US Public Sector regulatory compliance with Ubuntu Pro and AWS GovCloud

Co-authors: Massimiliano Gori , Product Manager, Canonical & Mark Thomas, Solutions Architect, AWS 

Federal government organisations that either collect, store, share, transfer, or process sensitive data, as well as all federal agencies, their contractors, and service providers, are required to operate in high-security environments to ensure the safety of sensitive data such as Personally Identifiable Information or confidential information.

Developing applications for regulated federal and high-security environments can be a challenging task due to the overwhelming number of compliance requirements developers need to conform to, like FIPS, FedRAMP, ITAR, DFARS, and many more.

Making sure your physical and virtual infrastructure meets all these requirements is a difficult, time-consuming endeavor. Therefore, AWS GovCloud and Ubuntu Pro have been engineered to help take that complexity away so that you can increase developer productivity, concentrate on delivering great applications and take them to market more quickly.

What is AWS GovCloud?

Organizations with workloads that store and process Controlled Unclassified Information (CUI), Personally Identifiable Information (PII), sensitive medical records, financial data, laws enforcement data, or other export-controlled data need to ensure that they meet appropriate compliance requirements at all levels of the stack. A secure, compliant workload starts with a physical and network infrastructure. For FIPS compliance, for example, this means that all VPN endpoints and other endpoints need to be encrypted by FIPS-certified cryptographic algorithms, and physical access to the infrastructure is restricted to vetted personnel. 

AWS GovCloud is specifically designed for US Government agencies and contractors that are staffed exclusively by vetted U.S. citizens. AWS GovCloud builds on the security controls and services offered by AWS, and is only accessible to U.S. Citizens using FIPS 140-2 compliant service endpoints. 

AWS GovCloud data centers are physically and logically distinct from the rest of AWS, staffed only by vetted U.S. citizens, and only accessible by U.S. citizens. 

AWS regularly achieves third-party validation for thousands of global compliance requirements to help customers meet the compliance requirements of their workloads. AWS offers FIPS endpoints for accessing many of its services, using a minimum of TLS 1.2 encryption. 

Having a resilient, secure and compliant infrastructure is not sufficient to meet all necessary requirements. Ubuntu Pro complements the solid foundation of AWS GovCloud to make sure organizations can focus on building applications, knowing that even at the operating system level patching and compliance are handled automatically in the background.

Why use AWS GovCloud

AWS GovCloud relieves the burden of “undifferentiated heavy lifting” of securing physical access to customers’ compute environments, so they can focus on the security of their compute instances and applications. AWS GovCloud, like standard AWS regions, provides customers with a scalable infrastructure, allowing customers access to the capacity they need while paying only for what they use. 

Customers choose AWS GovCloud for the following reasons:

• AWS GovCloud provides two geographically-distinct regions in the U.S., each consisting of three geographically-distinct availability zones, enabling fault-tolerant infrastructure at a fraction of the cost of building and operating your own private datacenters.
• AWS GovCloud users can utilize AWS CloudTrail, Amazon Inspector, AWS Config, and Amazon GuardDuty for additional monitoring and control of access to sensitive data.
• Customers who need to run FIPS compliant workloads without the requirements for U.S. access requirements can achieve compliance with standard AWS regions and Ubuntu Pro.

How Ubuntu Pro and AWS GovCloud help you meet your compliance requirements

Ubuntu is the most popular Linux distribution in the public cloud, running over 50% of Linux workloads globally due to its reliability, stability and ease of use. In order to address the enterprise and public sector compliance requirements, we developed a premium Ubuntu Pro image in partnership with public cloud providers. 

Ubuntu Pro is a full-featured open-source platform for cloud innovators. Ubuntu Pro is available for AWS GovCloud, where it combines comprehensive open-source security with the aforementioned AWS compliance features. 

Ubuntu Pro offers the following key features:

• FIPS validated components – all Ubuntu Pro images offer FIPS 140 validated cryptographic packages, which allow you to comply with the public sector cryptographic requirements
• CIS and DISA STIG – For companies looking to leverage industry benchmarks for hardening, Ubuntu Pro makes two leading implementation guides available through the Ubuntu Security Guide, our compliance as code tool. With Ubuntu pro auditing and hardening your VMs is as easy as running a single command line command.
• Extended Security Maintenance (ESM) – Ubuntu Pro adds security maintenance for over 27,000 packages, including the most important open source applications like Apache Kafka, NGINX, MongoDB, Redis and PostgreSQL. This means that you will receive timely updates which have been tested by our security team every time a new fix is released upstream.
• 10-year lifetime – Canonical backs Ubuntu Pro for 10 years, ensuring that the platform is stable and reliable for a long time and that security updates are available throughout, with a guaranteed upgrade path.
• Optional 24/7 support – Additional enterprise-grade support available through private offer for Ubuntu Pro. This allows you to directly engage our expert technical team to discuss complex or critical deployments. No matter what your mission compliance requirements and SLAs are, we can find a way to meet them together.

Ubuntu Pro builds on the AWS GovCloud features to deliver high security and flexibility for your Linux workloads. The cryptographic compliance, coupled with easy to consume security and kernel updates, make sure that your applications not only get compliant, but also stay compliant for the entire duration of your mission, and can be easily audited by third parties.