Slides - Irongeek.com
FEDRAMP: EXPLORING THE WEAKNESSES IN THE FEDERAL CLOUD SECURITY STANDARD :: DerbyCon 2014

ABOUT US
Vinny Troia, Founder & Chief Security Consultant
• Security Consulting Firm
• Compliance Consulting - PCI DSS, ISO, HIPAA, FISMA
• 7 years in Federal/DOD with FISMA, DIACAP
• FedRAMP with major Cloud providers (Gartner leaders)
• Info at: NightLionSecurity.com
• Twitter: @VinnyTroia and @NightLionSec
Dissecting Federal Cloud Security - DerbyCon 2014

WHAT IS FEDRAMP?
• Federal Risk and Authorization Management Program
• Derivative of the NIST 800-53 (rev3) controls
• Required for Federal Systems using Commercial Clouds
• Industry standard for Cloud Compliance

WHAT DOES FEDRAMP COVER?
(Diagram of five management areas and the questions each one answers)
• POLICY MGMT - What needs to be secured? How are we going to secure it?
• RISK MGMT - What's my risk?
• VULNERABILITY MGMT - Where and how am I vulnerable? Which areas of the system are exposed to attack?
• REMEDIATION AND EXCEPTION MGMT - What has been fixed? What hasn't been addressed? What is the operational impact? Remediate findings; exception management supports the mitigation of noncompliance items.
• ASSET INVENTORY AND CONFIGURATION MGMT - What do I have on my network? Is it secure? Is it compliant? Is it actively monitored?

WHY FEDRAMP?
(Timeline) Poor Federal Security -> 2011 OMB Cloud Requirement -> 2014 Cloud Transition Deadline

POOR SECURITY?
• Public IRS FISMA Report from 2012
• 2012 report showed 7,329 vulnerabilities across 23 CRITICAL un-applied patches

IMPROVEMENT IN 2013?

WHY FEDRAMP?
• Federal Government cannot implement their own Security Program
• No accountability
• Cost Savings
• Passing the buck on liability

IS IT SECURE?
• Based on NIST 800-53 rev 3
• FedRAMP is a checkbox exercise
• Many items are fixed with 800-53 rev 4

PHASES
PRE-AUDIT -> AUDIT -> CONTINUOUS MONITORING

PRE-AUDIT
• The Information System Boundary
• JAB's Critical "28 Must Have" Controls

DEFINING THE BOUNDARY
What components make up the "System"?

THE CRITICAL 28
• CA-7(2): Annual Penetration Testing
• CM-2: Baseline Configuration and System Component Inventory (build standards for all assets/devices)
• CM-6: Configuration Settings (using FedRAMP-defined security configuration settings, e.g., CIS, USGCB, etc.)
• CM-8(3): Information System Component Inventory (automated tools to detect unauthorized devices and disable/alert upon detection)
• CP-6: Alternate Storage Site
• CP-7: Alternate Processing Site
• CP-8: Alternate Telecommunication Services
• CP-9: Information System Backup (at least three (3) copies of user-level and system-level backups)
• IA-2(1): 2FA authentication for network access to privileged accounts
• IA-2(2): 2FA authentication for network access to non-privileged accounts
• IA-2(3): 2FA authentication for local access to privileged accounts
• IA-7: Cryptographic Module Authentication - FIPS 140-2 validated crypto modules
• IR-4: Incident Handling/Reporting consistent with Federal incident handling/reporting guidelines
• IR-6: Incident Handling/Reporting consistent with Federal incident handling/reporting guidelines
• MP-4: Media Storage - FIPS 140-2 encryption of data stored on digital media
• MP-5: Media Transport - FIPS 140-2 encryption of digital media transported outside of controlled areas
• PS-3: Personnel Screening - background investigations on all staff with access to Federal data
• PS-7: Third-Party Personnel Security - background investigations on all staff with access to Federal data
• RA-5: Monthly Vulnerability Scanning (using specialized testing tools)
• RA-5(9): Annual Penetration Testing
• SA-11(1): Code Analysis Report (submitted as part of the initial package and with reauthorization actions)
• SC-2: Application Partitioning - separates user functionality (including user interface services) from information system management functionality
• SC-4: Information in Shared Resources - prevent unauthorized and unintended information transfer via shared system resources
• SC-7: Boundary Protection - separate enclaves (DMZ/VLAN) for logical and physical devices/assets that make up the authorization boundary
• SC-8(1): Transmission Integrity - employs cryptographic mechanisms to recognize changes to information during transmission
• SC-9(1): Transmission Confidentiality - employs cryptographic mechanisms to prevent unauthorized disclosure of information during transmission
• SC-13: Cryptographic Module Authentication - FIPS 140-2 validated crypto modules
• SI-2: Flaw Remediation (remediating High risk in 30 days; Medium in 90 days)

INTERCONNECTIONS
What makes a system in-scope vs. interconnected?
• The Cloud Product must have physical and logical separation from the corporate infrastructure
• If a system is shared, it is considered Interconnected
• Interconnected systems are NOT bound by the same requirements as systems within the Cloud Environment

THE AUDIT
• Data Collection is an immense task
• Be prepared to live with your Auditors for at least one month
• Do not try to manage with a spreadsheet
• Penetration Test

PENETRATION TEST
• No Discovery Scan
• Will ONLY test external-facing systems (networks or web apps)
• No Social Engineering
• INTERNAL web apps, servers, and devices are NOT in scope

INTERNAL THREAT IS OVERRATED
• If a device or app is inside the network, then it's already protected!
• How much damage can one internal web app do, anyway?

RELAX!!
10-year-old custom Java password vault? It's INTERCONNECTED!

CONTINUOUS MONITORING
• 18 months and going strong!
• Audit must complete with NO HIGH findings. No Exceptions.
• Continuous Monitoring Starts

WHAT IS ISCM?
"Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions." - NIST SP 800-137

IT'S ALL ABOUT RISK
ISCM is a framework for Risk Management

ISCM DELIVERABLES
• Incident Reporting - as needed
• Monthly vulnerability scan and patch reports
• Ongoing Plan of Action & Milestones (POAM) updates
• Quarterly configuration compliance reports
• Annual Contingency Plan exercise test results

QUESTIONS?
Thank you for listening! Stay in Touch!
EMAIL: vinny [at] NightLionSecurity.com
WEB: NightLionSecurity.com
TWITTER: @VinnyTroia, @NightLionSec