A Brief Catch-Up Ahead of the AWS Public Sector Summit

Tom Atkins
Published June 19, 2018

Each year, Washington D.C. plays host to one of the largest cloud-oriented public sector gatherings on the planet – AWS’ suitably dubbed Public Sector Summit. And this year is no different, with IT leaders from countless government and educational agencies descending upon the U.S. capital on June 20th to observe the latest and greatest happenings in this space. As the leading public cloud provider, it’s unsurprising to note that AWS has the lion’s share of this market, boasting over 2000 active government agencies currently utilizing its cloud platform. Many of these have also implemented F5 solutions in some way across their application architectures, whether that be in their on-premises data centers, private clouds, or – more recently – their AWS environments. And it is in the latter that F5 has made significant investments over the past year to better support both new and existing public sector customers making their transitions to the AWS Cloud. In this article we’ll take a brief look at a number of these developments…

FIPS 140-2 Level 1 Validation for BIG-IP VE on AWS

FIPS 140-2 is the mandatory security standard required of all U.S. government systems that use cryptography to encrypt sensitive but unclassified information. There are, however, different levels of FIPS 140-2 certification, ranging from Level 1 (which can be achieved through implementation of software cryptographic modules) all the way through to Level 4 (which requires the use of physical security measures such as HSMs to enable the automated destruction of encryption keys upon interference), depending on the degree of security provided.

Following extensive and thorough validation procedures, the National Institute of Standards and Technology (NIST) has recently verified that the software cryptographic module within BIG-IP virtual editions (VEs) meets all FIPS 140-2 Level 1 compliance requirements when operating in both AWS and Azure cloud environments. Excitingly, this makes F5 the first and only ADC vendor to offer a FIPS 140-2 L1 validated software solution in the public cloud. Federal government agencies, U.S. military organizations, contractors, and financial services companies can now take advantage of the industry’s leading application services, coupled with the best-of-breed security associated with this FIPS-certified cryptographic module.

Facilitation of DISA Secure Cloud Computing Architectures (SCCA) for DoD Users

For a DoD agency, ensuring the security of data is of paramount importance both in the cloud and on-premises. As such, the Defense Information Systems Agency (DISA) recently released an extensive set of recommendations for securing cloud architectures up to the same standard as those found in DISA’s physical data centers – enabling the hosting of impact level 4 and 5 data in the cloud. These strict requirements cover various categories, including the security of the cloud access points, protection of applications and their data, and enforcement of role-based access control (RBAC).

F5 has recently verified and documented that most, if not all, of the SCCA requirements stipulated can be met or optimized by employing F5 virtual solutions on AWS – delivering key capabilities such as the separation of user and management traffic, and reverse proxy capabilities for handling access requests from client systems. By implementing F5 solutions in accordance with SCCA guidelines, DoD agencies can now ensure high availability of cloud resources and gain unparalleled visibility into all traffic, all while delivering robust security for their cloud network, applications and data.

BIG-IP VE Availability for the AWS GovCloud (US) Region and Marketplace

For those of you unfamiliar with AWS GovCloud (US) and the purpose it serves, it essentially allows organizations who are responsible for highly sensitive data and IT workloads to proceed in concert with federal, state, and local government compliance requirements (such as FedRAMP, ITAR, and HIPAA) by providing an isolated and dedicated region of AWS infrastructure to securely deploy applications. This enables IT organizations within these agencies to reap the same benefits of public cloud computing as all other AWS users: enhanced agility and scalability, and greater alignment of costs-to-usage within an OpEx budget model.

Workloads within this region still require the same advanced traffic management and security services as those on the AWS commercial cloud, leading F5 to extensively test and verify support for its BIG-IP VEs within the AWS GovCloud (US) region. In doing so, customers are now able to seamlessly migrate full application stacks (inclusive of their existing F5 solutions and policies) to this region of AWS. And not only that, but through complete integration with the GovCloud (US) Marketplace, customers are also able to effortlessly deploy these pre-vetted F5 solutions directly into their VPCs at the click of a few buttons, drastically reducing time to market. Click here to visit these listings on the GovCloud (US) Marketplace.

CloudFormation Template Support for the AWS GovCloud (US) Region

Over the past year, F5 has doubled down on its efforts towards developing and enhancing new and existing CloudFormation Templates (CFT). These templates leverage AWS’ native resource management service to automate the instantiation of BIG-IP VE architectures in a matter of minutes. With little to no experience of BIG-IP, or even the AWS Cloud, users can execute these templates to configure simple and complex BIG-IP topologies with the confidence and precision of an F5 expert, diminishing the potential impact of human error. A few examples of deployment types that are possible using these templates include:

Originally these templates could only be used for deployments on the AWS commercial cloud. However, following the appropriate testing, F5 recently authorized and now fully supports the use of its entire CFT portfolio in the AWS GovCloud (US) Region too. All templates are housed in F5’s CloudFormation repository on GitHub (so go and test them out – they’re completely free and open source), and for more information refer to this solution overview.

…And finally, see you at AWS Public Sector Summit!

If you’re attending the summit this week and have questions or queries about anything covered here, or about F5 solutions on AWS in general, do stop by our booth (#220) and chat to some of our solution architects and engineers – we’ll be more than happy to help.
