Determining If Cloud Services Are Secure Enough: What Would FedRAMP Do? John Pescatore, SANS

Transcription

1 Determining If Cloud Services Are Secure Enough: What Would FedRAMP Do? John Pescatore, SANS 1

2 Hierarchy of Security Needs CYA Audit/certification Someone else is using it Visibility Address lack of control and abundance of promises/claims Early warning if something is going wrong Extension of existing security controls Testing of new approaches Go back to CYA 2

3 Overcoming Challenges 3

4 4

5 Realistic View of Cloud Risks Many, not all, cloud services are run more securely than many enterprise data centers The loss of transparency and visibility is an immediate impact of all cloud use Separation of duties, change control and data leakage are the major risk areas Security controls and policies (and skills!) need to be extended to include cloud services. The biggest risk is the need to change business/mission processes to match. 5 5

6 Best Practices in Security Sensitive Sectors Security architecture for VMware/virtualized data centers (skills!) 3 rd party trust processes updated (or created ) to deal with SaaS SaaS and CRM SaaS usually the camel s nose under the tent Achieve visibility and control parity with DIY/data center services When Dev/Test tries IaaS, security architecture adapted to cover hybrid cloud Address new threat vectors/exploit new control capabilities Where are you on BYOD CYOIT and IoT? 6

7 Realistic Approach Have a framework to assess security levels of SaaS and IaaS Cloud Security Alliance NIST Framework CIS Critical Security Controls Make sure security is involved in cloud services selection process Where possible, drive selection from FedRAMP approved list Make sure your security processes can scale to more than one CSP 7

8 NIST Reference Architecture 8

9 CSA Reference Architecture 9

10 Start With the Most Secure Cloud Service Providers There is a big difference between commodity and enterprise class CSPs Make sure security team is part of CSP selection/evaluation FedRAMP list is a good starting point Security team skills may need to be plussed up Think Basic Security Hygiene for Cloud Use Critical Security Controls 10

11 FedRAMP Assessment Process The FedRAMP Agency ATO authorization process should follow the FedRAMP Security Assessment Framework (SAF) The FedRAMP SAF is based on the NIST Risk Management Framework (RMF) The FedRAMP SAF is available on FedRAMP.gov by navigating to the Resources - > Program Documents webpage 11 11

12 FedRAMP Continuous Monitoring Requirements 12 12

13 FedRAMP Continuous Monitoring Mapping Frequency Control Critical Security Control Continuous and Ongoing Auditable Events (14) Maint, Mon, Analysis of Logs Component Inventory (1) Inventory of Devices Incident Reporting Vulnerability Scanning (18) Incident Resp and Mgmt (4) Continuous VA and Remediation Weekly Audit Review, Report (14) Maint, Mon, Analysis of Logs Monthly Vulnerability Scanning (4) Continuous VA and Remediation Sec State Monitoring Flaw Remediation Software/Info Integrity (14) Maint, Mon, Analysis of Logs (3) Secure Configurations (2) Software Inventory 13 13

14 Focus on These Key Security Processes Strong authentication/access monitoring on admin accounts Extending configuration monitoring/vulnerability assessment to CSPs Incident response processes across multiple CSPs Data Security Do you need a Cloud Access Security Broker? 14

15 Encryption is not penicillin but Encryption at rest is hard to do well Fear of self inflicted wounds Hard to prove whether done well or not Encryption done perfectly does not solve all risks See phishing, Heartbleed, etc. Small percentage worried about physical security at Amazon and Google Until user ID problem is solved, access control will not be solved completely by encryption 15

16 Security as a Service Good Old Data Center Nontraditional Application Ecosystems 16

17 Security from the Cloud Major Areas Already In Use DDoS mitigation 45% delivered by ISPs 45% by cloud-based DDoS mitigation MITM security as a Service Already more than 45% anti-spam/ AV delivered from cloud Vulnerability Assessment 30% VA scans delivered from the cloud 20% application vulnerability testing delivered from cloud Web Security Gateway 25% delivered from the cloud today. 17

18 Security as a Service: Cloud Access Security Broker Source: Gartner

19 Bottom Line There are no immovable objects for business use of cloud services Security built into virtualization and cloud is a key piece of solution, not entirety There is no such thing as using only one cloud service Mobile and IoT are cloud first How far are you from encrypting stored data? 19

20 Resources SANS 2017 Incident Response Survey: What Works: SANS SOC Summit 20