Date posted: 23-Dec-2015
#acquia
BUILDING AND SECURING GOVERNMENT DRUPAL SITES IN THE CLOUD
Presenters
• Michael Lemire, Director of Information [email protected]
• Chris Brown, Technical Account [email protected]
• Jim Salem, Vice President of Cloud [email protected]
Agenda
• Review Current US Government Compliance landscape
• Learn how to achieve Federal Compliance in the Cloud
• International and Developing Compliance Standards
• Case Study – Defense Security Cooperation Agency (DSCA)
• How Acquia achieved a compliance-ready hosting platform
The Opportunity
• Governments are expanding use of Drupal
• Drupal is open source
  • Cost effective vs proprietary licensed software
  • Proven secure
• Drupal facilitates shared development between agencies
• Federal Government has prioritized a Cloud First Strategy
  • Federal Cloud Computing Strategy by Vivek Kundra, former US Federal CIO
  • Recognition of a fundamental shift to cloud
  • Targets $20B of $80B annual federal IT spending for cloud
• Significant cost savings to governments
  • More agile and more easily scalable
• Similar initiatives in the UK, Australia, all over
• We are at the tip of the iceberg!
Current US Government Compliance Landscape
FISMA, DIACAP and FedRAMP are standardized approaches to security assessment, authorization, and continuous monitoring for information systems utilized by the Federal government.
FISMA – Federal Information Security Management Act of 2002. Applicable to non-DoD agencies.
DIACAP – Department of Defense Information Assurance Certification and Accreditation Process. Applicable to DoD-related agencies.
With both FISMA and DIACAP, each information system must be documented, reviewed by an independent third-party assessor, and authorized by authorizing officials. Both processes are time consuming and expensive.
FedRAMP – Federal Risk and Authorization Management Program
• Establishes an “authorize once, use many times” framework for cloud computing products and services. FedRAMP is meant to supersede FISMA and DIACAP for cloud products.
• FedRAMP was established on Dec 8, 2011 via a memorandum produced by the Federal Chief Information Officer and is due to achieve Initial Operating Capacity in 2012.
• Based on the same NIST publications as FISMA, with added controls pertinent to the cloud
• FedRAMP Concept of Operations – defines how the FedRAMP process will work
  • http://www.gsa.gov/graphics/staffoffices/FedRAMP_CONOPS.pdf
Coming Soon - FedRAMP
Important NIST Publications and Standards
FIPS 199 – Security categorization of the information system according to its Confidentiality, Availability and Integrity requirements
• What type of data?
• Importance to national security?
• Determine the “high water mark” (low, medium, high)
NIST 800-53 rev 3 – Security Controls documented in the SSP
• All domains of security are covered and must be documented: Risk Assessment, Personnel, System Acquisition, Physical and Environmental, Contingency Planning, Configuration Management, Incident Response, Security Awareness Training, Authentication, Logging and Audit, Network Security and Encryption
• Rev 4 now in draft – adds additional mobile and cloud controls
NIST 800-30 – Risk Assessments
• Defines the process for assessing risk and how to apply the process at the organizational, mission and information system levels
FISMA, DIACAP and FedRAMP Process
Federal Compliance – High Level Process
• Categorize the System – FIPS 199: Confidentiality, Integrity, Availability
• Select the controls – NIST 800-53
• Implement the controls and document them – System Security Plan, Privacy Impact Assessment
• Assess – Contract with a Third Party Assessor; the 3PAO reviews the SSP and creates the STE & POA&M
• Authorize – This package of documents is submitted to the Authorizing Official, who reviews, comments, asks for revisions, and grants an IATC and/or ATO
• Monitor – Continuous update of the SSP, continuous mitigation of items identified in the STE and POA&M
Accomplishing Federal Compliance in the Cloud
Cloud Service Providers may be responsible for the entire set of controls, or the controls may be shared in a Shared Responsibility Model. Examples:
• SaaS may be built on PaaS. Ex: Drupal Gardens
• PaaS may be built on IaaS. Ex: Acquia Managed Cloud
Three primary layers in the shared responsibility model:
• Application Layer (Drupal)
• OS Stack Layer (Linux, Windows, Database, etc.)
• Infrastructure Layer (Datacenter, network)
*Each entity must document the controls for which it is responsible.*
Example: Acquia Managed Cloud
Acquia Managed Cloud is a PaaS built on Amazon’s AWS IaaS.
Example SSP control description:
• Control: (from 800-53)
• Control Type: Agency/Common/Hybrid
• Control Status: Implemented/Planned/Not Applicable
• Application Layer – Responsibility: Customer (Agency). Implementation Detail: Describe how the control is the responsibility of the agency.
• LAMP Stack Layer – Responsibility: Acquia. Implementation Detail: Describe how the control is implemented.
• Infrastructure – Responsibility: Amazon. Implementation Detail: Refer to the hosting provider’s SSP.
Acquia documents its control responsibilities in its SSP; Amazon documents its control responsibilities in its SSP.
International Compliance Landscape
ISO/IEC 27002
• Published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC)
• Similar to NIST 800-53 controls; more flexible in that organizations may define the controls which are applicable to their environment
• Domains: Risk Assessment, Security Policies, Asset Management, HR / Personnel, Communications and Networks, Access Control, System Acquisition and Development, Continuity Planning
• Two levels of ISO compliance: self evaluation based on the standards, or certification by a third party auditor
Developing Cloud Compliance Standards
Cloud Security Alliance (CSA) – organization which promotes best practices for security within Cloud Computing. The CSA is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders in the cloud computing field.
Two important CSA initiatives:
• CSA Security Guidance – Recommendations and guidance for cloud service providers to secure their clouds according to best practices (SaaS, PaaS and IaaS service providers)
• CSA Consensus Initiative Questionnaire – designed to help CSPs gauge their controls against best practices as defined by the CSA
https://cloudsecurityalliance.org/
Mapping Compliance Standards to Each Other
Cloud Service Providers have a number of compliance objectives, each requiring a painstakingly long review of standards and gauging adherence to the specified controls. CSA’s Control Compliance Matrix helps ease the process of compliance with sometimes redundant compliance standards.
Example: achieving compliance with NIST 800-53 largely achieves ISO 27002 compliance, the BITS Shared Assessment standard, COBIT, PCI and HIPAA.
See the Cloud Security Alliance Control Matrix: https://cloudsecurityalliance.org/
DSCA GlobalNET Experience
• Social Collaboration Platform for sharing information within and across "enterprises" worldwide
• Currently has over 10 organizations deployed on the platform
• Package delivered August 2011
Components in the Accreditation Boundary
• IaaS: Amazon EC2
• PaaS: Acquia Managed Cloud (LAMP)
• SaaS: GlobalNET – Drupal Commons (D6), OpenLDAP, Piwik, Comet Chat/APE
Drupal Based Control Solutions
External Application Control Implementation
• Data between all third party applications is encrypted over SSL
• Password encryption
  • Use the LDAP Module to provision accounts in LDAP
  • Passwords in LDAP are stored as SHA-1 hashes (FIPS 140-2 compliant)
• Governance
  • Users with elevated accounts should have a non-elevated account on the system
  • User approval and role assignment policies
  • User 1 should not be used
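To make the LDAP password point concrete, here is an added Python example (not the presentation's or Acquia's code) showing how the RFC 2307 {SHA} scheme stores an unsalted SHA-1 digest, how the salted {SSHA} variant differs, and an audit that flags directory entries which are unsalted or cleartext. The directory entries and passwords are constructed sample data.

```python
import base64
import hashlib
import hmac
import os

def ldap_sha(password):
    """Unsalted RFC 2307 {SHA}: base64(SHA-1(password)). Same password, same value."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")

def ldap_ssha(password, salt=None):
    """Salted {SSHA}: base64(SHA-1(password + salt) + salt); the salt is stored with the hash."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def verify(password, stored):
    """Check a password against a {SHA} or {SSHA} userPassword value."""
    if stored.startswith("{SHA}"):
        expected = base64.b64decode(stored[len("{SHA}"):])
        actual = hashlib.sha1(password.encode("utf-8")).digest()
    elif stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        expected, salt = raw[:20], raw[20:]      # SHA-1 digests are 20 bytes
        actual = hashlib.sha1(password.encode("utf-8") + salt).digest()
    else:
        return False                             # unknown scheme or cleartext: never accept
    return hmac.compare_digest(actual, expected)

def audit(entries):
    """Return (dn, finding) for every entry whose userPassword is not a salted hash."""
    findings = []
    for dn, stored in entries:
        if stored.startswith("{SSHA}"):
            continue
        if stored.startswith("{SHA}"):
            findings.append((dn, "unsalted SHA-1: equal passwords give equal hashes"))
        else:
            findings.append((dn, "no recognised hash scheme prefix (cleartext?)"))
    return findings

# Constructed sample entries (dn, userPassword); alice and bob share a password,
# but only the unsalted entry reveals that. Not taken from the presentation.
SAMPLE_ENTRIES = [
    ("uid=alice,ou=people,dc=example,dc=gov", ldap_sha("correct horse")),
    ("uid=bob,ou=people,dc=example,dc=gov", ldap_ssha("correct horse", salt=b"12345678")),
    ("uid=svc,ou=people,dc=example,dc=gov", "Summer2011!"),
]
```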
Challenges: Cloud and Drupal Accreditation
• Common Criteria/NIAP for Drupal
  • Expensive process that needs a sponsor
  • What modules would be put through the process? How would adding different modules affect the certification?
• Governance around the user 1 account to ensure it is not used as a group account
• Multi-tenancy of the Cloud
  • Hardware
  • Software
  • Shared Disks
• Shared Responsibility Model
  • How are the swim lanes of responsibility drawn between the parties involved?
  • SLA agreements between each of the parties
  • Security Responsibility
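The user 1 governance point is something that can be checked from logs. The following added Python example (not the deck's or Acquia's code) scans constructed lines in the pipe-delimited layout Drupal's syslog module writes for uid 1 sessions, uid 1 activity from several source addresses (a sign of a shared group account), and failed logins against that account name; the exact field order, the watchdog message texts and the account name "admin" are assumptions.

```python
# Constructed sample lines in the pipe-delimited layout Drupal's syslog module
# writes (base_url|timestamp|type|ip|request_uri|referer|uid|link|message);
# the layout and the message texts are assumptions, not taken from the deck.
SAMPLE_LOG = """\
http://example.gov|1325376000|user|203.0.113.5|/user/login|http://example.gov/user|1|/user/1|Session opened for admin.
http://example.gov|1325376120|content|203.0.113.5|/node/add/page|http://example.gov/node/add|1||page: added Welcome.
http://example.gov|1325379600|user|198.51.100.7|/user/login|http://example.gov/user|1|/user/1|Session opened for admin.
http://example.gov|1325379900|user|198.51.100.7|/user/login|http://example.gov/user|42|/user/42|Session opened for jdoe.
http://example.gov|1325383200|user|192.0.2.9|/user/login|http://example.gov/user|0||Login attempt failed for admin.
this line is not a watchdog entry and is skipped
"""

FIELDS = ("base_url", "timestamp", "type", "ip", "request_uri",
          "referer", "uid", "link", "message")

def parse_line(line):
    """Split one watchdog line into a dict; return None for lines that do not fit."""
    parts = line.rstrip("\n").split("|", len(FIELDS) - 1)   # message may contain '|'
    if len(parts) != len(FIELDS) or not (parts[1].isdigit() and parts[6].isdigit()):
        return None
    entry = dict(zip(FIELDS, parts))
    entry["uid"] = int(entry["uid"])
    entry["timestamp"] = int(entry["timestamp"])
    return entry

def audit_uid1(log_text, uid1_name="admin"):
    """Flag any use of the uid 1 account and signs that it is shared or targeted."""
    sessions, source_ips, failed = [], set(), 0
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        if e["uid"] == 1:
            source_ips.add(e["ip"])
            if e["type"] == "user" and e["message"].startswith("Session opened for"):
                sessions.append((e["timestamp"], e["ip"]))
        elif e["type"] == "user" and e["message"] == f"Login attempt failed for {uid1_name}.":
            failed += 1
    findings = []
    if sessions:
        findings.append(f"uid 1 opened {len(sessions)} session(s); policy says user 1 is not to be used")
    if len(source_ips) > 1:
        findings.append(f"uid 1 active from {len(source_ips)} source IPs: looks like a shared group account")
    if failed:
        findings.append(f"{failed} failed login(s) against the uid 1 account name")
    return {"sessions": sessions, "source_ips": sorted(source_ips),
            "failed_logins": failed, "findings": findings}
```

Running the same scan over a real syslog export (after stripping the syslog prefix in front of the base URL) gives the auditor evidence for the "user 1 is not used" control rather than an assertion.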
Building a Compliance-Ready Infrastructure
• Drupal Stack Architecture
  • Robust and secure
• Server Management Architecture
  • Controlled access
  • Standard, reproducible configurations
• Policies and Procedures
  • Documented and auditable
  • Consistent
• Test, Test, Test
Start Early!
Acquia Cloud’s Server Architecture
• Designed for compliance
• Built on Amazon EC2: SAS 70, PCI, and FISMA certified
• High availability with automatic failover
Disaster Recovery and High Availability
• Split infrastructure between two data centers
• Multi-region replication (not pictured)
• Active-active difficult with Drupal
• Acquia Cloud uses Tungsten for multi-master DB replication
(Diagram labels: Data Center 1, Data Center 2)
Acquia Cloud Management Architecture
• Controlled Sysadmin Access
  • Two-factor auth
  • No shared accounts
  • Bastion host with audit trail
• Automated Backups
• Configuration Management
  • Centralized DB
  • Puppet for s/w deploys
  • Scripts for config files (e.g., apache, MySQL, etc.)
• Monitoring
  • Nagios
(Diagram labels: Bastion Server, Puppet, Backup Server, Config DB, Managed Cloud Server Clusters, Custom Scripts, Monitoring Server)
Policies and Procedures
• Start small and build up
• Write them down and follow them
• Key Policies
  • Access control
  • Change management
  • Disaster recovery
  • Security review
  • Crisis management
Test, Test, Test
Anything that is not tested will not work (for long)
• Automated system tests
  • Verify you can continue to deploy servers consistently
• Positive and negative security tests
• On-going vulnerability scans
• Simulated failures
  • Untested failovers and redundancies will NOT work!
• Backup verification
• Test the processes too!