NLETS & CLOUD SECURITY. Bill Phillips, Information Security Officer

Similar documents
Security Control Mapping of CJIS Security Policy Version 5.3 Requirements to NIST Special Publication Revision 4 4/1/2015

<Criminal Justice Agency Name> Personally Owned Device Policy. Allowed Personally Owned Device Policy

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

IBM Case Manager on Cloud

Data Security and Privacy Principles IBM Cloud Services

Juniper Vendor Security Requirements

The Common Controls Framework BY ADOBE

Security policy 8/24/2012

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Oracle Data Cloud ( ODC ) Inbound Security Policies

MAIL AUDIT QUESTIONNAIRE

Cloud Computing. Faculty of Information Systems. Duc.NHM. nhmduc.wordpress.com

Agency Responsibilities

IBM Security Intelligence on Cloud

Solution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites

SLED Certification of 3 rd Party NCIC/SCIC Applications Overview February 2, 2004

1 Data Center Requirements

IBM Case Manager on Cloud

IBM Cloud Service Description: Watson Analytics

NS2 Cloud Overview The Cloud Built for Federal Security and Export Controlled Environments. Hunter Downey, Cloud Solution Director

SECURITY & PRIVACY DOCUMENTATION

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

WHITE PAPER- Managed Services Security Practices

CTS performs nightly backups of the Church360 production databases and retains these backups for one month.

Requirements and Tiering Document FBI CJIS Security Policy Version /01/2016

Building Cloud Trust. Ioannis Stavrinides. Technical Evangelist MS Cyprus

SOARING THROUGH THE CLOUDS IT S A BREEZE

Virginia Commonwealth University School of Medicine Information Security Standard

Computerized Central Records System

Business continuity management and cyber resiliency

Securing the cloud ISACA Korea. Han Ther, Lee CISA, CISM, CISSP, CRISC, ITILF, MCSA

ADIENT VENDOR SECURITY STANDARD

SECURITY ON AWS 8/3/17. AWS Security Standards MORE. By Max Ellsberry

The simplified guide to. HIPAA compliance

ENDNOTE SECURITY OVERVIEW INCLUDING ENDNOTE DESKTOP AND ONLINE

Data Protection. Plugging the gap. Gary Comiskey 26 February 2010

AUTHORITY FOR ELECTRICITY REGULATION

MEETING ISO STANDARDS

IBM Content Manager OnDemand on Cloud

VMware EUC Product Applicability Guide for Criminal Justice Information Systems (CJIS) Security Policy 5.3

Version 1/2018. GDPR Processor Security Controls

General Data Protection Regulation

Cisco Meraki Privacy and Security Practices. List of Technical and Organizational Measures

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Afilias DNSSEC Practice Statement (DPS) Version

Florida State University Center for Transportation and Public Safety

HIPAA Technical Safeguards and (a)(7)(ii) Administrative Safeguards

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

Criminal Justice Information Services (CJIS) Security Policy

ISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045

EU Data Protection Agreement

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

TECHNICAL SECURITY QUESTIONNAIRE

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

Securing Your Cloud Introduction Presentation

QuickBooks Online Security White Paper July 2017

Cloud Security Whitepaper

"PPS" is Private Practice Software as developed and produced by Rushcliff Ltd.

Compliance & Security in Azure. April 21, 2018

Riverbed Xirrus Cloud Processes and Data Privacy June 19, 2018

Vendor Security Questionnaire

Data Security: Public Contracts and the Cloud

Completing your AWS Cloud SECURING YOUR AMAZON WEB SERVICES ENVIRONMENT

TSC Business Continuity & Disaster Recovery Session

Access to University Data Policy

Policy and Procedure: SDM Guidance for HIPAA Business Associates

Cloud Operations for Oracle Cloud Machine ORACLE WHITE PAPER MARCH 2017

SECURITY STRATEGY & POLICIES. Understanding How Swift Digital Protects Your Data

BEYOND CJIS: ENHANCED SECURITY, NOT JUST COMPLIANCE

Managed Security Services - Endpoint Managed Security on Cloud

Cloud Computing Standard 1.1 INTRODUCTION 2.1 PURPOSE. Effective Date: July 28, 2015

COMPLIANCE IN THE CLOUD

HIPAA Cloud Computing Guidance

Managed NIDS Care Services

Daxko s PCI DSS Responsibilities

RADIAN6 SECURITY, PRIVACY, AND ARCHITECTURE

HIPAA Security. 3 Security Standards: Physical Safeguards. Security Topics

How do you track devices that have been approved for use? Are you automatically alerted if an unapproved device connects to the network?

Layer Security White Paper

CLOUD FORENSICS : AN OVERVIEW. Kumiko Ogawa

What you need to know about cloud backup: your guide to cost, security, and flexibility. 8 common questions answered

Information Security Incident Response Plan

NU Cloud Terms of Service

ISO27001 Preparing your business with Snare

Compliance with NIST

Trust Services Principles and Criteria

TRACKVIA SECURITY OVERVIEW

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010

CYBER SECURITY POLICY REVISION: 12

Level 3 Certificate in Cloud Services (for the Level 3 Infrastructure Technician Apprenticeship) Cloud Services

Page 1 of 15. Applicability. Compatibility EACMS PACS. Version 5. Version 3 PCA EAP. ERC NO ERC Low Impact BES. ERC Medium Impact BES

2.4. Target Audience This document is intended to be read by technical staff involved in the procurement of externally hosted solutions for Diageo.

locuz.com SOC Services

Security Standards for Electric Market Participants

GDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd

AWS continually manages risk and undergoes recurring assessments to ensure compliance with industry standards.

Inventory and Reporting Security Q&A

AUDIT QUESTIONNAIRE. Completion of this questionnaire and all related items prior to the audit will reduce the time needed to complete your audit.

SERVICE DESCRIPTION MANAGED BACKUP & RECOVERY

Data Sharing Agreement. Between Integral Occupational Health Ltd and the Customer

Transcription:

NLETS & CLOUD SECURITY Bill Phillips, Information Security Officer

Overview Enhancing Nlets Audit Capabilities Nova Architecture Nova Security Services

Audit

Enhancing Nlets Audits Revising the existing audit process Better Communications Enhance Onboarding Enhancing Functionality Align with Emerging Standards Ensure Consistent Scrutiny

Enhancing Nlets Audits Contracted SME for Cloud Assessments Co-Development of Assessment Standards Assess Partner Cloud Deployments Lead and Follow Nova Assessment

Architecture

Policy Reference 5.10.3.2 Virtualization Virtualization refers to a methodology of dividing the resources of a computer (hardware and software) into multiple execution environments. Virtualized environments are authorized for criminal justice and noncriminal justice activities. In addition to the security controls described in this Policy, the following additional controls shall be implemented in a virtual environment: 1. Isolate the host from the virtual machine. In other words, virtual machine users cannot access host files, firmware, etc. 2. Maintain audit logs for all virtual machines and hosts and store the logs outside the hosts virtual environment. 3. Virtual Machines that are Internet facing (web servers, portal servers, etc.) shall be physically separate from Virtual Machines (VMs) that process CJI internally or be separated by a virtual firewall. 4. Drivers that serve critical functions shall be stored within the specific VM they service. In other words, do not store these drivers within the hypervisor, or host operating system, for sharing. Each VM is to be treated as an independent system secured as independently as possible.

Policy Reference 5.10.3.2 Virtualization Virtualization refers to a methodology of dividing the resources of a computer (hardware and software) into multiple execution environments. Virtualized environments are authorized for criminal justice and noncriminal justice activities. In addition to the security controls described in this Policy, the following additional controls shall be implemented in a virtual environment: 1. Isolate the host from the virtual machine. In other words, virtual machine users cannot access host files, firmware, etc. 2. Maintain audit logs for all virtual machines and hosts and store the logs outside the hosts virtual environment. 3. Virtual Machines that are Internet facing (web servers, portal servers, etc.) shall be physically separate from Virtual Machines (VMs) that process CJI internally. 4. Drivers that serve critical functions shall be stored within the specific VM they service.

Setting the Keel

Security Services

Traffic Flow Virtual Machines Virtual Network Adapter Virtual Switch Hypervisor Host Physical Network Adapter

Security Services Properties Legacy - Traffic Between Hosts Inter VM traffic Agentless Bound to the VM

Security Services Offering SPI Firewall 5.10.1.1 Layer 2 Segregation Antimalware 5.10.4.2 Intrusion Detection System 5.10.1.3 Alert Notifications Automatic Updates

Security Services Offering

Questions?

Cloud Computing and the CJIS Security Policy Nlets Implementers Workshop August 30, 2016 Stephen Exley, CISSP Senior Consultant/Technical Analyst FBI CJIS ISO Program

Cloud Computing

What is Cloud Computing? Defined by the CJIS Security Policy as: A distributed computing model that permits on demand network access to a shared pool of configurable computing resources (i.e., networks, servers, storage, applications, and services), software, and information.

What Does the Cloud Actually Look Like?

A More Realistic Cloud Diagram On-premise environment

Benefits of Cloud Computing Reduced Budgets Improved Efficiency Disaster Recovery Service Consolidation

Delineation of Responsibility/Governance

Security Concerns with Cloud Computing Privileged user access Regulatory compliance Data location Data segregation Recovery Investigative support Long term viability

Is the CJIS Security Policy (CSP) cloud friendly? Yes! The CJIS Security Policy is solution and device agnostic; not prohibitive. Independent assessment* recommended stronger controls * (assessment results available on FBI.gov) Some LEAs already using cloud services for a variety of services

Achieving CSP Compliance Will access to Criminal Justice Information (CJI) within a cloud environment fall within the category of remote access? (5.5.6 Remote Access) Will advanced authentication (AA) be required for access to CJI within a cloud environment? (5.6.2.2 Advanced Authentication, 5.6.2.2.1 Advanced Authentication Policy and Rationale) Does/do any cloud service provider s datacenter(s) used in the transmission or storage of CJI meet all the requirements of a physically secure location? (5.9.1 Physically Secure Location)

Achieving CSP Compliance (cont.) Are the encryption requirements being met? (5.10.1.2 Encryption) Who will be providing the encryption as required in the CJIS Security Policy? (client or cloud service provider) o Note: Individuals with access to the keys can decrypt the stored files and therefore have access to unencrypted CJI. Is the data encrypted while at rest and in transit? What are the cloud service provider s incident response procedures? (5.3 Policy Area 3: Incident Response) Will the cloud subscriber be notified of any incident? If CJI is compromised, what are the notification and response procedures

Achieving CSP Compliance (cont.) Is the cloud service provider a private contractor/vendor? If so, they are subject to the same screening and agreement requirements as any other private contractors hired to handle CJI (5.1.1.5 Private Contractor User Agreements and CJIS Security Addendum; 5.12.1.2 Personnel Screening for Contractors and Vendors) How will event and content logging be handled? (5.4 Policy Area 4, Auditing and Accountability) Will the cloud service provider handle events and content logging and provide that upon request? What are the cloud service provider s responsibilities with regard to media protection and destruction? (5.8 Policy Area 8: Media Protection)

Achieving CSP Compliance (cont.) Will the cloud service provider allow the CSA and FBI to conduct audits? (5.11.1 Audits by the FBI CJIS Division; 5.11.2 Audits by the CSA)

Achieving CSP Compliance (cont.) Cloud Computing and the CJIS Security Policy Section 5.10.1.5 Cloud Computing The metadata derived from CJI shall not be used by any cloud service provider for any purposes. The cloud service provider shall be prohibited from scanning any email or data files for the purpose of building analytics, data mining, advertising, or improving the services provided. Appendix G.3 Cloud Computing White Paper

Cloud Computing Encryption Use Case #1 Agency Stores CJI in a Cloud A CJA stores encrypted CJI (Backup files and drives) in a cloud. To access CJI, the agency will extract the CJI from the cloud to its local machine, and then decrypt the CJI. The CJI is processed, re encrypted, and then re uploaded to the cloud environment for storage. In this scenario, the agency always encrypts the CJI prior to placing it in the cloud and only authorized users of the agency have access to the encryption keys. Since the agency maintains the encryption keys, the cloud service provider employees would not need to undergo fingerprint based background checks, nor have security awareness training. These requirements are negated, because only authorized personnel with access to the keys have the ability to view this CJI in an unencrypted form.

Cloud Computing Encryption Use Case #2 Agency Access CJI While in a Cloud A CJA stores CJI (files and drives) in a cloud service provider s environment, but as part of daily operations authorized users will remotely access the encrypted CJI in the cloud. The user will decrypt the CJI while it is in the cloud s virtual environment, process the data, and then re encrypt the data prior to ending the remote session. The agency maintains the keys and the cloud service provider does not have access to the encryption keys. However, since the CJI is decrypted within the cloud s virtual environment, any administrative personnel employed by the cloud provider having the ability to access the virtual environment must be identified and subjected to security awareness training and personnel security controls as described in the CJIS Security Policy.

Cloud Computing Encryption Use Case #3 CJI Impact from a Datacenter Critical Systems Crash Core Dump Recovery A CJA utilizes a cloud service provider (IaaS or PaaS) to store CJI and remotely accesses the environment to process CJI. During normal operation, the cloud provider experiences systems outages within the datacenter in which CJI is processed and stored. The cloud provider s administrators need to repair the systems and restore service using data from a core dump to return to normal operations. The cloud service provider as part of the Service Level Agreement (SLA) with the CJA has been authorized to maintain the encryption keys in order respond to such an event.

Cloud Computing Encryption Use Case #3 (cont.) CJI Impact from a Datacenter Critical Systems Crash Core Dump Recovery The cloud administrators with such access have underwent fingerprintbased background checks and security awareness training. This allows the cloud administrators to decrypt CJI so that it is written to the core dump files for restoration following the system outage. CJI, however, is encrypted at all times except when part of the core dump files. As part of the SLA, the cloud service provider has agreed to treat the core dump files as CJI to ensure all protection are in place in compliance with the CJIS Security Policy.

Cloud Computing Email FAQ Question: Our city has recently been considering moving to cloud based email service covering all city departments and agencies, to include the local police department. Our question is: Are we allowed to send criminal justice information (CJI) through email? Answer: You can send e mail containing Criminal Justice Information (CJI) as long as it remains within your physically secure environment (as described in the Policy), you send the e mail along an encrypted path (FIPS 140 2 certified, 128 bit) to the recipient, or you encrypt (FIPS 140 2 certified, 128 bit) the payload of an e mail.

Questions?

CJIS ISO CONTACT INFORMATION George White FBI CJIS ISO (304) 625 5849 george.white@ic.fbi.gov John Chris Weatherly FBI CJIS ISO Program Manager (304) 625 3660 john.weatherly@ic.fbi.gov Jeff Campbell FBI CJIS Assistant ISO (304) 625 4961 jeffrey.campbell@ic.fbi.gov Steve Exley Sr. Consultant/Technical Analyst (304) 625 2670 stephen.exley@ic.fbi.gov iso@ic.fbi.gov

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback