When Salesforce brought CRM to the cloud, we revolutionized the way our customers connected with their customers – equipping them with the technology to deliver their services at scale and ease. But for federal, state, and local government agencies, the challenges of implementation on a cross-functional scale – while protecting the data of our citizens and our nation – have often limited them from taking full advantage of these advancements.
We’ve all experienced the effects of a government office using outdated technologies, neither equipped to meet the needs of modern citizens nor to produce experiences expected of modern governments. This infrastructure often overburdens the workforce, frustrates citizens, and makes it challenging to adapt this industry to our ever-evolving social, political, and technological landscape. This is why Salesforce offers a secure solution to this challenge that demonstrates compliance with numerous public sector compliance frameworks: Government Cloud Plus.
Whether you’re familiar with Government Cloud Plus or not, you might be wondering, “what exactly is a GovCloud?” I chatted with Vice President and Lead Architect, Government Cloud at Salesforce, Glenn Brunette, who breaks down what makes Salesforce Government Cloud Plus so unique (and secure). Let’s get into it.
So, Glenn, we all want to know: What is a GovCloud?
Well, in its simplest form, a GovCloud is just an internet environment dedicated to one or more government customers or contractors. Salesforce’s Government Cloud Plus instances are precisely that, although, in reality, the process involves more than just onboarding GovCloud customers into a dedicated “space.” Most importantly, we have to be compliant with a wide array of specific requirements for handling government data and workloads. So, Salesforce builds dedicated GovCloud environments for its public sector customers, enhanced with capabilities that meet these standards.
But Salesforce is committed to robust compliance for every customer, so what makes a GovCloud unique?
That’s true — our number one value is trust, and we adhere to all applicable regulations. While Salesforce’s Government Cloud Plus are not identical, they share many common characteristics in how they differ from the rest of the Customer 360 product suite. Those differences include enhanced compliance controls, restricted authorization boundaries, authorized third-party service providers, direct customer connectivity, government-approved cryptography, and restrictive administrative access.
Erm, can you translate?
Absolutely! For added security, GovCloud environments are steeped with one or more enhanced compliance controls (typically called public sector compliance baselines). In the United States, individual government agencies build upon the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF), identifying specific compliance requirements gathered into a baseline.
Such baselines can include the FedRAMP High Impact Baseline or the Department of Defense Impact Level 4 Baseline. Salesforce created its own Compliance Baseline comprising numerous frameworks to create a unified compliance strategy.
The restricted authorization boundary refers to a barrier — think of it like a security fence around your house — surrounding all components and services included in the GovCloud environment. The fence denotes what is in the GovCloud (your house, in this case) and how it interacts with other systems and services outside of the boundary. In fact, GovClouds are required to restrict incoming and outgoing communications, and various changes must be pre-vetted and approved by government officials. Kind of like a security checkpoint at the gate.
Due to that restricted authorization boundary, special considerations apply when a GovCloud wants to use or interact with a third-party cloud service provider, regardless of the data shared over the connection. These service providers are required to follow the same set of compliance authorizations as the GovCloud (and at all the same levels). For example, our GovClouds are not able to integrate with other cloud service providers that do not comply with FedRAMP High requirements.
Now, that’s not all – direct customer access from the internet, often isn’t permitted. So, products onboarded to a GovCloud environment must be capable of interacting with customers over dedicated network connections, directly established between Salesforce and the government.
And given the heavy reliance on cryptography for authentication, and the protection of data in transit and at rest, government requirements mandate that only approved algorithms, key lengths, cipher modes, and the like, can be used by GovClouds and their customers. More importantly, the government also independently certifies cryptographic devices or libraries for use.
Each of these layers of security is additionally protected by a process similar to what many know as the principle of least privilege. Since GovCloud environments store, process, and transmit government data, Government Cloud Plus imposes access restrictions on who is able to gain physical and/or logical access to systems within the authorization boundary. The restrictions vary based on the GovCloud environment, and access to more sensitive data environments requires more rigorous levels of personnel screening.
Get out that rule book
Organizations are legally required to follow cybersecurity regulatory compliance when it comes to protecting sensitive data. In this free Trailhead module, you’ll discover the key players, rules, and challenges of compliance and regulation.
Considering all of these controls, will GovClouds always be different?
Today, the answer is “yes.” Some requirements imposed upon our Salesforce Government Cloud offerings are simply not needed, recommended, or able to be implemented across our entire fleet. That said, we’re working hard to integrate stronger capabilities and controls into all of our production baselines, whenever possible.
Wow – that was a lot, but GovClouds are pretty fascinating, right? With our security and compliance controls, government customers can rest assured that their data is protected, while Salesforce technologies provide the tools for them to focus on what they do best – and optimize customer experiences throughout state, local and federal agencies across the country.
With Salesforce Government Cloud Plus our customers have access to industry-leading CRM, service, platform, analytics, public sector applications, and other industry solutions, helping government customers and contractors achieve mission success and digital transformation across the industry. To learn more about Salesforce Government Cloud offerings, contact a Government Solution Expert: 1-844-807-8829.
Glenn Brunette is Vice President and Lead Architect, Government Cloud at Salesforce. In this role, he is responsible for the development of architecture strategy, execution of architecture programs, and driving improved parity between Salesforce’s commercial and Government Cloud fleet. With over 30 years of industry experience, Glenn has served as the Public Sector GRC Lead at Salesforce, a Distinguished Architect and Cybersecurity Lead at Oracle, a Distinguished Engineer and Chief Security Architect at Sun Microsystems. Glenn has been awarded two cybersecurity patents, has co-published many books and articles, and has been awarded a Master’s and Bachelor’s of Science degree in Computer Science from St. Joseph’s University.