
Finally, an Onshape U.S. Agencies Can Use

Apr 30, 2025

U.S. federal agencies could not use Onshape because data could be kept in foreign data centers and non-citizens could have access. Onshape Enterprise Government takes care of both concerns and adds federally approved encryption.
Jack hammer modeled with Onshape
Checks and balances. Onshape Government was created to satisfy the security demands of U.S. federal agencies. Image: PTC Onshape

While all organizations are bent on preserving and securing their intellectual property, none may be more protective of their data than the U.S. military. It’s no wonder military personnel or defense contractors are not permitted to use the same cloud services as businesses and the public. The military specifically, and the government in general, sees the cloud as no physically specific place, no place that is easily locked down and defensible, and therefore a sitting duck to bad actors and naked to prying eyes.

Cloud service vendors, while trying to keep computing and data as near to the user centers (metropolitan areas) as space and energy requirements allow, had made no guarantees of where backups (made to recover from data loss) are kept. Might the backup data sets be in regions where land is cheap, remote regions, or even foreign countries? Why not?

And so it was no surprise that cloud services, cut off from the enormous spending of the federal government and all its suppliers, decided to create secure clouds.

Enter Amazon

Amazon, which practically invented the cloud and is, to this day, the biggest vendor of cloud services with AWS (Amazon Web Services), launched AWS GovCloud in August 2011 to provide a secure cloud environment for U.S. government agencies and contractors to handle sensitive workloads in compliance with regulations like the International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR).

Notable GovCloud users include NASA’s Jet Propulsion Laboratory (JPL) and the U.S. Department of the Treasury.

GovCloud supports compliance with various standards, including FedRAMP High, ITAR, DoD SRG Levels 4 and 5, CJIS, and HIPAA.

Also, GovCloud does end-to-end encryption with FIPS 140-2 validated cryptographic modules.

Securing the Cloud for CAD

Government clouds are the answer for a vast contingent of agencies and companies concerned about where cloud vendors store their data. The federal government, which may be the biggest single user of CAD, is just one of those organizations. Others include state and local governments, government agencies, aerospace companies, educational institutions, health care, and public-sector organizations — and all the companies that do business with them.

For a company that is entirely based on the cloud, like Onshape, which runs on and stores data on AWS servers, this was a big problem. The company had done everything right, creating the first professional, robust MCAD program in this century, and still, it had no hope of luring hundreds of thousands of CAD users from their archaic workstation-based CAD programs.

The US government places strict regulations on where the data is stored and who has access to the data and takes a dim view of it being housed in other countries and being visible to foreigners.

With Amazon GovCloud, Onshape has found a cloud service provider with servers within the U.S. in facilities kept free of foreigners.

In a manner similar to cloud-based CAD relieving companies of the IT burden of on-premise CAD, Onshape Enterprise Government relieves companies of an audit burden. Federal agencies can demand an audit to ensure compliance.

“The customer does not have to run an audit on the way their data flows within the cloud environment,” says Henry. “We have done all that heavy lifting. We handle the backend infrastructure so that when they get audited, they can show they have been compliant.”

Onshoring the Data

Since the cloud, by its nature, is in data centers all over the world, Onshape controls which AWS data centers it uses and where they are. The issue was that data centers be run by “U.S. persons.” Onshape has, since its inception in 2013, been all about the cloud. It simply can’t function without it. But CAD on the cloud also has big-time advantages like common access to a single model (single source of truth) from anywhere, database structure (vs. file-based), and the ability to operate on any device using only a browser — no expensive workstation needed.

Onshape users in the U.S. should be able to run an instance of Onshape and have their data reasonably close by in order to minimize response time. Latency, or high response time, is the bane of server-based applications. CAD is a highly interactive application, and CAD users tolerate high latency as one would a conversation with someone who takes long pauses before responding. It’s maddening.

AWS had allowed customers (including Onshape) to select regional server locations to store data in specific countries or regions. Amazon defines 36 regions all over the world. Smaller countries or sparsely populated countries could be grouped in the same region, but U.S. users were able to enjoy no border crossings for their data. However, there was no guarantee that the data would never cross international borders. Data backup sets, made for recovery from primary data loss, can be stored in servers far away and even on random servers.

Watching the Parade

Looking across the road to their competitors, some of which had 20% of their customers in the federal government or government contractors, was too much to bear for Onshape.

It was lucky for Onshape that Amazon, with whom Onshape has been joined at the hip since birth, was sensitive to U.S. security needs and created GovCloud. With GovCloud, U.S. regions have even stricter rules:

  • They are physically located in the U.S.
  • They are operated exclusively by U.S. citizens.
  • They meet special compliance standards like ITAR and FedRAMP.

That doesn’t mean U.S. firms cannot back up their data in remote areas, if they think that is keeping their data out of harm’s way. It only means that Amazon won’t do it automatically. For U.S. firms that choose to replicate their data to another region (for disaster recovery, etc.), AWS offers services like S3 Cross-Region Replication — but that is a conscious, manual action. It is never automatic or hidden.

More or Less Secure

Does this make Onshape Government Enterprise more secure than the other versions? It is not more secure; it is just different, says Darren Henry, SVP General Operations, Onshape by PTC.

“We’re encrypting data for both [commercial and government] systems,” says Henry. “The encryption for the Government is different. It’s adhering to a government standard. Plus, the people who have access to the systems and administer the systems have to meet certain nationality requirements. So it’s not necessarily more secure than commercial Onshape; it just meets the rigorous requirements of the U.S. government.”

Is there extra security around GovCloud servers in the data center, like guards around it? we ask.

“There’s no extra guards, just what’s being guarded,” says David Katzman – General Manager, Onshape and Arena. “Think of guarding a company’s headquarters vs guarding the U.S. embassy.”

Making Onshape Run on AWS GovCloud

CAD administrators will be able to audit the server operations with Onshape Government Enterprise. Image: PTC Onshape.

PTC’s development of Onshape Government involved a substantial engineering effort to adapt its cloud-native CAD and PDM platform to the stringent requirements of AWS GovCloud. This initiative was essential to meet the compliance standards mandated by U.S. federal regulations, such as the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR).

Key Engineering Efforts Undertaken by PTC

  1. Deployment on AWS GovCloud (US). Onshape Government operates as a completely separate instance running exclusively on AWS GovCloud. This environment is designed to host sensitive data and regulated workloads, ensuring compliance with ITAR and EAR by restricting access to U.S. persons and maintaining data within U.S. borders.
  2. Implementation of Advanced Security Controls. The platform incorporates FIPS 140-3 validated cryptographic algorithms to protect data at rest and in transit. This level of encryption is crucial for safeguarding Controlled Unclassified Information (CUI) and aligns with federal security standards.
  3. Compliance with NIST 800-171 R3 Standards. Onshape Government adheres to the NIST 800-171 R3 guidelines, which outline the necessary security requirements for protecting CUI in non-federal systems. This compliance ensures that the platform meets the cybersecurity standards expected by government agencies.
  4. Granular Access Control and Monitoring. The system features role-based authorization controls with detailed permission management capabilities. All access attempts and actions are comprehensively logged, creating an auditable record of system interactions. This level of monitoring is essential for maintaining accountability and ensuring that only authorized personnel can access sensitive data.
  5. Separation from Commercial Environment. To prevent inadvertent data migration between environments, Onshape Government is completely isolated from the commercial Onshape platform. This separation ensures that data subject to ITAR and EAR remains within the compliant environment, preventing unauthorized access or data leakage.
  6. Internal Process Changes to Restrict Customer Data Access to U.S. Persons. Onshape made substantial internal process and tooling changes to prevent unauthorized employees from accessing sensitive data.

Ramping Up

While the mood of the current administration tends toward fewer regulations, it is expected that regulations that affect national security will not be affected, assuring the continuity of the GovCloud and others like it.

Having a government-acceptable offering is just the beginning. Onshape has eyes on attaining FedRAMP Moderate authorization and certifying against CMMC 2.0 Level 2 controls. These certifications will further validate Onshape Government’s commitment to meeting federal cybersecurity requirements.

FedRAMP, or Federal Risk and Authorization Management Program, is a U.S. government security program meant to assure the security of cloud service providers. FedRAMP standards are derived from standards developed by the National Institute of Standards and Technology, NIST SP 800-53, and cover all manner of access to servers, continuous monitoring, incident response and risk assessment by a FedRAMP-accredited firm.

FedRAMP levels are a measure of the impact of a data breach. The Moderate level, which Onshape is pursuing, is the most popular, and 80% of service providers attain this level. It does not come easily, though. The Moderate level demands 325 controls in place, three-quarters of the way to FedRAMP High, where data loss may cause death and catastrophe, with 421 controls.

The Future

Onshape Government Enterprise is a new version of Onshape and will eventually take its place next to the Enterprise version. The price of Onshape Government will not be publicly available. Since Enterprise was estimated to be $3,000 per user per year, with a corporate installation with multiple users expected to cost in the $20,000 per year range[i], one would expect Onshape Government, with all its extra requirements and careful monitoring, to cost PTC more to operate than Enterprise. However, we can only speculate on whether the cost will be passed on to federal agencies.

For more detailed information, you can visit the Onshape Government page.

_________________

[i] First Look: Onshape Enterprise, Michael Alba, Engineering.com, May 23, 2018.

 

 

 
