About the customer

• A US data science and analytics company dedicated to helping organizations make data-driven decisions
• Supports customers across industries, including numerous Fortune 500 companies, government, and nonprofit organizations
• Delivers a platform for unifying diverse data sources and unlocking actionable insights

For businesses delivering cloud products and services to federal clients, FedRAMP compliance
is a critical requirement.

This data analytics leader was seeing a rapidly growing appetite for its services among government clients, which meant that the company needed to conform to federal security standards. For the smoothest path to compliance, the company turned to its trusted partners, Canonical and Amazon Web Services (AWS), to implement Ubuntu Pro FIPS across its public cloud estate.

This specially configured and optimized Ubuntu image empowers the organization with certified cryptographic modules and automated security updates directly from Canonical. The solution takes the burden of validating and updating the operating system off the company’s shoulders so it can focus on what it does best – data science.

Challenge

As the data science company’s client base continued to scale across the government sector, it became critical to achieve compliance with the Federal Risk and Authorization Management Program (FedRAMP). This program ensures that sensitive government data is stored and processed securely, and compliance is a core requirement for any cloud product or service used by federal agencies.

One of the most important elements of FedRAMP compliance is the implementation of Federal Information Processing Standards (FIPS) 140 – mandated by the National Institute of Standards and Technology (NIST) – which dictates requirements for cryptographic modules. However, validating modules for FIPS 140 is a long and expensive process, compounded by the need to continuously update modules in response to new common vulnerabilities and exposures (CVEs). This complexity was the primary barrier to FedRAMP compliance for this data analytics organization.

The company’s approach to vulnerability management was largely manual, so incorporating patches and updates was a time-consuming and labor-intensive process. A spokesperson for the organization explains: “Some packages, such as strongSwan, were a headache as we were constantly getting CVE notifications. With every update, we had to find upstream patches and rebuild the whole stack.”

FedRAMP requires adherents to address operating system vulnerabilities within specified time frames depending on the severity of the issue: 30 days for high severity, 90 days for medium, and 180 days for low. Given the scale of the work and the time pressure, tackling CVEs manually wasn’t a viable option. To ensure security measures remained robust, adaptable, and met the stringent FedRAMP requirements, the company needed an easier way to implement FIPS 140 standards and a more agile and automated vulnerability management process.

Solution

As a long-time user of Ubuntu on AWS, the company partnered with Canonical to meet its challenges in the public cloud.

The business relies on several AWS cloud soplutions, including Amazon Redshift to provide a dedicated data warehouse, Amazon EC2 to launch and manage cloud instances, and Amazon Elastic Kubernetes Service (EKS) to manage and scale client workloads. Across this AWS estate, Ubuntu is the primary operating system, and when the time came to find a solution for FedRAMP compliance, Ubuntu Pro FIPS on AWS EC2 and EKS was the natural choice.

Ubuntu Pro FIPS is a purpose-built OS image for AWS that delivers FIPS-certified modules out-of-the-box. The solution disables various disallowed algorithms and ciphers from key libraries and ensures that modules work in a FIPS-compatible mode of operation by default.

Alongside validated modules, Ubuntu Pro FIPS also solves the vulnerability management challenge. Canonical supports each Ubuntu Pro FIPS image for up to 10 years, delivering ongoing security updates to address CVEs. Better still, the company can apply these updates automatically through Canonical’s Livepatch service, significantly reducing the amount of manual intervention required to meet FedRAMP vulnerability remediation timelines.

The company now utilizes Ubuntu Pro FIPS on AWS to build its primary web infrastructure and run Kubernetes containers for client jobs.

Results

With Ubuntu Pro FIPS on AWS, the data science company has successfully achieved FedRAMP compliance, including FIPS validation, without compromising time and resources – and it has successfully transformed its vulnerability management strategy.

The project is also giving the company’s clients even greater confidence in its services, as they know that their databases are safe and compliant. In fact, Ubuntu Pro FIPS doesn’t just enable FedRAMP and FIPS compliance, it supports an array of additional regulatory standards, such as HIPAA, PCI-DSS and ISO 27001, and it enables easy implementation of DISA STIG and CIS security benchmarks. Customers can see that the company is working proactively to achieve the highest levels of security. Meanwhile, the business is well-positioned to satisfy the evolving requirements of its client base as it continues to expand across different industries.

Together with the security capabilities delivered by AWS, Ubuntu Pro FIPS is empowering the company with a compliant and high-performance data analytics environment that can handle even the most sensitive, regulated data. And with Canonical’s support, that environment will remain secure in the face of emerging threats.

The spokesperson concludes:

“With Ubuntu Pro FIPS on AWS, vulnerability management in the operating system is no longer an active challenge for our services. That’s a huge benefit.”