Ring of Fire : Achieving a FISMA Compliant Transition to Office 365. Matthew Maes, INL Cyber Security

Transcription

1 Ring of Fire : Achieving a FISMA Compliant Transition to Office 365 Matthew Maes, INL Cyber Security

2 Sharing Our Lessons Learned From A Cyber Security Prospective What went well Wish we would have known that We should have done that different

3 Office 365 Project Timeline Planning & Discovery We Are Here Testing Pilot Migration Implementation Tasks IATT Signed Implementation Work Starts AO Approval/ Pilot Begins Migration Ends MAY 2017 SEP 2017 FEB 2018 APR 2018 MAY 2018 JUN 2018 AUG 2018 SEP 2018 Office 365 Discovery Cyber Risk Presentation to AO Migration Begins Project Completion O365 Cyber Risk Assessment Migration Tool Security Review Implement and Validate Security Controls

4 Early Cyber Security Project Involvement Get the Authorizing Official on board as soon possible Determine what services the organization wants to use Determine what services are off limits Define cyber security objectives Develop the control baseline IATT Signed Implementation Work Starts AO Approval/ Pilot Begins Migration Ends Office 365 Discovery Cyber Risk Presentation to AO Migration Begins Project Completion

5 Identify the Migration Tool Early Tool was chosen within 3 months of implementation NDA timeline delayed security review of tool and the project timeline Migration Tool Identified IATT Signed Implementation Work Starts AO Approval/ Pilot Begins Migration Ends Office 365 Discovery Cyber Risk Presentation to AO Migration Begins Project Completion O365 Cyber Risk Assessment Migration Tool Security Review Migration Tool Security Review

6 Picking a Migration Tool DIY, FastTrack or Procure INL leveraged Gartner to evaluate capabilities of products on the market Operational challenges: How to normalize data between G Suite and Office 365 Gartner Representative Vendors AvePoint Simflofy Binary Tree SkyKick BitTitan SkySync CodeTwo Tervela Metalogix Transend Quest Xillio Sharegate Maintain folder (label) structure and tags Cyber security challenges: Most tools are cloud based Lack of FedRAMP authorized tools

7 Office 365 Government Community Cloud (GCC) Servers are physically isolated from non-government customers Only screened US citizens have logical administrative access Additional background screening

8 Where to Get Information FedRAMP Package Microsoft Office 365 (MT & GCC) Government Compliance Considerations Office 365 US Government TechNet Page Office 365 Trust Center FedRAMP Page Trust documents in the Office 365 administrator portal Other important documents: Auditing and Reporting in Office 365 Compliance Framework for Industry Standards and Regulations for Office 365 and related Microsoft services Encryption in the Microsoft Cloud *Self-Service Handling of Data Spills in Office 365 Security Incident Management in Microsoft Office 365 Tenant Isolation in Microsoft Office 365 Underlined Titles are Hyperlinked, download presentation *Available in your Office 365 Security & Compliance Portal

9 Trust Documents Available in the Portal Security & Compliance >> Service Assurance >> Trust Documents

10 What Services Are Covered By FedRAMP?

11 Encryption in Office 365 Data protected in transit and at rest Customer implemented technologies Secure Multipurpose Internet Mail Extension (S/MIME) Azure Rights Management (Azure RMS) Office 365 Message Encryption Which technologies will be used? Integrating Entrust?

12 Preparing for Mandatory TLS 1.2 in Office 365 Currently Microsoft allows TLS 1.0, TLS 1.2 and TLS 1.2 O365 always uses opportunistic TLS; The highest available protocol will automatically be used But If you don t enforce TLS 1.2 and/or allow less then TLS 1.2 you are at risk October 31, 2018, Microsoft Office 365 will no longer support TLS 1.0 and 1.1 Customer Network If you have devices that do not support TLS 1.2 you may experience connectivity issues Browser based Connection TLS 1.2 TLS 1.1 TLS Browser based Connection (VPN)

13 ADFS is Required to be FedRAMP Compliant -What does that look like? Customer Network Azure AD Connect AD DS AD FS Customer Workstation

14 ADFS Syncing Identities 1 Customer Network Azure AD Connect 1. Azure AD Connect reads AD DS for mail enabled accounts 2. Azure AD Connect Syncs those identities into Azure Active Directory *requires a one-way trust *sync occurs over mutually authenticated TLS connection AD DS AD FS 2 Customer Workstation

15 ADFS User Access Customer Network Azure AD Connect 1. User attempts to access O365 & is redirected to customer ADFS Server 2. ADFS validates user identity with AD DS & issues a ticket 3. O365 validates the ticket and the user gains access AD DS AD FS 2 Customer Workstation 1 3

16 ADFS Remote User Access AD DS 3 Customer Network Azure AD Connect AD FS 1. *User can t authenticate without VPN 2. User attempts to access O365 & is redirected to customer ADFS Server 3. ADFS validates user identity with AD DS & issues a ticket 4. O365 validates the ticket and the user gains access 5. *User can access O365 without VPN for the life of the session 5* 2 4 Laptop 1*

17 Customer Implemented Security Controls 109 Security Controls with customer responsibilities A large percentage can be inherited from common controls Identity and Access Management (IAM) handled through AD DS Scoped in CM controls to ensure: O365 configuration is reviewed and updated at least annually Changes to O365 go through the INL Release Advisory Board/Change Control Process Configuration reviews when Microsoft makes a major O365 change Maintain a copy of all O365 power-shell scripts to enable a rollback Maintain a test environment to complete security impact analysis

18 Documenting Customer Security Controls with ServiceNow GRC

19 Documenting Customer Security Controls with ServiceNow GRC

20 Assessing Customer Security Controls with ServiceNow GRC

21 Assessing Customer Security Controls with ServiceNow GRC

22