NLETS & CLOUD SECURITY
Bill Phillips, Information Security Officer

Overview
- Enhancing Nlets Audit Capabilities
- Nova Architecture
- Nova Security Services
Audit
Enhancing Nlets Audits
- Revising the existing audit process
- Better Communications
- Enhance Onboarding
- Enhancing Functionality
- Align with Emerging Standards
- Ensure Consistent Scrutiny

Enhancing Nlets Audits
- Contracted SME for Cloud Assessments
- Co-Development of Assessment Standards
- Assess Partner Cloud Deployments
- Lead and Follow Nova Assessment
Architecture
Policy Reference 5.10.3.2 Virtualization

Virtualization refers to a methodology of dividing the resources of a computer (hardware and software) into multiple execution environments. Virtualized environments are authorized for criminal justice and noncriminal justice activities. In addition to the security controls described in this Policy, the following additional controls shall be implemented in a virtual environment:

1. Isolate the host from the virtual machine. In other words, virtual machine users cannot access host files, firmware, etc.
2. Maintain audit logs for all virtual machines and hosts and store the logs outside the host's virtual environment.
3. Virtual Machines that are Internet facing (web servers, portal servers, etc.) shall be physically separate from Virtual Machines (VMs) that process CJI internally or be separated by a virtual firewall.
4. Drivers that serve critical functions shall be stored within the specific VM they service. In other words, do not store these drivers within the hypervisor, or host operating system, for sharing. Each VM is to be treated as an independent system secured as independently as possible.
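The four 5.10.3.2 controls above are the kind of thing an assessor checks against a hypervisor inventory. The following Go program is an added example, not code from the presentation, Nlets or the CJIS Security Policy: it evaluates a constructed inventory against each control (host isolation, off-host audit logs, Internet-facing/CJI separation by host or virtual firewall, no drivers shared from the host) and reports one finding per violation. The VM and Host types, their field names, the host names hv-01/hv-02, the collector name siem.agency.example and the driver name are all assumptions made up for illustration, not any product's real schema.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Inventory types constructed for this example. Field names are assumptions,
// not any hypervisor product's real schema.
type VM struct {
	Name           string
	Host           string   // hypervisor host the VM runs on
	VSwitch        string   // virtual switch its adapter connects to
	InternetFacing bool     // web/portal server reachable from the Internet
	ProcessesCJI   bool     // processes CJI internally
	AuditLogTarget string   // collector the VM's audit logs are shipped to
	HostDrivers    []string // critical drivers loaded from the host/hypervisor (control 4: none)
}

type Host struct {
	Name               string
	AuditLogTarget     string
	GuestCanReachHost  bool            // host files/firmware reachable from guests (control 1: false)
	FirewalledSegments map[string]bool // pairKey(switchA, switchB) -> virtual firewall enforces between them
}

// pairKey gives an order-independent key for a pair of virtual switches.
func pairKey(a, b string) string {
	p := []string{a, b}
	sort.Strings(p)
	return strings.Join(p, "|")
}

// offHost reports whether a log target lives outside the hypervisor hosts
// (control 2). Empty, "local", or a host name means the logs stay on the host.
func offHost(target string, hosts map[string]Host) bool {
	if target == "" || strings.EqualFold(target, "local") {
		return false
	}
	_, isHost := hosts[target]
	return !isHost
}

// CheckVirtualization evaluates the inventory against the four 5.10.3.2
// controls and returns one sorted finding per violation (empty = compliant).
func CheckVirtualization(hosts map[string]Host, vms []VM) []string {
	var findings []string
	for _, h := range hosts {
		if h.GuestCanReachHost {
			findings = append(findings, fmt.Sprintf("control 1: host %s exposes host files/firmware to guests", h.Name))
		}
		if !offHost(h.AuditLogTarget, hosts) {
			findings = append(findings, fmt.Sprintf("control 2: host %s audit logs are not stored off-host", h.Name))
		}
	}
	for _, vm := range vms {
		if !offHost(vm.AuditLogTarget, hosts) {
			findings = append(findings, fmt.Sprintf("control 2: VM %s audit logs are not stored off-host", vm.Name))
		}
		if len(vm.HostDrivers) > 0 {
			findings = append(findings, fmt.Sprintf("control 4: VM %s loads critical drivers from the host (%s)", vm.Name, strings.Join(vm.HostDrivers, ", ")))
		}
	}
	// Control 3: each Internet-facing VM against each CJI-processing VM.
	for _, ext := range vms {
		if !ext.InternetFacing {
			continue
		}
		if ext.ProcessesCJI {
			findings = append(findings, fmt.Sprintf("control 3: VM %s is Internet facing and also processes CJI", ext.Name))
		}
		for _, cji := range vms {
			if !cji.ProcessesCJI || cji.Name == ext.Name || cji.Host != ext.Host {
				continue // different hosts count as physically separate
			}
			h := hosts[ext.Host]
			if ext.VSwitch != cji.VSwitch && h.FirewalledSegments[pairKey(ext.VSwitch, cji.VSwitch)] {
				continue // separated by a virtual firewall
			}
			findings = append(findings, fmt.Sprintf("control 3: Internet-facing VM %s shares host %s with CJI VM %s without a virtual firewall between them", ext.Name, ext.Host, cji.Name))
		}
	}
	sort.Strings(findings)
	return findings
}

// SampleInventory returns a constructed two-host inventory; hv-01 is set up
// correctly and hv-02 carries deliberate gaps for the checker to report.
func SampleInventory() (map[string]Host, []VM) {
	hosts := map[string]Host{
		"hv-01": {Name: "hv-01", AuditLogTarget: "siem.agency.example", FirewalledSegments: map[string]bool{pairKey("dmz", "cji"): true}},
		"hv-02": {Name: "hv-02", AuditLogTarget: "local", GuestCanReachHost: true},
	}
	vms := []VM{
		{Name: "portal-web", Host: "hv-01", VSwitch: "dmz", InternetFacing: true, AuditLogTarget: "siem.agency.example"},
		{Name: "records-db", Host: "hv-01", VSwitch: "cji", ProcessesCJI: true, AuditLogTarget: "siem.agency.example"},
		{Name: "dmz-proxy", Host: "hv-02", VSwitch: "flat", InternetFacing: true, AuditLogTarget: "siem.agency.example"},
		{Name: "legacy-app", Host: "hv-02", VSwitch: "flat", ProcessesCJI: true, HostDrivers: []string{"shared-storage-driver"}},
	}
	return hosts, vms
}

func main() {
	hosts, vms := SampleInventory()
	for _, f := range CheckVirtualization(hosts, vms) {
		fmt.Println(f)
	}
}
```

Run as written, the sample inventory yields five findings, all on hv-02: the host exposes itself to guests and keeps its logs locally, legacy-app keeps no off-host logs and loads a driver from the host, and dmz-proxy sits on the same host and switch as legacy-app with no virtual firewall between them. Control 3 is satisfied for hv-01 because portal-web and records-db are on different switches with a firewall recorded for that pair; the check treats different hosts as physical separation, which is the stricter of the two options the control allows.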
Setting the Keel
Security Services
Traffic Flow
Virtual Machines -> Virtual Network Adapter -> Virtual Switch -> Hypervisor Host -> Physical Network Adapter

Security Services Properties
- Legacy: Traffic Between Hosts
- Inter-VM traffic
- Agentless
- Bound to the VM

Security Services Offering
- SPI Firewall (5.10.1.1)
- Layer 2 Segregation
- Antimalware (5.10.4.2)
- Intrusion Detection System (5.10.1.3)
- Alert Notifications
- Automatic Updates
Questions?
Cloud Computing and the CJIS Security Policy
Nlets Implementers Workshop, August 30, 2016
Stephen Exley, CISSP, Senior Consultant/Technical Analyst, FBI CJIS ISO Program
Cloud Computing
What is Cloud Computing?
Defined by the CJIS Security Policy as: A distributed computing model that permits on-demand network access to a shared pool of configurable computing resources (i.e., networks, servers, storage, applications, and services), software, and information.
What Does the Cloud Actually Look Like?
A More Realistic Cloud Diagram (figure not reproduced; labelled region: On-premise environment)

Benefits of Cloud Computing
- Reduced Budgets
- Improved Efficiency
- Disaster Recovery
- Service Consolidation
Delineation of Responsibility/Governance
Security Concerns with Cloud Computing
- Privileged user access
- Regulatory compliance
- Data location
- Data segregation
- Recovery
- Investigative support
- Long term viability

Is the CJIS Security Policy (CSP) cloud friendly?
- Yes! The CJIS Security Policy is solution and device agnostic; not prohibitive.
- Independent assessment* recommended stronger controls
- Some LEAs already using cloud services for a variety of services
* Assessment results available on FBI.gov

Achieving CSP Compliance
- Will access to Criminal Justice Information (CJI) within a cloud environment fall within the category of remote access? (5.5.6 Remote Access)
- Will advanced authentication (AA) be required for access to CJI within a cloud environment? (5.6.2.2 Advanced Authentication; 5.6.2.2.1 Advanced Authentication Policy and Rationale)
- Does/do any cloud service provider's datacenter(s) used in the transmission or storage of CJI meet all the requirements of a physically secure location? (5.9.1 Physically Secure Location)
Achieving CSP Compliance (cont.)
- Are the encryption requirements being met? (5.10.1.2 Encryption)
  - Who will be providing the encryption as required in the CJIS Security Policy? (client or cloud service provider)
  - Note: Individuals with access to the keys can decrypt the stored files and therefore have access to unencrypted CJI.
  - Is the data encrypted while at rest and in transit?
- What are the cloud service provider's incident response procedures? (5.3 Policy Area 3: Incident Response)
  - Will the cloud subscriber be notified of any incident?
  - If CJI is compromised, what are the notification and response procedures?

Achieving CSP Compliance (cont.)
- Is the cloud service provider a private contractor/vendor? If so, they are subject to the same screening and agreement requirements as any other private contractors hired to handle CJI. (5.1.1.5 Private Contractor User Agreements and CJIS Security Addendum; 5.12.1.2 Personnel Screening for Contractors and Vendors)
- How will event and content logging be handled? (5.4 Policy Area 4: Auditing and Accountability)
  - Will the cloud service provider handle event and content logging and provide that upon request?
- What are the cloud service provider's responsibilities with regard to media protection and destruction? (5.8 Policy Area 8: Media Protection)

Achieving CSP Compliance (cont.)
- Will the cloud service provider allow the CSA and FBI to conduct audits? (5.11.1 Audits by the FBI CJIS Division; 5.11.2 Audits by the CSA)

Achieving CSP Compliance (cont.)
Cloud Computing and the CJIS Security Policy, Section 5.10.1.5 Cloud Computing: The metadata derived from CJI shall not be used by any cloud service provider for any purposes. The cloud service provider shall be prohibited from scanning any email or data files for the purpose of building analytics, data mining, advertising, or improving the services provided. See also Appendix G.3, Cloud Computing White Paper.
Cloud Computing Encryption Use Case #1: Agency Stores CJI in a Cloud
A CJA stores encrypted CJI (backup files and drives) in a cloud. To access CJI, the agency will extract the CJI from the cloud to its local machine and then decrypt the CJI. The CJI is processed, re-encrypted, and then re-uploaded to the cloud environment for storage. In this scenario, the agency always encrypts the CJI prior to placing it in the cloud, and only authorized users of the agency have access to the encryption keys. Since the agency maintains the encryption keys, the cloud service provider's employees would not need to undergo fingerprint-based background checks, nor have security awareness training. These requirements are negated because only authorized personnel with access to the keys have the ability to view this CJI in an unencrypted form.

Cloud Computing Encryption Use Case #2: Agency Accesses CJI While in a Cloud
A CJA stores CJI (files and drives) in a cloud service provider's environment, but as part of daily operations authorized users will remotely access the encrypted CJI in the cloud. The user will decrypt the CJI while it is in the cloud's virtual environment, process the data, and then re-encrypt the data prior to ending the remote session. The agency maintains the keys and the cloud service provider does not have access to the encryption keys. However, since the CJI is decrypted within the cloud's virtual environment, any administrative personnel employed by the cloud provider having the ability to access the virtual environment must be identified and subjected to security awareness training and personnel security controls as described in the CJIS Security Policy.

Cloud Computing Encryption Use Case #3: CJI Impact from a Datacenter Critical Systems Crash (Core Dump Recovery)
A CJA utilizes a cloud service provider (IaaS or PaaS) to store CJI and remotely accesses the environment to process CJI. During normal operation, the cloud provider experiences systems outages within the datacenter in which CJI is processed and stored. The cloud provider's administrators need to repair the systems and restore service using data from a core dump to return to normal operations. The cloud service provider, as part of the Service Level Agreement (SLA) with the CJA, has been authorized to maintain the encryption keys in order to respond to such an event.

Cloud Computing Encryption Use Case #3 (cont.): CJI Impact from a Datacenter Critical Systems Crash (Core Dump Recovery)
The cloud administrators with such access have undergone fingerprint-based background checks and security awareness training. This allows the cloud administrators to decrypt CJI so that it is written to the core dump files for restoration following the system outage. CJI, however, is encrypted at all times except when part of the core dump files. As part of the SLA, the cloud service provider has agreed to treat the core dump files as CJI to ensure all protections are in place in compliance with the CJIS Security Policy.
Cloud Computing Email FAQ
Question: Our city has recently been considering moving to a cloud-based email service covering all city departments and agencies, to include the local police department. Our question is: Are we allowed to send criminal justice information (CJI) through email?
Answer: You can send e-mail containing Criminal Justice Information (CJI) as long as it remains within your physically secure environment (as described in the Policy), you send the e-mail along an encrypted path (FIPS 140-2 certified, 128-bit) to the recipient, or you encrypt (FIPS 140-2 certified, 128-bit) the payload of the e-mail.
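Use cases #1 and #2 above both turn on who holds the encryption key, and the e-mail FAQ's third option (encrypting the payload) rests on the same property: whoever holds the key can read the CJI, and nobody else can. The following Go program is an added example, not code from the presentation, Nlets or the FBI CJIS ISO Program. It models use case #1: the agency generates a 128-bit AES key that never leaves its side, encrypts a record with AES-128-GCM before upload, and a stand-in object store only ever receives ciphertext; it also shows that a party without the key (or with a tampered or renamed object) gets an authentication error rather than plaintext. The CloudStore type, the object name, the sample record and the binding of the object name as additional authenticated data are assumptions made for illustration. Go's standard-library crypto is used here for clarity; it is not by itself a FIPS 140-2 validated module, which the FAQ answer above calls for, so a production deployment would need a validated implementation.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// CloudStore stands in for the provider's object storage. It only ever
// receives ciphertext; the key never leaves the agency. Constructed for this example.
type CloudStore struct{ objects map[string][]byte }

func NewCloudStore() *CloudStore { return &CloudStore{objects: map[string][]byte{}} }

func (s *CloudStore) Put(name string, blob []byte) { s.objects[name] = append([]byte(nil), blob...) }

func (s *CloudStore) Get(name string) ([]byte, bool) {
	b, ok := s.objects[name]
	return b, ok
}

// NewAgencyKey generates a random 128-bit AES key held only by the agency.
func NewAgencyKey() ([]byte, error) {
	key := make([]byte, 16)
	_, err := rand.Read(key)
	return key, err
}

// Seal encrypts plaintext with AES-128-GCM. The object name is bound in as
// additional authenticated data (an assumption of this example) so a stored
// blob cannot be silently served under another name.
// Output layout: 12-byte nonce || ciphertext || 16-byte tag.
func Seal(key []byte, name string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// Open reverses Seal. A wrong key, a different name, or any modification of
// the blob fails the GCM tag check and returns an error instead of plaintext.
func Open(key []byte, name string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob shorter than nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(name))
}

// RoundTrip models use case #1: encrypt locally, upload, download, decrypt locally.
func RoundTrip(key []byte, store *CloudStore, name string, cji []byte) ([]byte, error) {
	blob, err := Seal(key, name, cji)
	if err != nil {
		return nil, err
	}
	store.Put(name, blob)
	downloaded, ok := store.Get(name)
	if !ok {
		return nil, errors.New("object not found")
	}
	return Open(key, name, downloaded)
}

func main() {
	key, err := NewAgencyKey()
	if err != nil {
		panic(err)
	}
	store := NewCloudStore()
	record := []byte("constructed sample record: not real CJI")
	got, err := RoundTrip(key, store, "backup-2016-08.tar", record)
	fmt.Println("agency decrypts its own upload:", err == nil && bytes.Equal(got, record))

	// What the provider holds, and what anyone without the agency key gets.
	blob, _ := store.Get("backup-2016-08.tar")
	fmt.Println("stored object contains plaintext:", bytes.Contains(blob, record))
	otherKey, _ := NewAgencyKey()
	_, err = Open(otherKey, "backup-2016-08.tar", blob)
	fmt.Println("decrypt without the agency key:", err)
}
```

The design point for the Policy note on line "Individuals with access to the keys can decrypt the stored files" is that RoundTrip is the only place the key is used, and the store never takes it as a parameter. Use case #2 differs only in where Open runs: if it runs inside the provider's virtual environment, the plaintext (and the key material in memory) is exposed to whoever administers that environment, which is exactly why the slide brings those administrators under personnel security controls.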
Questions?
CJIS ISO CONTACT INFORMATION
George White, FBI CJIS ISO, (304) 625-5849, george.white@ic.fbi.gov
John Chris Weatherly, FBI CJIS ISO Program Manager, (304) 625-3660, john.weatherly@ic.fbi.gov
Jeff Campbell, FBI CJIS Assistant ISO, (304) 625-4961, jeffrey.campbell@ic.fbi.gov
Steve Exley, Sr. Consultant/Technical Analyst, (304) 625-2670, stephen.exley@ic.fbi.gov
iso@ic.fbi.gov