
The Advantages of a Risk-Based Approach to Security in Government


When the US Government started the Federal Cloud Computing Initiative in 2009, it had a perimeter-based, traditional on-prem approach to security, largely focused on securing hardware and meeting compliance requirements. The US Government knew its approach for cloud had to be different, so it created FedRAMP. FedRAMP’s focus on securing multi-tenant cloud environments moved security from a hardware-focused mentality to an approach centered on data security and managed risk.

FedRAMP’s use of NIST’s Risk Management Framework has continued to expand how the government can use cloud services. When FedRAMP launched, it was predicted that only 25% of Federal IT systems would be suited for cloud computing. By using a risk-based approach to security, FedRAMP has introduced additional security guidelines to now enable more than 75% of Federal data to be suitable for cloud computing.

Benefiting from a Risk-Based Approach

The NIST Risk Management Framework lets Federal agencies take a risk-based approach by treating data as the first element of security. Before determining any security requirements for a system, agencies must first determine what data they will be putting into it. The security requirements are then matched to the data itself.

Starting with the data lets agencies better understand the risk of that data being manipulated, seen by the wrong person, or made unavailable, because ultimately those are the outcomes that securing a system is meant to prevent. The security process now allows the government to look at a system holistically, in terms of how it protects against those threats, rather than component by component.

Defense in Depth Enables Risk Management

FedRAMP’s risk-based approach uses a concept called defense in depth: data is protected in different ways across multiple components within a system, and those protections are evaluated collectively. Focusing on the system as a whole allows more adaptable security, even when certain components of the system have known weaknesses.

A simplified way of thinking about defense in depth is the Swiss cheese model, which is also used in other industries such as healthcare, aviation, and engineering. The concept is that each individual slice might have holes in it (like Swiss cheese), but when the slices are layered on top of one another, the holes no longer line up and the stack behaves like a solid piece with no holes.

Expanding the Risk-Based Approach

The Federal government, to its credit, is working to enable a risk-based approach in many of its cybersecurity programs in addition to FedRAMP. DHS’s CDM program took this to heart with a phased roll-out of capabilities. The Trusted Internet Connection 3.0 trust-zones approach undoes the “all or nothing” approach of previous iterations and focuses on data classifications and the type of service being used. Both of these programs have also focused on ensuring they are compatible with FedRAMP and the NIST Risk Management Framework.

One of the newer concepts related to risk management is Zero Trust. In short, any time data is accessed, there is a check that whoever is accessing that data is supposed to see it, and this happens continuously while any system is in use. Basically, there is zero trust whenever data is accessed: trust has to be proven from component to component. How is this risk-based, and how does it fit the Swiss cheese model? Instead of granting access to an entire system, you create segmentation that allows many people within the same system to have different levels of access to data based on their individual need. It lets security teams match data access to risk within a single system or across interconnected systems.
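To make the data-first categorization and the per-access Zero Trust check concrete, here is an added Python sketch; it is not code from the post or from Salesforce, and the record and subject fields and the three check layers are assumptions chosen for illustration. It categorizes data by the harm of disclosure, manipulation and unavailability (the FIPS 199 high-water-mark rule the NIST RMF uses), then evaluates several independent, deny-by-default layers on every access rather than once at login, so one layer's hole is covered by the others.

```python
from dataclasses import dataclass

# Impact levels used by the NIST RMF / FIPS 199 categorization.
LEVELS = {"low": 1, "moderate": 2, "high": 3}


def categorize(confidentiality: str, integrity: str, availability: str) -> str:
    """Data-first step: rate the harm of disclosure, manipulation and
    unavailability, then take the high-water mark (FIPS 199 rule)."""
    return max((confidentiality, integrity, availability), key=LEVELS.__getitem__)


@dataclass(frozen=True)
class Record:
    segment: str   # assumed: the program/tenant boundary this record lives in
    impact: str    # result of categorize()


@dataclass(frozen=True)
class Subject:
    user: str
    segments: frozenset   # assumed: segments the user has a need-to-know for
    max_impact: str       # assumed: highest impact level the user may see
    authenticated: bool = True


def authorize(subject: Subject, record: Record) -> tuple[bool, list[str]]:
    """Deny-by-default decision evaluated on every access, not once at login.
    Each layer can fail independently; access requires all of them to hold."""
    layers = [
        ("authenticated", subject.authenticated),
        ("need-to-know", record.segment in subject.segments),
        ("impact-ceiling", LEVELS[record.impact] <= LEVELS[subject.max_impact]),
    ]
    failed = [name for name, ok in layers if not ok]
    return (not failed, failed)


def access_log_line(subject: Subject, record: Record) -> str:
    """Audit line for the decision; denials name the layer that stopped access,
    which is what a SOC needs to spot probing across segments or impact levels."""
    allowed, failed = authorize(subject, record)
    verdict = "ALLOW" if allowed else "DENY(" + ",".join(failed) + ")"
    return f"user={subject.user} segment={record.segment} impact={record.impact} {verdict}"
```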

Salesforce and Risk-Based Security

At Salesforce, we have invested heavily in adopting FedRAMP’s risk-based approach to security. We have two offerings meeting the strict FedRAMP Moderate and FedRAMP High security requirements. When Federal agencies use Salesforce’s #1 CRM, they get to leverage the best of the risk management framework, allowing them to innovate at the speed 2020 demands and scale to unprecedented levels, all while ensuring government data is secure.

Visit our website to learn more about the GovForward: Multicloud Series and FedRAMP through our additional resources.
