ASD CERTIFICATION REPORT

Transcription

1 ASD CERTIFICATION REPORT Amazon Web Services Elastic Compute Cloud (EC2), Virtual Private Cloud (VPC), Elastic Block Store (EBS) and Simple Storage Service (S3) Certification Decision ASD certifies Amazon Web Services EC2, VPC, EBS and S3 for use up to, and including, UNCLASSIFIED (DLM) as per the Australia Government security classification scheme. This certification is valid for 24 months, expiring on 20 th April Certification is based on an independent IRAP assessment and corroborating ASD certification activities. Australian Government agencies must ensure any systems deployed on Amazon Web Service are independently certified and the system wholly accredited as per the Australian Government Information Security Manual. ASD also recommends agencies deploy to the Amazon Asia Pacific (Sydney) Region. Purpose The information provided in this report is for customers of Amazon Web Services, including Australian Government agencies, and intended to inform an accreditation decision by the customer. Customers of these services should understand that cyber incidents may still occur, however ASD can confirm that AWS have taken reasonable steps to implement Australian Government recommended information security controls. The purpose of the Information Security Registered Assessment Program (IRAP) assessment and ASD certification is to assess and highlight the security posture of the cloud service. Full compliance with all security controls is not essential for certification. Certification is based on the assessed security of the cloud service, untreated risks, as well as the security posture of the company and operations staff. Both the IRAP assessment and ASD certification are based on a snapshot in time view of the security applied to the cloud service against the agreed scope of the service. Customers of this cloud service need to perform accreditation based on the proposed use of the service and the risk appetite of the customer. This certification aims to inform the accreditation authority of information security risks, however customers must also consider financial, privacy, data ownership, data sovereignty and legal risks posed by the use of this cloud service. Page 1 of 6

2 Background Mr. Nathan Joy (IRAP 1037) conducted an IRAP assessment of the AWS EC2, VPC, EBS and S3 cloud services between January and October ASD conducted certification activities for these services between November 2014 and March ASD has assessed the security of these services to be suitable for data at UNCLASSIFIED (DLM) as per the Australian Government security classification scheme. This ASD Certification expires on 20 th April 2017, or sooner should re-certification be triggered. ASD reserves the right to conduct ad-hoc certification activities inside this certification period. Reasons for re-certification inside this certification period could include, but not be limited to: Changes in information security policies, including associated risk assessments Detection of new or emerging threats to the cloud services The discovery that controls are not operating effectively or as expected The occurrence of a major cyber security incident, directly or indirectly System architectural changes Significant changes to the company profile, including company partners Changes to the cloud service. Definitions AWS defines the cloud services contained in this certification as follows: 1. Amazon Elastic Compute Cloud (EC2) is a web service that provides resizable compute capacity in the cloud, where you can obtain and configure capacity. 2. Amazon Virtual Private Cloud (VPC) enables the provision a logically isolated section of the Amazon Web Services (AWS) Cloud where you can launch AWS resources in a virtual network that you define. 3. Amazon Elastic Block Store (EBS) offers persistent storage for Amazon EC2 instances. 4. Amazon Simple Storage Service (S3) provides secure, durable, highly-scalable object storage. Assessment Scope The National Institute of Standards and Technology (NIST) defines cloud computing as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. (Reference: The NIST Definition of Cloud Computing Special Publication ) ASD does recognise differing payment models for cloud services outside the NIST definition. IRAP Assessments and ASD Certifications are conducted passively, in partnership with the cloud provider, to fact find and provide transparency into the security functionality and controls of the cloud service. These activities do not include penetration testing, active vulnerability assessments, deep dive code review or any other active activities. Page 2 of 6

3 Out of Scope This certification does not include client-side connections to these services. The customer should ensure components outside the scope are separately assessed, certified and accredited independent of this certification. Amazon CloudWatch, Amazon CloudTrail and Amazon Config, as well as other Amazon services are not included in this certification. Agencies should consider logging services and identity management as part of their cloud procurement and conduct rigorous risk assessments, including understanding the risks of poor logging, before procuring these services. The IRAP Assessor did not find the following communications systems and devices in the AWS cloud platform and, hence, deemed them out of scope of the assessment: Radio Frequency and Infrared Devices Fax Machine and Multifunction Devices Telephones and Telephone Systems Mobile Devices Shared Security Responsibility in the Cloud Security in the cloud is reliant on both the provider and the customer. Amazon Web Services details the division of this security responsibility in the below graphic (aws.amazon.com/security/sharing-the-security-responsibility/): Page 3 of 6

4 Physical Security At the time of this certification AWS operates in 11 regions. ASD recommends Australian Government Agencies deploy to the Asia Pacific (Sydney) Region, and not transfer data between regions. Physical certification for the relevant Sydney Data Centre was sighted by the IRAP Assessor and ASD Certification Authority. IRAP Assessment Findings Application Whitelisting AWS have mitigated the risk of not implementing application whitelisting on AWS Linux hypervisor hosts as per the ASD guidance The Top 4 in a Linux Environment. Compensating security controls, including compliance with ISM control 1460 and use of a tightly controlled software deployment mechanism, are designed to protect AWS Linux hypervisor hosts from running unauthorised software. In addition, agencies have the responsibility to implement application whitelisting for their virtual machines running in the AWS cloud, as per the Shared Responsibility Model. (Reference: ISM Controls 0843, 0845, 0846, 0848, 0849, 0851, 0955, 1392, 1391, 0957, 1353, 1354, 1460) Secure Sockets Layer Amazon was found to support the use of SSL, while ASD recommends only TLS. Agencies should include this non-compliance in associated risk assessments and accreditation. (Reference: ISM Controls 0482, 1447, 1139) IT Security Framework and Change Management AWS have senior executive personnel with related security management roles and responsibilities, and a defined and effective IT security team. AWS have developed and maintain an effective information security framework and documentation suite. Most documentation can be found at amazon.com or is available under a non-disclosure agreement. This documentation is developed within AWS and is not outsourced. AWS applies a systematic approach to change management, reviewing, testing, approving and communicating changes to services which could impact customers. Incident Response AWS has a significant Incident Response Plan, which is tested regularly, updated annually and as lessons are learnt. The IRAP Assessment highlighted that in the event of a significant incident, AWS could require the involvement of external parties. Agencies should consider this in their risk assessment and accreditation process. AWS Access Management All AWS user accounts are reviewed at least quarterly and all group owners review and remove users who no longer require group membership, based on job functions and roles. Appropriate approvals for requests to establish accounts are documented and retained. Passphrase AWS should implement passphrase length controls as described in the ISM. (Reference: ISM Control 0421) Page 4 of 6

5 Secure Administration and Network Security While AWS complies with those controls relating to Secure Administration and Network Security, agencies must ensure any systems being deployed on to the Amazon cloud platform are also ISM compliant. (Reference: ISM Controls relating to Secure Administration and Network Security) Product Security The IRAP Assessment found AWS did not comply with Product Selection ISM requirements. AWS do ensure all components meet the strict Amazon functional security requirements and specifications prior to and during deployment. (Reference: ISM Controls 0279, 0280, 0282, 0289, 0293, 0294, 1168) Maintenance The IRAP Assessor validated that AWS schedules, performs, documents and reviews records of maintenance and repairs on AWS components. AWS only provides access to data centres and associated information for vendors, contractors and visitors with a legitimate business requirement. All visitors are escorted throughout the visit. Cabling Australian Data Centres hosting AWS do not comply with ISM cabling requirements. Cabling colours match the AWS Internal Cabling Procedures and do not align to the requirements in the ISM. Instead of the entire system consisting of one cabling colour for the security domain, AWS has implemented differing colours to highlight critical cabling over non-critical. Agencies should consider this a low risk for inclusion in agency risk assessment documentation, with a better security outcome achieved by Amazon s processes given the operating environment. Media Labelling AWS did not comply with ISM controls relating to Labelling Media. AWS considers all customer data as sensitive and hence all media is treated as sensitive. ASD considers this a strong security outcome. (Reference: ISM Controls 0332, 0333, 0334) Customer Responsibilities Customers connecting to this cloud service must conduct an assessment, certification and accreditation of customer-side systems connecting to the service. Customers must ensure they are aware of the scope of this assessment as described in the Cloud Service Scope, and aware of their responsibilities under the AWS Shared Responsibility Model (graphic above). In addition, agencies should ensure they implement those ISM controls which pertain to the agency, which may include, but not be limited to: Risk Assessment Australian Government agencies deploying ICT systems in the AWS platform must conduct due diligence and accreditation, including a risk assessment. Agencies should read Amazon Compliance and Security Whitepaper in conjunction with other security documentation to inform this risk assessment and understand their role in the Shared Responsibility Model. Agencies must also consider their security posture against ASD s Cloud Computing Security for Tenants. (Reference: ISM Controls 1210, 0872) Configuration and Support Page 5 of 6

6 Agencies are responsible for configuration of their AWS services. EC2 requires considerable configuration, including the patching of the guest operating system on each instance as well as any software installed. Through S3 agencies will need to configure each storage bucket and backup options. Agency IT staff should become familiar with these configuration options and make recommendations to agency staff procuring AWS, in line with agency IT policies and your organisation s needs. In addition AWS offer differing support models based on the agency s per/month purchase. There is considerable AWS training available online, including configuration demonstrations. Some security warnings will be displayed during configuration and these should be reviewed carefully. Cryptography AWS provides customers with the ability to use encryption for AWS cloud services. Agencies must ensure that data is adequately encrypted. (Reference: ISM Cryptography Chapter) Data Transfer and Content Filtering While AWS has implemented data transfer controls that detect and mitigate unauthorised or malicious activity from transiting a security boundary, agencies must note that these controls relate to the protection of AWS underlying infrastructure. Agencies must ensure they adequately protect deployed information systems. (Reference: ISM Data Transfer and Content Filtering Chapters) Access Control Agencies should comply with the Access Control requirements of the ISM. (Reference: ISM Access Control Chapter) Working Off-Site Agencies should consider the security implications before they permit staff and/or contractors to access government information on the AWS platform from outside Agency premises (Reference: ISM Working Off-Site Chapter) Incident Response Plan Agencies must develop an Incident Response Plan as per the ISM. The IRP should detail how to monitor, handle and respond to an incident regarding agency data in the cloud. In addition the IRP should consider how to conduct incident forensics, in partnership with the cloud service provider. Agencies should develop a policy to enable reporting of incidents and vulnerabilities to AWS (via the AWS Vulnerability Reporting website). Business Continuity Plan and Data Ownership Agencies must consider the ability to maintain the integrity, availability and confidentiality of agency data in the event the agency is required to move the data to a different cloud provider, or in-source data, in the future. Other Compliance Certifications Details of other compliance certifications held by Amazon Web Services can be found at aws.amazon.com/compliance/ Page 6 of 6