Using Cisco’s VMDC to Facilitate FISMA Compliance


July 23, 2014
Jason P. Broz
Synopsis

This whitepaper discusses how Cisco’s Virtualized Multiservice Data Center (VMDC) validated architecture can facilitate compliance with the Federal Information Security Management Act (FISMA) (NIST 800-53 Revision 4 moderate control set).

Table of Contents

Introduction ... 3
  VMDC ... 3
  SecureState ... 4
Who Needs to be FISMA Compliant? ... 4
What are the Current Challenges? ... 5
FISMA Control Areas ... 6
How VMDC Can Help ... 7
  Access Control (AC) ... 7
  Audit and Accountability (AU) ... 7
  Security Assessment and Authorization (CA) ... 7
  Configuration Management (CM) ... 7
  Identification and Authentication (IA) ... 8
  Media Protection (MP) ... 8
  Personnel Security (PS) ... 8
  Risk Assessment (RA) ... 8
  System and Services Acquisition (SA) ... 8
  System and Communications Protection (SC) ... 9
  System and Information Integrity (SI) ... 9
Achieving FISMA Compliance ... 10
Introduction

Cisco’s Virtualized Multiservice Data Center (VMDC) is a scalable network topology that service providers and large organizations can implement in order to provide a secure multi-tenant solution to their clients. The architecture that VMDC utilizes greatly assists service providers in creating a network which meets the various security needs of clients.

In order to evaluate the ability of Cisco’s VMDC network topology to facilitate Federal Information Security Management Act (FISMA) compliance on behalf of the clients that implement this blueprint, Cisco requested that SecureState analyze the VMDC topology against the NIST 800-53 Revision 4 control set. Previously, SecureState evaluated earlier versions of the VMDC topology against NIST 800-53 Revision 3. Cisco’s VMDC architecture provides a number of controls which can be implemented in order to help fulfill a particular component of the overall control.

VMDC

The Cisco VMDC is a tested and validated reference architecture for the Cisco Unified Data Center. It provides a set of guidelines and best practices for the creation and deployment of a scalable, secure, and resilient infrastructure in the data center. The Cisco VMDC architecture demonstrates how to bring together the latest Cisco routing and switching technologies, network services, data center and cloud security, automation, and integrated solutions with those of Cisco's ecosystem of partners to develop a trusted approach to data center transformation. Specific benefits include:

- Demonstrated solutions to critical technology-related problems in evolving IT infrastructure: Provides support for cloud computing, applications, desktop virtualization, consolidation and virtualization, and business continuance
- Reduced time to deployment: Provides best-practice recommendations based on a fully tested and validated architecture, helping enable technology adoption and rapid deployment
- Reduced risk: Enables enterprises and service providers to deploy new architectures and technologies with confidence
- Increased flexibility: Enables rapid, on-demand workload deployment in a multitenant environment using a comprehensive automation framework with portal-based resource provisioning and management capabilities
- Improved operating efficiency: Integrates automation with a multitenant pool of computing, networking, and storage resources to improve asset use, reduce operation overhead, and mitigate operation configuration errors

The Cisco VMDC architecture, consisting of the Cisco Unified Data Center and Cisco Data Center Interconnect (DCI) together with other architectural components such as infrastructure abstraction, orchestration and automation, assurance, and integrated services and applications, as shown below, provides comprehensive guidelines for deployment of cloud infrastructure and services at multiple levels.
SecureState

SecureState is a management consulting company specializing in information security and compliance services. We believe in a different approach to security which guides our clients as partners, from their CurrentState (CS) to their DesiredState (DS) and ultimately their SecureState. As shown in the graph below, SecureState begins working with clients at the CS, performing assessments to understand the security posture of the organization as it is constructed today. Once SecureState identifies the CS, we then construct tactical and strategic methods to move from the CS to the DS and ultimately a managed SecureState (SS).

SecureState provides services to public and private organizations that operate within the governmental sector, assisting organizations in identifying their CurrentState of FISMA compliance. SecureState then provides a roadmap and, as desired, assistance with the tactical and strategic items needed to achieve their DesiredState and SecureState. Types of assistance include validation of NIST 800-53 controls, secure system configuration, policy development, and strategic security solutions that align with operational goals. SecureState’s team of resources is consistently looked upon as thought leaders in information security, presenting at conferences such as InfoSec World, DefCon, BlackHat, and SecureWorld Expo. The team is also sought after by journalists for publications such as SC Magazine, InformationWeek, and Federal CIO Magazine.

Who Needs to be FISMA Compliant?

All federal agencies and contracted private entities who support operations such as providing protection, administration or maintenance of federal assets as they pertain to information systems security are required to comply with FISMA. Requirements vary based on the categorization level of the asset as defined in Federal Information Processing Standard (FIPS) 199. The goal is to provide a holistic, risk-based information security program, including implementation of administrative and technical components to support the program.
What are the Current Challenges?

1. Agency Size. Based on Government Accountability Office (GAO) report 14-344, released June 2014, agency size plays a role in achieving FISMA compliance. While some of the controls found not to be in place are administrative, a lack of risk assessment or of implemented policies and procedures does not provide the structure needed to implement technical safeguards. As depicted in the graph below, which is included in GAO report 14-344 with data supplied by US-CERT, incidents such as unauthorized access and active or passive reconnaissance are steadily increasing.

2. Access Controls/Authentication Management. As evidenced in the graph provided in the GAO report above, many organizations are struggling with unauthorized access. Through the use of Active Directory (AD), Windows domain accounts are easily managed. Accounts for devices that provide network infrastructure, Linux and/or Unix system accounts, or local machine administrator accounts can still remain a challenge (e.g., password length and/or complexity, password history, session timeouts, device lockout). Application of consistent security controls becomes time consuming and unmanageable.

3. Device Hardening. All systems and applications are required to be securely configured as defined in the configuration management (CM) control area of FISMA. Common systems that must be securely configured include databases (Oracle, MS-SQL, MySQL, etc.), servers (Windows 2003, Windows 2008, Red Hat, etc.), web servers (IIS, Apache, WebLogic, etc.), and network infrastructure (firewalls, routers, switches, etc.). If there are no standard operating procedures in place or baseline configurations implemented, hardening practices can become inconsistent.

4. Monitoring and Log Aggregation. Log aggregation is easily achieved with Windows devices; however, aggregating all outlying devices such as network components can be a challenge. This requires additional resources to implement appropriate log controls and anomaly reporting from such devices.
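The third challenge above is that hardening drifts when there is no baseline to compare against. The following added example (not SecureState's or Cisco's tooling, and not the BMC configuration tool described later) shows the check a practitioner would run: each device's running configuration is compared against a hardening baseline of lines that must be present and patterns that must be absent, and every deviation is reported. The baseline contents, the collector address and both sample configurations are constructed for this illustration; a real standard would list far more items.

```python
"""Baseline hardening check for network-device configurations.

Added illustration, not SecureState's or Cisco's tooling: compares a device's
running configuration against a hardening baseline and reports drift, so that
inconsistent hardening is detected rather than assumed away. The baseline,
collector address and sample configurations are constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Baseline:
    required: tuple[str, ...]   # exact config lines that must be present
    forbidden: tuple[str, ...]  # regular expressions that must match no line


@dataclass
class DriftReport:
    device: str
    missing: list[str] = field(default_factory=list)     # required lines absent
    violations: list[str] = field(default_factory=list)  # forbidden lines found

    @property
    def compliant(self) -> bool:
        return not self.missing and not self.violations


def normalize(config: str) -> list[str]:
    """Drop indentation, comment lines ('!') and blanks so comparison is line-based."""
    lines = []
    for raw in config.splitlines():
        line = raw.strip()
        if line and not line.startswith("!"):
            lines.append(line)
    return lines


def check_device(device: str, config: str, baseline: Baseline) -> DriftReport:
    """Return every baseline deviation found in one device's configuration."""
    report = DriftReport(device=device)
    lines = normalize(config)
    present = set(lines)
    report.missing = [req for req in baseline.required if req not in present]
    for pattern in baseline.forbidden:
        regex = re.compile(pattern)
        report.violations.extend(line for line in lines if regex.fullmatch(line))
    return report


def audit_fleet(configs: dict[str, str], baseline: Baseline) -> list[DriftReport]:
    """Check every device and return only the ones that drifted from the baseline."""
    reports = (check_device(dev, cfg, baseline) for dev, cfg in configs.items())
    return [r for r in reports if not r.compliant]


# Constructed baseline: a small subset of what a real hardening standard lists.
IOS_BASELINE = Baseline(
    required=(
        "service password-encryption",
        "aaa new-model",
        "no ip http server",
        "logging host 10.0.0.50",  # placeholder log collector address
    ),
    forbidden=(
        r"ip http server",                # unencrypted management interface
        r"snmp-server community \S+ RW",  # read-write SNMP community
        r"enable password .*",            # reversible enable password
    ),
)

# Constructed sample configurations: one hardened, one that has drifted.
HARDENED_CONFIG = """
!
service password-encryption
aaa new-model
no ip http server
logging host 10.0.0.50
snmp-server community m0nitor RO
line vty 0 4
 exec-timeout 10 0
"""

DRIFTED_CONFIG = """
enable password cisco123
ip http server
snmp-server community public RW
logging host 10.0.0.50
"""

if __name__ == "__main__":
    fleet = {"core-sw1": HARDENED_CONFIG, "edge-rtr2": DRIFTED_CONFIG}
    for report in audit_fleet(fleet, IOS_BASELINE):
        print(f"{report.device}: missing={report.missing} violations={report.violations}")
```

Matching forbidden patterns with `fullmatch` is deliberate: a baseline that requires `no ip http server` must not flag that very line as an instance of `ip http server`, which a substring search would do.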
FISMA Control Areas

FISMA consists of seventeen control areas that must be applied dependent upon the categorization of the device:

1. Access Control (AC) - Assesses processes as they pertain to account management, including role-based access, least privilege, remote access, privileged accounts and revocation processes, including wireless network and mobile device access.
2. Awareness and Training (AT) - Assesses process, frequency and methods as they pertain to security awareness and training. Additionally, controls as they pertain to role-based training (e.g., developers) and training verification and tracking are also assessed.
3. Audit and Accountability (AU) - Assesses administrative and technical controls around logging access and events, audit log storage capacity, log review and reporting, and protection of audit trails from modification. Non-repudiation, log generation and log retention are also included.
4. Security Assessment and Authorization (CA) - Assesses testing of security defenses as implemented (e.g., penetration testing). Additionally, system interconnections, segmentation, continuous monitoring and authorization are addressed, as are remediation plans for vulnerabilities.
5. Configuration Management (CM) - Assesses processes as they pertain to system hardening standards, including authoritative and supporting documentation pertaining to configuration management. Change control methods and mechanisms and asset inventory are also addressed.
6. Contingency Planning (CP) - Assesses processes regarding planning efforts in case of a natural disaster, continuity of operations and recovery efforts. Training, testing, after-action reviews, and plan improvement are also assessed.
7. Identification and Authentication (IA) - Assesses organizational processes as they pertain to the management of user and component identity and proper authorization for access and authentication.
8. Incident Response (IR) - Assesses processes and procedures as they pertain to incident response methods and mechanisms involving information system components and data, including training of individuals, testing and continual improvement of the plan.
9. Maintenance (MA) - Assesses management of system maintenance activities and documentation. Additionally, tools, remote vendor access, and maintenance personnel management are included.
10. Media Protection (MP) - Assesses protection mechanisms and management processes as they pertain to physical and electronic media throughout their lifecycle. Areas such as proper chain of custody and inventory management are also assessed.
11. Physical and Environmental Protection (PE) - Assesses physical controls and access management processes as they pertain to system components. Areas such as monitoring and visitor management, emergency procedures and management of the environment (e.g., temperature, humidity and damage protection) are included.
12. Planning (PL) - Assesses administrative processes regarding items such as security plans and codes of conduct, as they pertain to security and privacy.
13. Personnel Security (PS) - Assesses management processes as they pertain to individuals with access to information systems. Items assessed include validity of qualifications, criminal history and termination/transfer processes, third-party access management and sanctions.
14. Risk Assessment (RA) - Assesses the risk management processes within the agency or organization, including categorization rationale, risk assessment reporting and vulnerability management.
15. System and Services Acquisition (SA) - Assesses the management of the acquisition process. Additionally, the Systems Development Lifecycle (SDLC), supply chain management and analysis are included.
16. System and Communications Protection (SC) - Assesses data-in-transit methods to ensure confidentiality and integrity. Key management, shared resources, operational security, and availability are included.
17. System and Information Integrity (SI) - Assesses data integrity management. Processes such as code flaw remediation, malicious code protection, third-party security alerts, functionality testing and input validation are included.
How VMDC Can Help

While FISMA is a holistic governance model addressing administrative and technical controls, VMDC can be utilized to facilitate compliance in several control areas. Keeping in mind that control families contain both administrative and technical controls, VMDC facilitates an overall eighty-six (86) controls, with the balance being administrative controls that would need to be implemented by the agency or organization. Four control areas are not addressed: Awareness and Training, Maintenance, Physical and Environmental Protection, and Planning. These are the responsibility of the organization to implement, as they are process driven.

Access Control (AC)

Cisco’s Access Control Server (ACS) provides the capability to integrate with RADIUS/TACACS or LDAP servers such as Active Directory (AD), providing strong access controls for data store devices and network components within the VMDC solution. While performing the review of the VMDC network architecture, SecureState verified that ACS is capable of integrating each of the core pieces of network infrastructure into AD. Roles can be configured in ACS which limit the types of commands a particular account can run on a particular device. Furthermore, roles can be created which grant access to only a subset of network devices in the network. The VMDC solution facilitates nineteen (19) applicable controls, with the balance being the responsibility of the organization.

Audit and Accountability (AU)

Introduction of Splunk into the VMDC solution provides an agency or organization with the ability to aggregate logging into a powerful Security Information and Event Management (SIEM) system. Splunk facilitates many of the attributes required for compliance (e.g., date/time stamp, source, user identity). Additionally, VMDC allows organizations to input not only Windows logs but also logs from network components, in order to continuously monitor all systems. Anomaly alerting can also be configured to report from one central source. Lancope StealthWatch provides additional audit information from a network monitoring perspective. Sourcefire provides intrusion detection, adding another layer of security and providing early detection of irregularities. VMDC facilitates ten (10) applicable controls required for FISMA compliance in this control area.

Security Assessment and Authorization (CA)

Incorporating Sourcefire, Splunk, and Lancope StealthWatch into the overall VMDC solution facilitates continuous monitoring requirements from a systems and network infrastructure perspective. VMDC provides robust network infrastructure which can be used to segment operational areas from areas containing confidential data, thereby maintaining confidentiality of information. These technologies include ACLs, VLANs, and virtual firewalls. VMDC facilitates two (2) applicable controls, with the balance being the responsibility of the organization.

Configuration Management (CM)

The BMC configuration tool can be incorporated into the VMDC architecture to streamline configuration management. This powerful tool drives efficiency, as hardening baselines can be implemented using it. Additionally, features of the BMC tool facilitate synchronization of devices and provide the ability to update or roll back configurations as needed. Use of Cisco’s ASA firewalls permits organizations to implement restrictions as needed to meet operational requirements while still maintaining a secure posture. Cisco has developed configuration guides for each component which can be used to apply specific controls. SecureState reviewed each device in order to verify that it could be hardened in such a way as to meet FISMA compliance requirements. The VMDC solution facilitates seven (7) applicable controls, with the balance being the responsibility of the organization.

Contingency Planning (CP)

VMDC cannot directly meet FISMA controls pertaining to contingency planning, as these are administrative in nature. The VMDC solution can provide agencies or organizations with the ability to implement a Disaster Recovery site maintained in an off-site facility at a Cisco or other data center of their choice.

Identification and Authentication (IA)

As with the AC control area, Cisco’s Access Control Server can be integrated with RADIUS/TACACS or LDAP servers such as Active Directory (AD) to facilitate authentication controls, applying them to both systems and network components within the VMDC solution, driving efficiency and reducing the amount of time required for administrative tasks. Additionally, the capability to incorporate two-factor authentication as required by FISMA is available. The VMDC solution facilitates thirteen (13) applicable controls, with the balance being the responsibility of the organization.

Incident Response (IR)

Anomaly reporting provided by Splunk, Sourcefire, and Lancope StealthWatch can be used to detect incidents and force activation of the Incident Response Plan in the early stages of the incident. This can save time and resources and limit the severity of the incident. Additionally, if alerts are acted upon early enough, data confidentiality and integrity can potentially be maintained and system downtime can potentially be minimized.

Media Protection (MP)

Cisco can provide disk-level encryption as an added service incorporated into the VMDC architecture as a way to provide data confidentiality when stored on electronic media. One (1) applicable FISMA control can be facilitated using the VMDC solution.

Personnel Security (PS)

Splunk can provide logical access control review as a part of the VMDC solution. This would facilitate one (1) applicable control required for FISMA compliance.

Risk Assessment (RA)

The use of Cisco’s ACS integrated with RADIUS/TACACS or LDAP servers facilitates role-based access and elevated privileges as they pertain to this control area. The VMDC solution facilitates one (1) applicable control in this control area.

System and Services Acquisition (SA)

This control area covers many process and administrative controls as they pertain to the management of the Systems Development Lifecycle (SDLC). While VMDC can only facilitate one (1) applicable control in this control area, secure areas can be configured as logically separated environments (e.g., development, test, sandbox, production), and through use of Cisco’s ACS separation of duties can be facilitated, providing technical support for administrative controls.
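The Access Control section above describes roles that bound both the commands an account may run and the devices it may run them on, and the Personnel Security section mentions logical access review. The following added example (not Cisco ACS code and not its API) models that policy as a default-deny command authorizer with an audit trail and an entitlement view for periodic access review. The device inventory, roles, accounts and command patterns are constructed for this illustration; in a real deployment the account-to-role mapping would come from the directory that ACS integrates with.

```python
"""Role-based command authorization for network devices.

Added illustration, not Cisco ACS code or its API: a role limits both the
commands an account may run and the device groups it may reach; anything not
explicitly allowed is denied, and every decision is recorded for audit.
Device groups, roles, accounts and the requests are constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    name: str
    device_groups: frozenset[str]      # device groups this role may reach
    allowed_commands: tuple[str, ...]  # regexes; a command matching none is denied


@dataclass(frozen=True)
class Decision:
    user: str
    device: str
    command: str
    permitted: bool
    reason: str


# Constructed inventory: each device belongs to exactly one group.
DEVICE_GROUPS = {
    "core-sw1": "core", "core-sw2": "core",
    "edge-rtr1": "edge", "dev-sw1": "dev",
}

# Constructed roles: read-only operators see every group; admins are scoped to one.
ROLES = {
    "netops-readonly": Role("netops-readonly", frozenset({"core", "edge", "dev"}),
                            (r"show .*", r"ping \S+")),
    "core-admin": Role("core-admin", frozenset({"core"}),
                       (r"show .*", r"configure terminal", r"interface .*",
                        r"(no )?shutdown", r"write memory")),
}

# Constructed account-to-role mapping (hypothetical; would come from AD groups).
ACCOUNTS = {"alice": "core-admin", "bob": "netops-readonly"}

AUDIT_TRAIL: list[Decision] = []  # every decision, permitted or denied, is kept


def authorize(user: str, device: str, command: str) -> Decision:
    """Decide one command request; the default is deny, and every outcome is logged."""
    command = command.strip()

    def record(permitted: bool, reason: str) -> Decision:
        decision = Decision(user, device, command, permitted, reason)
        AUDIT_TRAIL.append(decision)
        return decision

    role_name = ACCOUNTS.get(user)
    if role_name is None:
        return record(False, "unknown account")
    role = ROLES[role_name]
    group = DEVICE_GROUPS.get(device)
    if group is None:
        return record(False, "unknown device")
    if group not in role.device_groups:
        return record(False, f"role {role.name} cannot reach device group {group}")
    for pattern in role.allowed_commands:
        if re.fullmatch(pattern, command):
            return record(True, f"role {role.name} allows {pattern!r}")
    return record(False, f"command not in allowed set for role {role.name}")


def reachable_devices(user: str) -> list[str]:
    """Entitlement view for access review: which devices can this account touch at all?"""
    role_name = ACCOUNTS.get(user)
    if role_name is None:
        return []
    groups = ROLES[role_name].device_groups
    return sorted(dev for dev, grp in DEVICE_GROUPS.items() if grp in groups)


def denied_requests(user: str) -> list[Decision]:
    """Denials per account: the kind of signal a SIEM would alert on if it spikes."""
    return [d for d in AUDIT_TRAIL if d.user == user and not d.permitted]


if __name__ == "__main__":
    for req in [("bob", "core-sw1", "show running-config"),
                ("bob", "core-sw1", "configure terminal"),
                ("alice", "core-sw1", "configure terminal"),
                ("alice", "edge-rtr1", "show version"),
                ("mallory", "core-sw1", "show version")]:
        d = authorize(*req)
        verdict = "PERMIT" if d.permitted else "DENY"
        print(f"{d.user}@{d.device} '{d.command}': {verdict} ({d.reason})")
```

Two design points carry the least-privilege intent: the device-group check runs before the command check, so a core administrator is refused on an edge router even for a read-only command, and `fullmatch` is used so that a pattern such as `show .*` cannot be satisfied by a command that merely begins with `show`.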
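The Audit and Accountability section names the attributes a compliant log record needs (date/time stamp, source, user identity), and the challenges section notes that network components are the devices most likely to be aggregated incompletely. The following added example (not Splunk's or Cisco's code) is the pre-ingestion check a practitioner would put in front of the SIEM: it parses each line from a network device, lists the required attributes that line fails to provide, and rolls the gaps up per source so a misconfigured device is identified. The message layout is a simplified, constructed Cisco-IOS-style format, and all sample lines are constructed.

```python
"""Completeness check for network-device syslog before SIEM ingestion.

Added illustration, not Splunk's or Cisco's code: verifies that each line from
a network component carries a date/time stamp, a source, and (for account and
configuration events) a user identity, so devices with incomplete logging are
found rather than silently aggregated. The layout below is a simplified,
constructed Cisco-IOS-style format; the sample lines are constructed too.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime

# Constructed layout: <PRI>Mon DD YYYY HH:MM:SS HOST: %FACILITY-SEV-MNEMONIC: message
HEADER = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?:(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) )?"
    r"(?:(?P<source>[\w.-]+): )?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<message>.*)$"
)
# User identity appears either as "[user: name]" or as "... by name ..." in the text.
USER_FIELD = re.compile(r"\[user: ?(?P<bracket>[^\]]*)\]|\bby (?P<by>\S+)")
# Event types for which an accountable user identity is required.
USER_REQUIRED = {"CONFIG_I", "LOGIN_SUCCESS", "LOGIN_FAILED"}


@dataclass
class LogCheck:
    raw: str
    fields: dict[str, str | None] = field(default_factory=dict)
    missing: list[str] = field(default_factory=list)

    @property
    def complete(self) -> bool:
        return not self.missing


def extract_user(message: str) -> str | None:
    """Return the user identity in the message, or None if absent or unnamed."""
    m = USER_FIELD.search(message)
    if not m:
        return None
    user = m.group("bracket") if m.group("bracket") is not None else m.group("by")
    user = user.strip()
    # "by console" means the device could not attribute the action to an account.
    return user if user and user != "console" else None


def check_line(line: str) -> LogCheck:
    """Parse one line and list the required attributes it fails to provide."""
    check = LogCheck(raw=line)
    m = HEADER.match(line.strip())
    if not m:
        check.missing.append("unparseable")
        return check
    check.fields = dict(m.groupdict())
    check.fields["user"] = extract_user(m.group("message"))

    ts = check.fields["timestamp"]
    if ts:
        try:
            datetime.strptime(ts, "%b %d %Y %H:%M:%S")
        except ValueError:  # present but not a real date/time
            ts = None
    if not ts:
        check.missing.append("timestamp")
    if not check.fields["source"]:
        check.missing.append("source")
    if m.group("mnemonic") in USER_REQUIRED and check.fields["user"] is None:
        check.missing.append("user")
    return check


def incomplete_sources(lines: list[str]) -> dict[str, set[str]]:
    """Map each source (or '<unknown>') to the attributes its lines lacked."""
    gaps: dict[str, set[str]] = {}
    for check in map(check_line, lines):
        if not check.complete:
            src = check.fields.get("source") or "<unknown>"
            gaps.setdefault(src, set()).update(check.missing)
    return gaps


# Constructed sample lines as a collector might receive them from several devices.
SAMPLE_LINES = [
    "<189>Jul 23 2014 14:05:12 core-sw1: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "<189>Jul 23 2014 14:05:13 core-sw1: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: bob] [Source: 10.0.0.7] [localport: 22]",
    "<187>Jul 23 2014 14:06:01 core-sw1: %LINK-3-UPDOWN: Interface GigabitEthernet1/1, changed state to down",
    "%SYS-5-CONFIG_I: Configured from console by console",
    "<188>Jul 23 2014 14:07:44 edge-rtr1: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 203.0.113.9] [localport: 22]",
]

if __name__ == "__main__":
    for src, gaps in incomplete_sources(SAMPLE_LINES).items():
        print(f"{src}: missing {sorted(gaps)}")
```

The fourth sample line is the case that matters operationally: a device sending events with no timestamp and no origin identifier still parses, so a SIEM will happily index it, but nothing in it can be tied to a time or a system. Reporting gaps per source turns that into a configuration fix on one device rather than a gap discovered during an assessment.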
System and Communications Protection (SC)

Integration of Lancope StealthWatch network monitoring can provide early detection of potential denial of service attacks and send alerts to resources in order to preserve system availability. Information leakage can be minimized through VMDC’s use of VLANs and virtual firewalls to logically segment business units into separate containers. ASA firewalls, routers and switches provide defense against external leakage in conjunction with the BMC configuration tool, which can be used to properly configure all components securely. Sourcefire Intrusion Prevention provides an added layer of defense, alerting on suspicious activity within the internal network. Disk-level encryption is available as an additional service, which would further facilitate controls in this control family. Data in transit is also secured through the use of the VMDC solution and its ability to provide secure communication channels (e.g., SSL, SSH) and support the use of key certificates. Cisco’s ACS provides strong access controls, and the use of virtual firewalls and VLANs for segmentation provides several layers of protection for data at rest. VMDC facilitates seventeen (17) applicable controls in this control area.

System and Information Integrity (SI)

Through the integration of the Splunk SIEM, Sourcefire IPS, and Lancope StealthWatch network performance tool into the overall VMDC solution, agencies and organizations are provided with the ability to monitor activities from several different perspectives, providing a more complete view into network events and performance. This gives them the ability to adjust defenses as needed and continually improve, maintaining confidentiality and integrity of data while maintaining high levels of availability and network performance. Additionally, Sourcefire’s ability to provide real-time alerting of events allows for quicker response times and potential incident resolution, allowing organizations to potentially meet or exceed recovery time objectives (RTO). All Cisco devices contained within the VMDC solution have gone through security testing to protect memory from unauthorized code execution. The VMDC solution facilitates eight (8) applicable controls, with the balance being the responsibility of the organization.
Achieving FISMA Compliance

As FISMA is a holistic governance approach based on risk, administrative documentation, processes, and device categorization are required prior to the selection, implementation and assessment of technical controls. Additionally, continued monitoring of the administrative and technical controls is required to ensure consistency of process as it pertains to confidentiality, integrity, and availability of data stored on federal information systems.

The process starts with NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments, as defined in NIST SP 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems. This enables an agency or supporting organization to accurately categorize an information system in accordance with FIPS 199, Standards for Security Categorization of Federal Information and Information Systems. NIST 800-37 Rev 1 provides guidance in the specific areas that pertain to federal information systems, including activities such as “security categorization, security control selection, and implementation, security control assessment, information system authorization and security control monitoring,” per the documented definition. It addresses risk from three levels: the organization, business process, and information system level.

FIPS 199 requires information to be categorized based on potential impact to the agency or organization if confidentiality, integrity or availability is lost. Low impact is defined as having a limited adverse effect, moderate impact is defined as a serious effect, and high impact is defined as a severe or catastrophic effect. NIST SP 800-30 provides the risk management framework for assessing the risks associated with federal information systems in order to provide appropriate levels in accordance with FIPS 199. NIST SP 800-37 Rev 1, Guide for Applying the Risk Management Framework to Federal Information Systems, is the guidance document for assessing associated risks.

After implementation of administrative and technical safeguards, a NIST SP 800-53 assessment is performed, as defined by category, in accordance with FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, in order to assess compliance. NIST SP 800-53 Revision 4 is the most current control framework used to assess administrative and technical safeguards implemented in order to authorize an information system as being FISMA compliant. Upon achievement of FISMA compliance, authorization to operate is granted by a Certifying Authority (agency official). NIST SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations, provides guidance on implementation and management of an overall continuous monitoring program.

For further information, refer to the VMDC Cloud Security 1.0 Design Guide at: http://www.cisco.com/c/en/us/solutions/enterprise/data-center-designs-cloud-computing/landing_vmdc.html
