David Slater G-Cloud Meet Up

Presentation from David Slater at our G-Cloud Meet Up

  1. David Slater, CLAS Consultant
  2. Security in G-Cloud Services at Restricted dd-mm-yyyy
  3. Introduction
     • Achieving Restricted (IL3) accreditation of a service is not easy
     • Presentation covers experiences gained from achieving accreditation of Restricted (IL3) services for Atos
     • Not an exhaustive list – just the highlights
     | Identity, Security and Risk Management from Atos Consulting
  4. Before You Start …
     • Review your solution against:
       • CESG Architectural Patterns
       • CESG Good Practice Guides
       • IS Standards
     • Check that your ISO 27001 Certification is:
       • Current
       • Suitably scoped
       • UKAS Certified (recognized)
     • CESG like compliance matrices against the relevant GPGs
     • Read the PSN Code
  5. Key Security Controls
     • Make sure applications:
       • Address the OWASP Top Ten
       • Think about limiting concurrent logins
       • Think about defense in depth:
         • Input Validation
         • Parameterized Stored Procedures
         • Output Validation
     • Manage Out-of-band:
       • Separate Interface
       • Not via the Internet
     • Lock everything down against Industry Guides (Center for Internet Security)
     • Use CPA approved or Common Criteria approved products
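The application controls on this slide (input validation, parameterized database access, output validation, and a cap on concurrent logins) are easiest to see side by side in code. The following is an added example written for this page, not code from the presentation or from Atos; it uses an in-memory SQLite table with constructed sample rows, and stands in a parameterized query for the slide's "parameterized stored procedures" (SQLite has no stored procedures, but the placeholder mechanism that keeps data out of the SQL text is the same). The table, column names, username rule and session cap are all assumptions made for illustration.

```python
"""Defense-in-depth controls for a user-lookup handler (constructed example).

Layers shown, matching the slide:
  1. input validation   - reject anything that is not a well-formed username
  2. parameterized query - user data travels as a bound parameter, never as SQL text
  3. output validation  - encode before the value reaches HTML
  4. concurrent-login cap - refuse a new session once a user has too many open
"""
import html
import re
import sqlite3

# Assumed username policy: short, alphanumeric plus a few separators.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validate_username(name: str) -> str:
    """Input validation: allow-list the shape of a username, reject everything else."""
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("invalid username")
    return name


def build_db() -> sqlite3.Connection:
    """Constructed sample data; the display name deliberately contains HTML."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, display TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "Alice <Admin>", "admin"), ("bob", "Bob", "user")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """The 'before' form: string concatenation lets the caller's input become SQL."""
    sql = "SELECT name, display, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """The hardened form: validate first, then bind the value as a parameter."""
    name = validate_username(name)
    return conn.execute(
        "SELECT name, display, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def safe_lookup_rejects(conn: sqlite3.Connection, name: str) -> bool:
    """True when the validated lookup refuses the input outright."""
    try:
        lookup_safe(conn, name)
    except ValueError:
        return True
    return False


def render_display(row: tuple) -> str:
    """Output validation: HTML-encode stored data before it is rendered."""
    _name, display, _role = row
    return "<td>" + html.escape(display) + "</td>"


class SessionLimiter:
    """Concurrent-login cap: at most `max_concurrent` live sessions per user."""

    def __init__(self, max_concurrent: int) -> None:
        self.max_concurrent = max_concurrent
        self._sessions: dict = {}  # user -> set of live session ids

    def login(self, user: str, session_id: str) -> bool:
        """Register a session; returns False (login refused) when the cap is hit."""
        active = self._sessions.setdefault(user, set())
        if session_id in active:
            return True
        if len(active) >= self.max_concurrent:
            return False
        active.add(session_id)
        return True

    def logout(self, user: str, session_id: str) -> None:
        self._sessions.get(user, set()).discard(session_id)


if __name__ == "__main__":
    db = build_db()
    # The classic tautology returns every row through the unsafe path ...
    print(lookup_unsafe(db, "x' OR '1'='1"))
    # ... and is rejected before it ever reaches the database on the safe path.
    print(safe_lookup_rejects(db, "x' OR '1'='1"))
    print(render_display(lookup_safe(db, "alice")[0]))
```

The validation step alone would stop the injection shown, but it is the parameter binding that protects the query even when a future validation rule is loosened; that is the point of layering the controls rather than relying on one.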
  6. Support
     • Keep it in the UK at Restricted (IL3)
     • Use secure protocols:
       • SSH
       • HTTPS
     • Use dedicated support terminals
     • CESG approved encryption across insecure networks
       • Issue with approved products
     • Support from the office – not via Internet/Remote Access
     • Cleared staff
       • Another issue
  7. Consider hosting in a pre-accredited Service
     • A number of accredited ‘hosting’ environments:
       • Atos
       • Skyscape
       • Lockheed Martin
       • SCC
     • Not all the same, each has its strengths and weaknesses
     • Look at what you get against your needs:
       • Internet Connection
       • PSN Connection
       • Support Connections
       • Monitoring
       • Patching
       • Disaster Recovery
       • Protective Monitoring
  8. Things that catch you out …
     • Staff Clearances
       • Cabinet Office will clear a small number
       • SC for privileged users
     • Key Material for CAPS products
       • No easy route to gain
       • No real alternative
     • Penetration Tests
       • Recent – a many-month-old test is no good
       • Single vulnerability allowing inter-network connection
     • CESG Design Review
  9. The PGA (Pan Government Accreditor) is …
     • Risk averse
     • Well briefed
     • Has a lot of backup
     • Aligned with CESG Guidance
  10. Thank You
