Cloud Security for U.S. Military Agencies


Published on

Published in: Technology, Business
  • Be the first to comment

Cloud Security for U.S. Military Agencies

  1. 1. Cloud Security NJVC, LLC Proprietary Data. Do Not Distribute
  2. 2.  NJVC® is an IT contractor supporting the Intelligence Community and Department of Defense (DoD), and specializes in providing IT solutions to customers with highly secure requirements.  NJVC has designed/implemented/maintained multiple data centers for an IC agency for more than a decade, including modernizing the data center environment from a legacy stove-piped set of physical servers to a modernized cloud architecture with a managed service framework.  NJVC has hosted/migrated/transitioned more than 300 distinct mission systems or production entities over the past five years. This continued work within the area of transition systems between data center environments has provided NJVC unique experience, and allowed us to establish a proven, standard, scalable process to support any system migrating between architectures.  Steven R. Thomas, PMP  NJVC Director, Technical Operations  Chief Engineer on a large program for an IC agency  Chair of the Engineering Review Board 2 Background NJVC, LLC Proprietary Data. Do Not Distribute
  3. 3. 3 Cloud security is an evolving area within the larger arena of cyber security. Refers to a broad set of policies, technologies, and controls deployed to protect data, applications, and the associated infrastructure of cloud architectures and cloud environments Cloud Security The extensive use of virtualization in implementing cloud infrastructure brings unique security concerns for missions, applications, or tenants hosted within a cloud environment. NJVC, LLC Proprietary Data. Do Not Distribute
  4. 4. Strategic Framework for Cloud Security 4 Assess Strategic Objective 1 Plan Strategic Objective 2 Transition Strategic Objective 3 Sustain Strategic Objective 4 Provide a strategic framework for secure mission operations within a cloud environment  Assess the current security state of your environment and each mission system  Understand cloud services and what they provide  Understand the security issues/risks present in the cloud  Assess the level of change that you are facing moving to the cloud  Gather and analyze the security requirements for each mission system against cloud services  Draw clear lines of responsibilities for security within the cloud  Identify and document how each mission will use cloud services, including security services  Develop a transition plan for moving to the cloud that includes security  Maintain security posture during transition  Verify all data is secure and properly accessible  Test and verify all security functions, tools, and services are in place and performing as expected  Establish a mechanism to periodically audit all security services  Monitor and report against security related SLAs, metrics, and performance measurements  Maintain certification and accreditation of all systems  Require cloud service providers to maintain all DoD and FedRAMP security requirements Mature Strategic Objective 7  Establish a total security framework that provides “defense in depth”  Data consolidation  Automation of security  Correlation and aggregation of all data  Generates actionable intelligence  Real-time view of enterprise Ensuring the cloud is secure As of 09 Mar 2014 NJVC, LLC Proprietary Data. Do Not Distribute
  5. 5.  Many of the same security risks present in non-cloud IT deployments are still in play.  Several new ones are introduced.  Greater number of entry points and input/output paths  A single organization, department, user, or application can threaten the entire cloud  Compromise the virtualization software or "hypervisor”  Increase in brute force attacks  Insider threats now include outsiders in multi-tenant clouds 5 The Non-Secure Cloud Just because a cloud is built inside a secure facility, operates behind a firewall, and traverse encrypted networks doesn't mean it is secure. Assess Strategic Objective 1 NJVC, LLC Proprietary Data. Do Not Distribute
  6. 6. Transitioning from a legacy physical, distributed IT environment to a cloud environment fundamentally changes your security threats, security exposure, security risk, and security posture. Understanding the shared security model is one of the biggest hurdles with securing cloud environments. 6 Changes in Security A vulnerable service in a cloud presents greater exposure and risk than the same service in a standard server farm due to the shared nature of cloud resources. The bank robber Willie Sutton is reputed with replying to a reporter's inquiry as to why he robs banks by saying: “Because that's where the money is." Assess Strategic Objective 1 NJVC, LLC Proprietary Data. Do Not Distribute
  7. 7. Security responsibilities for a cloud architecture fall into two broad categories 1. Responsibility for the cloud architecture or cloud service provider (CSP) (providing software, platform, or infrastructure as a service)  CSPs generally assume the responsibility to maintain/patch the foundational services, networks, and operating systems (OS). 2. Responsibility for the data and mission systems/applications within the cloud  Customers and/or consumers are often responsible for securing and patching the application and data layers. 7 Cloud Security Responsibilities Questions you should be asking  Is security a stated service offering(s) and if so, what does that service(s) provide?  Is security embedded/included with other service offerings?  What security-related DoD policies, directives, or processes are followed and how are they implemented?  Can service level agreements (SLAs) be established based on security performance measurements?  Is security-focused monitoring and reporting offered? Plan Strategic Objective 2 NJVC, LLC Proprietary Data. Do Not Distribute
  8. 8. Proper security services and functions must be part of your planning to ensure the security of the missions systems within the cloud. 8 Cloud Security Services  Identity management/privacy – Ensures all sensitive data is encrypted, and controls access to information and resources  Physical and personnel security – Ensures physical machines are adequately secure and access to machines and data is restricted and tracked  Application security – Provides testing/acceptance procedures and ensures patch management of applications/tools  Business continuity/data recovery – Ensures services can be maintained in case of a disaster and that any lost data can be recovered  Logs/audit trails – Ensures logs and audit trails are produced, secured, and maintained for purposes accreditation, security audits (CCRI), root cause analysis, or forensic investigation Plan Strategic Objective 2 NJVC, LLC Proprietary Data. Do Not Distribute
  9. 9. Moving to a cloud environment is similar to moving from one house to another. As such, many of the same best practices should be applied.  Stop hoarding and de-clutter  Do not move unnecessary applications or missions to the cloud—decommission them  Do not move things that are broken or damaged  Do not move applications that have known security problems. Fix your CAT 1 and CAT 2 security issues  Change your locks once you move in  Change all the default passwords and admin passwords provided in the cloud 9 Transitioning to the Cloud Transition Strategic Objective 3 NJVC, LLC Proprietary Data. Do Not Distribute
  10. 10.  Determine if you can bring existing security system to your new home  Determine if existing and proven security systems, tools, and processes can be used within or integrated with the cloud  Understand the crime in your new area  Understand the known security threats posed by your new cloud environment  Do not leave anything unsecure while being moved  Do not drop or lessen your security posture while applications or systems are transitioning to the cloud  Verify everything is safe once the move is completed  Make sure all your data and applications are secure and functional once the transition to the cloud is complete 10 Transitioning to the Cloud Transition Strategic Objective 3 NJVC, LLC Proprietary Data. Do Not Distribute
  11. 11.  Detection capabilities need to be cloud-specific and provide near real time data to consumers.  Authentication/authorization must be robust and integrate with DoD identity management models (CAC, PKI, etc.).  Security sensors need to monitor both the interior/exterior of the cloud and send alerts to both the CSP and mission system owners.  Operational capabilities, such as patch management, must be constantly maintained and allow for agile rapid deployments. 11 Government Clouds Cloud environments should improve overall security levels and establish an enhanced security posture that leverages agility and technology. Sustain Strategic Objective 4 NJVC, LLC Proprietary Data. Do Not Distribute
  12. 12. Agreements must be established between the CSP and consumer, such as contracts, SLAs, and operation support agreements. Agreements between the CSP and customer must address a number of areas. 12 Cloud Agreements  Ownership/privacy of data – Multiple tenants, organizations or commands may reside in the same cloud  Compliance – With all appropriate DoD and federal regulations and directives  Performance – Establish performance levels for uptime, access, reporting, outages, etc.  Recovery – Applications and/or tenant data recovery times  Security – Define all security at each level (access, data, database, application, infrastructure, etc.) Sustain Strategic Objective 4 NJVC, LLC Proprietary Data. Do Not Distribute
  13. 13. All organizations and departments operating within a cloud should  Leverage the DoD and FedRAMP processes and approved security authorization requirements as a baseline when initiating, reviewing, granting, and revoking security authorizations for cloud services  Require CSPs to meet DoD and FedRAMP requirements via contractual provisions  Identify and report on cloud services being used that do not meet DoD and FedRAMP requirements 13 Cloud Certification & Accreditation The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. The DoD is going beyond FedRAMP. Computer network defense service provider will manage the security data reporting between DoD organizations and oversight agencies, like Cyber Command and DISA. Sustain Strategic Objective 4 NJVC, LLC Proprietary Data. Do Not Distribute
  14. 14. Cloud Security Maturity  Consolidation – Data consolidation to improve efficiency and unify security information provided across the cloud  Automation – Automation of security processes, services, and tools to require less manpower; increase response times to threats; and improve efficiency to provide better service  Collaboration – Remove the barriers of data, software, or IT architecture to facilitate correlation and aggregation of all data feeds to support defense in depth  Intelligence – Generates easy to understand actionable intelligence: to spur decisions by administrators and operators  Visibility – Maintain real-time view of enterprise, including all connected devices and provide continuous monitoring to meet continuous threats 14 Target to move here Mature Strategic Objective 7 Security measures and security services provided by the cloud should NEVER constitute the totality of your security model. Approach security from a holistic point of view with a layered security “defense in depth” posture against cyber threats NJVC, LLC Proprietary Data. Do Not Distribute
  15. 15. Government as a Platform  Government business model changes from isolated systems to integrated services.  Data ownership, service agreements, and governance of service processes are key issues.  Cloud implementation requires the most focus on information assurance and security.  Need exists for better integrated security and threat sharing across the cloud boundaries.  Security is the worst inhibitor of cloud integration and deployment. Think government as a platform—big-data-accessible, mission events, and streaming service integration to serve mission needs NJVC, LLC Proprietary Data. Do Not Distribute 15
  16. 16. NJVC, LLC Proprietary Data. Do Not Distribute 16