Date posted: 16-Aug-2015
Category: Technology
Uploaded by: ray-potter
Amped for FedRAMP
Cloud Security World, New Orleans

Ray Potter, CEO, SafeLogic
David Gerendas, Group Product Manager, Intel Security
Takeaways
• What FedRAMP compliance entails
• Advantages of using a validated cryptographic module in the cloud
• How encryption modules become validated, and the pitfalls of the process
• What FedRAMP compliance claims mean and how to confirm them
• The right questions to ask vendors about their encryption and FedRAMP compliance
Assurance
• A measure of confidence and trust (usually established through a third party) that a product, product component, or system meets its claims or meets a specified set of requirements
• Applies both to products and to systems
Systems Assurance / FedRAMP
Systems Assurance
• Using evaluated products does not by itself provide an appropriate level of assurance for the system built from them
• The overall functionality of the system has to be examined
• Risk mitigation / due diligence
FedRAMP
• December 9, 2010
– Office of Management and Budget (OMB) released the 25 Point Implementation Plan To Reform Federal Information Technology Management
– The Cloud First policy was enacted, requiring agencies to use cloud-based solutions whenever a secure, reliable, cost-effective cloud option exists
• December 8, 2011
– OMB FedRAMP Policy Memo: Security Authorization of Information Systems in Cloud Computing Environments
– Establishes the Federal Risk and Authorization Management Program (FedRAMP)
– Requires all Federal agencies to meet FedRAMP requirements by June 2014
Purpose
• Ensure that cloud based services have adequate information security
• Eliminate duplication of effort and reduce risk management costs
• Enable rapid and cost-effective procurement of information systems/services
Applicable Standards and Guidance
• FIPS Publication 140-2: Security Requirements for Cryptographic Modules
• FIPS Publication 199: Standards for Security Categorization of Federal Information and Information Systems
• FIPS Publication 200: Minimum Security Requirements for Federal Information and Information Systems
• NIST SP 800-37, Rev 1: Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
• NIST SP 800-53, Rev 4: Security and Privacy Controls for Federal Information Systems and Organizations
• NIST SP 800-53A: Guide for Assessing the Security Controls in Federal Information Systems
• NIST SP 800-137: Information Security Continuous Monitoring for Federal Information Systems and Organizations
Goals
• Standardize security requirements
• Accredit qualified third-party assessors
• Provide a repository of authorized secure cloud packages
• Standardize on-going assessment methodologies
• Standardize contract language
Key Stakeholders
• Federal agency customer – has a requirement for cloud technology that will be deployed into their security environment and is responsible for ensuring FISMA compliance
• Cloud Service Provider (CSP) – is willing and able to fulfill agency requirements and to meet security requirements
• Joint Authorization Board (JAB) – reviews the security package submitted by the CSP and grants a provisional Authority to Operate (ATO)
• Third Party Assessor (3PAO) – validates and attests to the quality and compliance of the CSP provided security package
• FedRAMP Program Management Office (PMO) – manages the assessment, authorization, and continuous monitoring process
Executive Sponsorship & Governance
Security Assessment Packages
• JAB Provisional ATO
– may take 18+ months; requires broader reviews/approvals
– more widely accepted (government-wide)
• Agency ATO
– may take 12+ months; only requires the sponsoring agency's ATO
– agency reputation and experience matters
• CSP Supplied
– package "in waiting"
– may not meet all acquiring agency requirements
Category                          | Assessed By     | Authorizing Authority
FedRAMP Provisional Authorization | Accredited 3PAO | JAB
Agency ATO w/ FedRAMP 3PAO        | Accredited 3PAO | Agency
CSP Supplied                      | Accredited 3PAO | None
Security Testing
• System Security Plan
• Security Assessment Plan
• Security Test Cases
• Security Assessment Report
• Scanning / Continuous Monitoring
Authorization Process and Timeline
[Figure: two process flows, one per authorization path, with the phases System Security Plan, Security Assessment Plan, Testing, SAR & POA&M Review, and Authorize]

JAB P-ATO path (6 months+):
• System Security Plan: ISSO & CSP review the SSP; CSP addresses JAB concerns; JAB review
• Security Assessment Plan: 3PAO creates the SAP; ISSO reviews the SAP; JAB review
• Testing: 3PAO tests & creates the SAR
• SAR & POA&M Review: ISSO / CSP review the SAR; CSP addresses JAB concerns and creates the POA&M; JAB review
• Authorize: final JAB review / P-ATO sign-off

Agency ATO path (4 months+):
• System Security Plan: agency review; CSP addresses agency concerns; CSP implements the control delta
• Security Assessment Plan: agency reviews the SAP; CSP addresses agency notes
• Testing: 3PAO tests & creates the SAR
• SAR & POA&M Review: agency reviews the SAR; CSP addresses concerns; CSP creates the POA&M
• Authorize: final Agency ATO sign-off

Quality of documentation will determine the length of time and the number of cycles throughout the entire process
AWS – Shared Security Model [diagram, two slides]
Product Assurance / FIPS 140
Product Assurance
• Certification or evaluation of a product or product functionality against a set of requirements
• Required for product procurement in government and commercial industry
• Sets a barrier to entry
FIPS 140-2
• Federal Information Processing Standard 140-2
• Specifies security requirements for cryptographic modules, both hardware and software
• Published by NIST; validations are issued jointly by the US (NIST) and Canadian (CSE) governments through the Cryptographic Module Validation Program (CMVP)
• Tested by independent, accredited laboratories
• Offers four security levels (Level 1 through Level 4)
Areas of Validation
• Module Definition
• Ports and Interfaces
• Roles, Services, and Authentication
• Finite State Model
• Physical Security
• Operating Environment
• Key Management
• Self-Tests
Why FIPS 140-2?
• Required for Federal and industry procurement
• Provides a level of confidence that the cryptographic functions are implemented correctly and to a published benchmark
• FIPS Compliant
– Embedding a module that already has a FIPS validation
– Uses proven crypto functions
– "Compliant" is the vendor's own claim; the certificate belongs to the embedded module and covers it only in the configuration and on the platforms it was tested on
• FIPS Validated
– Getting your own certificate
– Reassures buyers
Challenges of a Typical FIPS 140-2 Validation
• Definition of the module
• HW & OS platform support
• Use of approved algorithms
• Development of appropriate documentation
• Algorithm testing
• Lengthy validation process
• Significant time and resource requirements
Where Does FIPS 140 Fit?
• Encrypt Data in Motion
• Encrypt Data at Rest
The Role of FIPS 140-2 in FedRAMP
• Validated crypto is required for government
– FedRAMP
– FISMA
– SP 800-53
• If the crypto isn't validated it does not satisfy the control: for assessment purposes the data might as well be plaintext
Do Your Due Diligence
• Where is your FIPS 140 certificate?
• Is the product / module FIPS-tested on a current platform?
• For consumers / developers: is your CSP doing the right things?
• Did you go through the FedRAMP process?
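The due-diligence questions above, together with the "FIPS Compliant" versus "FIPS Validated" distinction, can be turned into a mechanical check. The following is an added example, not code from the presentation or from SafeLogic or Intel Security: it compares a vendor's FIPS 140-2 claim (certificate number, module name, exact version, platform, and the algorithms the product actually calls) against a constructed, hypothetical snapshot of CMVP-style validation records. The certificate numbers, module names, versions and platforms are invented; the record fields mirror what a real CMVP certificate entry lists (module name, validated versions, tested operational environments, approved algorithms, and Active/Historical status), and the names `CMVP_RECORDS`, `VendorClaim`, `check_claim` and `is_validated_deployment` are chosen for this example.

```python
"""Check a vendor's FIPS 140-2 claim against CMVP-style validation records.

Added example (not from the presentation). CMVP_RECORDS is a constructed,
hypothetical snapshot: the certificate numbers, module names, versions and
platforms are invented for illustration. A real check reads the same fields
from the NIST CMVP "Validated Modules" entry for the cited certificate.
"""
from dataclasses import dataclass

CMVP_RECORDS = {
    "1234": {  # hypothetical certificate
        "module": "Example Crypto Module",
        "versions": {"2.0.1", "2.0.2"},          # validation is version-specific
        "status": "Active",
        "tested_environments": {                 # OS/arch pairs the lab actually tested
            ("Red Hat Enterprise Linux 7", "x86_64"),
            ("Windows Server 2012 R2", "x86_64"),
        },
        "approved_algorithms": {"AES", "SHA-1", "SHA-256", "HMAC", "RSA", "DRBG"},
    },
    "5678": {  # hypothetical certificate moved to the Historical list
        "module": "Legacy Crypto Module",
        "versions": {"1.0"},
        "status": "Historical",
        "tested_environments": {("Windows Server 2003", "x86")},
        "approved_algorithms": {"AES", "SHA-1", "RSA"},
    },
}


@dataclass(frozen=True)
class VendorClaim:
    """What the vendor asserts, as collected from the data sheet and the shipped build."""
    cert_number: str              # CMVP certificate number cited by the vendor
    module: str                   # module name as marketed
    version: str                  # exact module version shipped in the product
    os: str                       # operating system the module runs on in the product
    arch: str                     # processor architecture
    algorithms_in_use: frozenset  # algorithms the product actually invokes


def check_claim(claim, records=CMVP_RECORDS):
    """Return a list of findings; an empty list means the claim checks out."""
    record = records.get(claim.cert_number)
    if record is None:
        return [f"no CMVP certificate #{claim.cert_number} found: claim is unverifiable"]

    findings = []
    if record["module"] != claim.module:
        findings.append(
            f"certificate #{claim.cert_number} covers '{record['module']}', not '{claim.module}'")
    if claim.version not in record["versions"]:
        findings.append(
            f"version {claim.version} is not on the certificate (validation is version-specific)")
    if (claim.os, claim.arch) not in record["tested_environments"]:
        findings.append(
            f"{claim.os}/{claim.arch} is not a tested operational environment "
            "(vendor affirmation at best, not a validated platform)")
    if record["status"] != "Active":
        findings.append(
            f"certificate status is '{record['status']}'; not acceptable for new procurement")
    non_approved = sorted(claim.algorithms_in_use - record["approved_algorithms"])
    if non_approved:
        findings.append(
            "product uses algorithms outside the module's approved set: "
            + ", ".join(non_approved) + " (not an approved mode of operation)")
    return findings


def is_validated_deployment(claim, records=CMVP_RECORDS):
    """True only when every element of the claim matches an Active certificate."""
    return not check_claim(claim, records)


if __name__ == "__main__":
    claims = [
        VendorClaim("1234", "Example Crypto Module", "2.0.2",
                    "Red Hat Enterprise Linux 7", "x86_64", frozenset({"AES", "SHA-256"})),
        VendorClaim("1234", "Example Crypto Module", "2.0.3",
                    "Ubuntu 14.04", "x86_64", frozenset({"AES", "MD5"})),
        VendorClaim("5678", "Legacy Crypto Module", "1.0",
                    "Windows Server 2003", "x86", frozenset({"AES"})),
    ]
    for c in claims:
        print(c.cert_number, c.version, c.os, "->", check_claim(c) or "validated deployment")
```

A claim passes only when every field matches an Active certificate. A mismatch on version or platform does not make the crypto wrong, but it does reduce the claim to vendor affirmation, which is what a bare "FIPS compliant" label usually amounts to; and a product that calls a non-approved algorithm through a validated module is not operating in an approved mode at all.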