Cloud Security for U.S. Military Agencies

Cloud Security NJVC, LLC Proprietary Data. Do Not Distribute

Transcript of Cloud Security for U.S. Military Agencies

Page 1: Cloud Security for U.S. Military Agencies

Cloud Security

Page 2: Cloud Security for U.S. Military Agencies

NJVC® is an IT contractor supporting the Intelligence Community and Department of Defense (DoD), and specializes in providing IT solutions to customers with highly secure requirements.

NJVC has designed/implemented/maintained multiple data centers for an IC agency for more than a decade, including modernizing the data center environment from a legacy stove-piped set of physical servers to a modernized cloud architecture with a managed service framework.

NJVC has hosted/migrated/transitioned more than 300 distinct mission systems or production entities over the past five years. This continued work in transitioning systems between data center environments has given NJVC unique experience and allowed us to establish a proven, standard, scalable process to support any system migrating between architectures.

Steven R. Thomas, PMP

NJVC Director, Technical Operations

Chief Engineer on a large program for an IC agency

Chair of the Engineering Review Board

Background

Page 3: Cloud Security for U.S. Military Agencies

Cloud security is an evolving area within the larger arena of cyber security.

Refers to a broad set of policies, technologies, and controls deployed to protect data, applications, and the associated infrastructure of cloud architectures and cloud environments

Cloud Security

The extensive use of virtualization in implementing cloud infrastructure brings unique security concerns for missions, applications, or tenants hosted within a cloud environment.

Page 4: Cloud Security for U.S. Military Agencies

Strategic Framework for Cloud Security

Assess

Strategic Objective 1

Plan

Strategic Objective 2

Transition

Strategic Objective 3

Sustain

Strategic Objective 4

Provide a strategic framework for secure mission operations within a cloud environment

Assess the current security state of your environment and each mission system

Understand cloud services and what they provide

Understand the security issues/risks present in the cloud

Assess the level of change that you are facing moving to the cloud

Gather and analyze the security requirements for each mission system against cloud services

Draw clear lines of responsibilities for security within the cloud

Identify and document how each mission will use cloud services, including security services

Develop a transition plan for moving to the cloud that includes security

Maintain security posture during transition

Verify all data is secure and properly accessible

Test and verify all security functions, tools, and services are in place and performing as expected

Establish a mechanism to periodically audit all security services

Monitor and report against security related SLAs, metrics, and performance measurements

Maintain certification and accreditation of all systems

Require cloud service providers to maintain all DoD and FedRAMP security requirements

Mature

Strategic Objective 7

Establish a total security framework that provides “defense in depth”

Data consolidation

Automation of security

Correlation and aggregation of all data

Generates actionable intelligence

Real-time view of enterprise

Ensuring the cloud is secure

As of 09 Mar 2014

Page 5: Cloud Security for U.S. Military Agencies

Many of the same security risks present in non-cloud IT deployments are still in play.

Several new ones are introduced.

Greater number of entry points and input/output paths

A single organization, department, user, or application can threaten the entire cloud

Compromise the virtualization software or "hypervisor"

Increase in brute force attacks

Insider threats now include outsiders in multi-tenant clouds

The Non-Secure Cloud

Just because a cloud is built inside a secure facility, operates behind a firewall, and traverses encrypted networks doesn't mean it is secure.

Assess

Strategic Objective 1

Page 6: Cloud Security for U.S. Military Agencies

Transitioning from a legacy physical, distributed IT environment to a cloud environment fundamentally changes your security threats, security exposure, security risk, and security posture.

Understanding the shared security model is one of the biggest hurdles with securing cloud environments.

Changes in Security

A vulnerable service in a cloud presents greater exposure and risk than the same service in a standard server farm due to the shared nature of cloud resources.

The bank robber Willie Sutton is reputed to have replied to a reporter's inquiry as to why he robs banks by saying:

“Because that's where the money is.”

Assess

Strategic Objective 1

Page 7: Cloud Security for U.S. Military Agencies

Security responsibilities for a cloud architecture fall into two broad categories:

1. Responsibility for the cloud architecture or cloud service provider (CSP) (providing software, platform, or infrastructure as a service)

CSPs generally assume the responsibility to maintain/patch the foundational services, networks, and operating systems (OS).

2. Responsibility for the data and mission systems/applications within the cloud

Customers and/or consumers are often responsible for securing and patching the application and data layers.

Cloud Security Responsibilities

Questions you should be asking

Is security a stated service offering(s) and if so, what does that service(s) provide?

Is security embedded/included with other service offerings?

What security-related DoD policies, directives, or processes are followed and how are they implemented?

Can service level agreements (SLAs) be established based on security performance measurements?

Is security-focused monitoring and reporting offered?

Plan

Strategic Objective 2

Page 8: Cloud Security for U.S. Military Agencies

Proper security services and functions must be part of your planning to ensure the security of the mission systems within the cloud.

Cloud Security Services

Identity management/privacy – Ensures all sensitive data is encrypted, and controls access to information and resources

Physical and personnel security – Ensures physical machines are adequately secure and access to machines and data is restricted and tracked

Application security – Provides testing/acceptance procedures and ensures patch management of applications/tools

Business continuity/data recovery – Ensures services can be maintained in case of a disaster and that any lost data can be recovered

Logs/audit trails – Ensures logs and audit trails are produced, secured, and maintained for purposes of accreditation, security audits (CCRI), root cause analysis, or forensic investigation

Plan

Strategic Objective 2

Page 9: Cloud Security for U.S. Military Agencies

Moving to a cloud environment is similar to moving from one house to another.

As such, many of the same best practices should be applied.

Stop hoarding and de-clutter

Do not move unnecessary applications or missions to the cloud—decommission them

Do not move things that are broken or damaged

Do not move applications that have known security problems. Fix your CAT 1 and CAT 2 security issues

Change your locks once you move in

Change all the default passwords and admin passwords provided in the cloud

Transitioning to the Cloud

Transition

Strategic Objective 3

Page 10: Cloud Security for U.S. Military Agencies

Determine if you can bring your existing security system to your new home

Determine if existing and proven security systems, tools, and processes can be used within or integrated with the cloud

Understand the crime in your new area

Understand the known security threats posed by your new cloud environment

Do not leave anything unsecure while being moved

Do not drop or lessen your security posture while applications or systems are transitioning to the cloud

Verify everything is safe once the move is completed

Make sure all your data and applications are secure and functional once the transition to the cloud is complete

Transitioning to the Cloud

Transition

Strategic Objective 3

Page 11: Cloud Security for U.S. Military Agencies

Detection capabilities need to be cloud-specific and provide near real time data to consumers.

Authentication/authorization must be robust and integrate with DoD identity management models (CAC, PKI, etc.).

Security sensors need to monitor both the interior/exterior of the cloud and send alerts to both the CSP and mission system owners.

Operational capabilities, such as patch management, must be constantly maintained and allow for agile rapid deployments.

Government Clouds

Cloud environments should improve overall security levels and establish an enhanced security posture that leverages agility and technology.

Sustain

Strategic Objective 4

Page 12: Cloud Security for U.S. Military Agencies

Agreements must be established between the CSP and consumer, such as contracts, SLAs, and operation support agreements.

Agreements between the CSP and customer must address a number of areas.

Cloud Agreements

Ownership/privacy of data – Multiple tenants, organizations or commands may reside in the same cloud

Compliance – With all appropriate DoD and federal regulations and directives

Performance – Establish performance levels for uptime, access, reporting, outages, etc.

Recovery – Applications and/or tenant data recovery times

Security – Define all security at each level (access, data, database, application, infrastructure, etc.)

Sustain

Strategic Objective 4

Page 13: Cloud Security for U.S. Military Agencies

All organizations and departments operating within a cloud should

Leverage the DoD and FedRAMP processes and approved security authorization requirements as a baseline when initiating, reviewing, granting, and revoking security authorizations for cloud services

Require CSPs to meet DoD and FedRAMP requirements via contractual provisions

Identify and report on cloud services being used that do not meet DoD and FedRAMP requirements

Cloud Certification & Accreditation

The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

The DoD is going beyond FedRAMP.

Computer network defense service provider will manage the security data reporting between DoD organizations and oversight agencies, like Cyber Command and DISA.

Sustain

Strategic Objective 4

Page 14: Cloud Security for U.S. Military Agencies

Cloud Security Maturity

Consolidation – Data consolidation to improve efficiency and unify security information provided across the cloud

Automation – Automation of security processes, services, and tools to require less manpower; improve response times to threats; and improve efficiency to provide better service

Collaboration – Remove the barriers of data, software, or IT architecture to facilitate correlation and aggregation of all data feeds to support defense in depth

Intelligence – Generates easy-to-understand, actionable intelligence to spur decisions by administrators and operators

Visibility – Maintain real-time view of enterprise, including all connected devices and provide continuous monitoring to meet continuous threats

Target to move here

USE CLOUD TECHNOLOGY TO DRIVE SECURITY

Mature

Strategic Objective 7

Security measures and security services provided by the cloud should NEVER constitute the totality of your security model.

Approach security from a holistic point of view with a layered security “defense in depth” posture against cyber threats

Page 15: Cloud Security for U.S. Military Agencies

Government as a Platform

Government business model changes from isolated systems to integrated services.

Data ownership, service agreements, and governance of service processes are key issues.

Cloud implementation requires the most focus on information assurance and security.

Need exists for better integrated security and threat sharing across the cloud boundaries.

Security is the worst inhibitor of cloud integration and deployment.

Think government as a platform—big-data-accessible, mission events, and streaming service integration to serve mission needs

Page 16: Cloud Security for U.S. Military Agencies

www.njvc.com
