Cloud Security for U.S. Military Agencies
-
Upload
njvc-llc -
Category
Technology
-
view
350 -
download
1
description
Transcript of Cloud Security for U.S. Military Agencies
Cloud Security
NJVC, LLC Proprietary Data. Do Not Distribute
NJVC® is an IT contractor supporting the Intelligence Community and Department of Defense (DoD), and specializes in providing IT solutions to customers with highly secure requirements.
NJVC has designed/implemented/maintained multiple data centers for an IC agency for more than a decade, including modernizing the data center environment from a legacy stove-piped set of physical servers to a modernized cloud architecture with a managed service framework.
NJVC has hosted/migrated/transitioned more than 300 distinct mission systems or production entities over the past five years. This continued work within the area of transition systems between data center environments has provided NJVC unique experience, and allowed us to establish a proven, standard, scalable process to support any system migrating between architectures.
Steven R. Thomas, PMP NJVC Director, Technical Operations Chief Engineer on a large program for an IC agency Chair of the Engineering Review Board
2
Background
NJVC, LLC Proprietary Data. Do Not Distribute
3
Cloud security is an evolving area within the larger arena of cyber security.
Refers to a broad set of policies, technologies, and controls deployed to protect data, applications, and the associated infrastructure of cloud architectures and cloud environments
Cloud Security
The extensive use of virtualization in implementing cloud infrastructure brings unique security concerns for missions, applications, or tenants hosted within a cloud environment.
NJVC, LLC Proprietary Data. Do Not Distribute
Strategic Framework for Cloud Security
4
Assess
Strategic Objective 1
Plan
Strategic Objective 2
Transition
Strategic Objective 3
Sustain
Strategic Objective 4
Provide a strategic framework for secure mission operations within a cloud environment
Assess the current security state of your environment and each mission system
Understand cloud services and what they provide
Understand the security issues/risks present in the cloud
Assess the level of change that you are facing moving to the cloud
Gather and analyze the security requirements for each mission system against cloud services
Draw clear lines of responsibilities for security within the cloud
Identify and document how each mission will use cloud services, including security services
Develop a transition plan for moving to the cloud that includes security
Maintain security posture during transition
Verify all data is secure and properly accessible
Test and verify all security functions, tools, and services are in place and performing as expected
Establish a mechanism to periodically audit all security services
Monitor and report against security related SLAs, metrics, and performance measurements
Maintain certification and accreditation of all systems
Require cloud service providers to maintain all DoD and FedRAMP security requirements
Mature
Strategic Objective 7
Establish a total security framework that provides “defense in depth”
Data consolidation
Automation of security
Correlation and aggregation of all data
Generates actionable intelligence
Real-time view of enterprise
Ensuring the cloud is secure
As of 09 Mar 2014
NJVC, LLC Proprietary Data. Do Not Distribute
Many of the same security risks present in non-cloud IT deployments are still in play.
Several new ones are introduced. Greater number of entry points and
input/output paths A single organization, department,
user, or application can threaten the entire cloud
Compromise the virtualization software or "hypervisor”
Increase in brute force attacks Insider threats now include outsiders
in multi-tenant clouds
5
The Non-Secure Cloud
Just because a cloud is built inside a secure facility, operates behind a firewall, and traverse encrypted networks doesn't mean it is secure.
AssessStrategic Objective 1
NJVC, LLC Proprietary Data. Do Not Distribute
Transitioning from a legacy physical, distributed IT environment to a cloud environment fundamentally changes your security threats, security exposure, security risk, and security posture.
Understanding the shared security model is one of the biggest hurdles with securing cloud environments.
6
Changes in Security
A vulnerable service in a cloud presents greater exposure and risk than the same service in a standard server farm due to the shared nature of cloud resources.
The bank robber Willie Sutton is reputed with replying to a reporter's inquiry as to why he robs banks by saying:
“Because that's where the money is."
Assess
Strategic Objective 1
NJVC, LLC Proprietary Data. Do Not Distribute
Security responsibilities for a cloud architecture fall into two broad categories 1. Responsibility for the cloud architecture or cloud service provider (CSP) (providing software,
platform, or infrastructure as a service) CSPs generally assume the responsibility to maintain/patch the foundational services,
networks, and operating systems (OS).2. Responsibility for the data and mission systems/applications within the cloud
Customers and/or consumers are often responsible for securing and patching the application and data layers.
7
Cloud Security Responsibilities
Questions you should be asking Is security a stated service offering(s) and if so, what does that
service(s) provide? Is security embedded/included with other service offerings? What security-related DoD policies, directives, or processes are
followed and how are they implemented? Can service level agreements (SLAs) be established based on security
performance measurements? Is security-focused monitoring and reporting offered?
Plan
Strategic Objective 2
NJVC, LLC Proprietary Data. Do Not Distribute
Proper security services and functions must be part of your planning to ensure the security of the missions systems within the cloud.
8
Cloud Security Services
Identity management/privacy – Ensures all sensitive data is encrypted, and controls access to information and resources
Physical and personnel security – Ensures physical machines are adequately secure and access to machines and data is restricted and tracked
Application security – Provides testing/acceptance procedures and ensures patch management of applications/tools
Business continuity/data recovery – Ensures services can be maintained in case of a disaster and that any lost data can be recovered
Logs/audit trails – Ensures logs and audit trails are produced, secured, and maintained for purposes accreditation, security audits (CCRI), root cause analysis, or forensic investigation
PlanStrategic Objective 2
NJVC, LLC Proprietary Data. Do Not Distribute
Moving to a cloud environment is similar to moving from one house to another.
As such, many of the same best practices should be applied. Stop hoarding and de-clutter
Do not move unnecessary applications or missions to the cloud—decommission them
Do not move things that are broken or damaged Do not move applications that have known
security problems. Fix your CAT 1 and CAT 2 security issues
Change your locks once you move in Change all the default passwords and admin
passwords provided in the cloud
9
Transitioning to the CloudTransition
Strategic Objective 3
NJVC, LLC Proprietary Data. Do Not Distribute
Determine if you can bring existing security system to your new home
Determine if existing and proven security systems, tools, and processes can be used within or integrated with the cloud
Understand the crime in your new area Understand the known security threats
posed by your new cloud environment Do not leave anything unsecure while being
moved Do not drop or lessen your security posture
while applications or systems are transitioning to the cloud
Verify everything is safe once the move is completed
Make sure all your data and applications are secure and functional once the transition to the cloud is complete 10
Transitioning to the CloudTransition
Strategic Objective 3
NJVC, LLC Proprietary Data. Do Not Distribute
Detection capabilities need to be cloud-specific and provide near real time data to consumers.
Authentication/authorization must be robust and integrate with DoD identity management models (CAC, PKI, etc.).
Security sensors need to monitor both the interior/exterior of the cloud and send alerts to both the CSP and mission system owners.
Operational capabilities, such as patch management, must be constantly maintained and allow for agile rapid deployments.
11
Government Clouds
Cloud environments should improve overall security levels and establish an enhanced security posture that leverages agility and technology.
Sustain
Strategic Objective 4
NJVC, LLC Proprietary Data. Do Not Distribute
Agreements must be established between the CSP and consumer, such as contracts, SLAs, and operation support agreements.
Agreements between the CSP and customer must address a number of areas.
12
Cloud Agreements
Ownership/privacy of data – Multiple tenants, organizations or commands may reside in the same cloud
Compliance – With all appropriate DoD and federal regulations and directives
Performance – Establish performance levels for uptime, access, reporting, outages, etc.
Recovery – Applications and/or tenant data recovery times
Security – Define all security at each level (access, data, database, application, infrastructure, etc.)
Sustain
Strategic Objective 4
NJVC, LLC Proprietary Data. Do Not Distribute
All organizations and departments operating within a cloud should
Leverage the DoD and FedRAMP processes and approved security authorization requirements as a baseline when initiating, reviewing, granting, and revoking security authorizations for cloud services
Require CSPs to meet DoD and FedRAMP requirements via contractual provisions
Identify and report on cloud services being used that do not meet DoD and FedRAMP requirements
13
Cloud Certification & Accreditation
The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
The DoD is going beyond FedRAMP.
Computer network defense service provider will manage the security data reporting between DoD organizations and oversight agencies, like Cyber Command and DISA.
Sustain
Strategic Objective 4
NJVC, LLC Proprietary Data. Do Not Distribute
Cloud Security Maturity
Consolidation – Data consolidation to improve efficiency and unify security information provided across the cloud
Automation – Automation of security processes, services, and tools to require less manpower; increase response times to threats; and improve efficiency to provide better service
Collaboration – Remove the barriers of data, software, or IT architecture to facilitate correlation and aggregation of all data feeds to support defense in depth
Intelligence – Generates easy to understand actionable intelligence: to spur decisions by administrators and operators
Visibility – Maintain real-time view of enterprise, including all connected devices and provide continuous monitoring to meet continuous threats
14
Target to move here
USE CLOUD TECHNOLOGY TO DRIVE SECURITY
Mature
Strategic Objective 7
Security measures and security services provided by the cloud should NEVER constitute the totality of your security model.
Approach security from a holistic point of view with a layered security “defense in depth” posture against cyber threats
NJVC, LLC Proprietary Data. Do Not Distribute
Government as a Platform
Government business model changes from isolated systems to integrated services.
Data ownership, service agreements, and governance of service processes are key issues.
Cloud implementation requires the most focus on information assurance and security.
Need exists for better integrated security and threat sharing across the cloud boundaries.
Security is the worst inhibitor of cloud integration and deployment.
Think government as a platform—big-data-accessible, mission events, and streaming service integration to serve mission needs
NJVC, LLC Proprietary Data. Do Not Distribute
15
NJVC, LLC Proprietary Data. Do Not Distribute
www.njvc.com
16