Built-in machine learning for peak database performance and durability that
optimizes performance and security for you
• Unmatched scale and high availability for compute and storage without
• Advanced data security including data discovery and classification, vulnerability
assessment, and advanced threat detection all in a single pane of glass
Azure Application Gateway
• Scalable, highly available web application delivery
‒ Get application-level load-balancing services and routing to build a scalable and highly
available web front end in Azure.
• Web application firewall
‒ Protect your applications from common web vulnerabilities such as SQL injection and cross-site scripting.
• End-to-end SSL
‒ Strong encryption from front end to back end helps to secure your data.
• Tight integration with Azure
‒ Azure Monitor and Azure Security Center provide centralized monitoring and alerting, and an
application health dashboard. Key Vault offers central management and automatic renewal of
SaaS Application Challenges
Customers expect availability and security from Aumentum as a SaaS application.
• The only access is via Web Browser or an API layer.
• No direct access to the “database” to make schema changes or use reporting
(Attend the Aumentum 360 Marketplace session tomorrow at 9:45)