NLETS & CLOUD SECURITY
Bill Phillips, Information Security Officer
Overview
■ Enhancing Nlets Audit Capabilities
■ Nova Architecture
■ Nova Security Services
Audit
Enhancing Nlets Audits
■ Revising the existing audit process
– Better Communications
– Enhance Onboarding
– Enhancing Functionality
– Align with Emerging Standards
– Ensure Consistent Scrutiny
Enhancing Nlets Audits
■ Contracted SME for Cloud Assessments
– Co-Development of Assessment Standards
– Assess Partner Cloud Deployments
– Lead and Follow
– Nova Assessment
Architecture
Policy Reference
5.10.3.2 Virtualization
Virtualization refers to a methodology of dividing the resources of a computer (hardware and software) into multiple execution environments. Virtualized environments are authorized for criminal justice and noncriminal justice activities. In addition to the security controls described in this Policy, the following additional controls shall be implemented in a virtual environment:
■ 1. Isolate the host from the virtual machine. In other words, virtual machine users cannot access host files, firmware, etc.
■ 2. Maintain audit logs for all virtual machines and hosts and store the logs outside the hosts’ virtual environment.
■ 3. Virtual Machines that are Internet facing (web servers, portal servers, etc.) shall be physically separate from Virtual Machines (VMs) that process CJI internally or be separated by a virtual firewall.
■ 4. Drivers that serve critical functions shall be stored within the specific VM they service. In other words, do not store these drivers within the hypervisor, or host operating system, for sharing. Each VM is to be treated as an independent system – secured as independently as possible.
Policy Reference
5.10.3.2 Virtualization
Virtualization refers to a methodology of dividing the resources of a computer (hardware and software) into multiple execution environments. Virtualized environments are authorized for criminal justice and noncriminal justice activities. In addition to the security controls described in this Policy, the following additional controls shall be implemented in a virtual environment:
■ 1. Isolate the host from the virtual machine. In other words, virtual machine users cannot access host files, firmware, etc.
■ 2. Maintain audit logs for all virtual machines and hosts and store the logs outside the hosts’ virtual environment.
■ 3. Virtual Machines that are Internet facing (web servers, portal servers, etc.) shall be physically separate from Virtual Machines (VMs) that process CJI internally.
■ 4. Drivers that serve critical functions shall be stored within the specific VM they service.
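An added example (not from the presentation or from Nlets) of how controls 2 and 3 above could be checked against a hypervisor inventory, following the first slide's wording that allows separation by a virtual firewall. The inventory layout, the field names (`log_store`, `fw_zone` and the rest) and the sample hosts are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample inventory; every field name here is hypothetical.
HOSTS = {
    "hv-01": {"log_store": "siem-ext"},
    "hv-02": {"log_store": "hv-02"},  # host keeps its own audit logs
}
VMS = [
    {"name": "portal", "host": "hv-01", "internet_facing": True,
     "processes_cji": False, "fw_zone": "dmz", "log_store": "siem-ext"},
    {"name": "cji-db", "host": "hv-01", "internet_facing": False,
     "processes_cji": True, "fw_zone": "cji", "log_store": "siem-ext"},
    {"name": "web", "host": "hv-02", "internet_facing": True,
     "processes_cji": False, "fw_zone": None, "log_store": "siem-ext"},
    {"name": "cji-app", "host": "hv-02", "internet_facing": False,
     "processes_cji": True, "fw_zone": None, "log_store": "cji-app"},
]


def separated(a, b):
    """True when a virtual firewall sits between two VMs on the same host."""
    return bool(a["fw_zone"]) and bool(b["fw_zone"]) and a["fw_zone"] != b["fw_zone"]


def audit(hosts, vms):
    """Return sorted (control, subject, reason) findings for controls 2 and 3."""
    findings = []
    inside = set(hosts) | {vm["name"] for vm in vms}  # the virtual environment
    # Control 2: each host and VM must log to a store outside that environment.
    for name, rec in list(hosts.items()) + [(vm["name"], vm) for vm in vms]:
        store = rec.get("log_store")
        if not store:
            findings.append(("2", name, "no audit log store configured"))
        elif store in inside:
            findings.append(("2", name, f"audit logs kept on {store}"))
    # Control 3: Internet-facing and CJI VMs sharing a host need a virtual firewall.
    by_host = defaultdict(list)
    for vm in vms:
        by_host[vm["host"]].append(vm)
    for host, group in by_host.items():
        for front in (v for v in group if v["internet_facing"]):
            for back in (v for v in group if v["processes_cji"] and v is not front):
                if not separated(front, back):
                    findings.append(("3", f"{front['name']}/{back['name']}",
                                     f"share {host} with no virtual firewall"))
    return sorted(findings)


if __name__ == "__main__":
    for control, subject, reason in audit(HOSTS, VMS):
        print(f"5.10.3.2 control {control}: {subject}: {reason}")
```

VMs on different hosts are treated as physically separate, so only co-resident pairs are tested for a firewall boundary.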
Setting the Keel
Security Services
Traffic Flow
[Diagram labels: Virtual Machines, Virtual Network Adapter, Virtual Switch, Hypervisor Host, Physical Network Adapter]
Security Services Properties
■ Legacy - Traffic Between Hosts
■ Inter VM traffic
■ Agentless
■ Bound to the VM
Security Services Offering
■ SPI Firewall (5.10.1.1)
■ Layer 2 Segregation
■ Antimalware (5.10.4.2)
■ Intrusion Detection System (5.10.1.3)
■ Alert Notifications
■ Automatic Updates
Questions?
Stephen Exley, CISSP
Senior Consultant/Technical Analyst
FBI CJIS ISO Program
Cloud Computing and the CJIS Security Policy
Nlets Implementers Workshop
August 30, 2016
CLOUD COMPUTING
Cloud Computing
What is Cloud Computing?
• Defined by the CJIS Security Policy as:
A distributed computing model that permits on‐demand network access to a shared pool of configurable computing resources (i.e., networks, servers, storage, applications, and services), software, and information.
What Does the Cloud Actually Look Like?
A More Realistic Cloud Diagram
On-premise environment
Benefits of Cloud Computing
• Reduced Budgets
• Improved Efficiency
• Disaster Recovery
• Service Consolidation
Delineation of Responsibility/Governance
Security Concerns with Cloud Computing
• Privileged user access
• Regulatory compliance
• Data location
• Data segregation
• Recovery
• Investigative support
• Long‐term viability
Is the CJIS Security Policy (CSP) “cloud friendly”?
• Yes! The CJIS Security Policy is solution and device agnostic; not prohibitive.
• Independent assessment* recommended stronger controls* (assessment results available on FBI.gov)
• Some LEAs already using cloud services for a variety of services
Achieving CSP Compliance
• Will access to Criminal Justice Information (CJI) within a cloud environment fall within the category of remote access? (5.5.6 Remote Access)
• Will advanced authentication (AA) be required for access to CJI within a cloud environment? (5.6.2.2 Advanced Authentication, 5.6.2.2.1 Advanced Authentication Policy and Rationale)
• Does/do any cloud service provider’s datacenter(s) used in the transmission or storage of CJI meet all the requirements of a physically secure location? (5.9.1 Physically Secure Location)
Achieving CSP Compliance (cont.)
• Are the encryption requirements being met? (5.10.1.2 Encryption)
  • Who will be providing the encryption as required in the CJIS Security Policy? (client or cloud service provider)
    o Note: Individuals with access to the keys can decrypt the stored files and therefore have access to unencrypted CJI.
  • Is the data encrypted while at rest and in transit?
• What are the cloud service provider’s incident response procedures? (5.3 Policy Area 3: Incident Response)
  • Will the cloud subscriber be notified of any incident?
  • If CJI is compromised, what are the notification and response procedures?
Achieving CSP Compliance (cont.)
• Is the cloud service provider a private contractor/vendor?
  • If so, they are subject to the same screening and agreement requirements as any other private contractors hired to handle CJI (5.1.1.5 Private Contractor User Agreements and CJIS Security Addendum; 5.12.1.2 Personnel Screening for Contractors and Vendors)
• How will event and content logging be handled? (5.4 Policy Area 4, Auditing and Accountability)
  • Will the cloud service provider handle events and content logging and provide that upon request?
• What are the cloud service provider’s responsibilities with regard to media protection and destruction? (5.8 Policy Area 8: Media Protection)
Achieving CSP Compliance (cont.)
• Will the cloud service provider allow the CSA and FBI to conduct audits? (5.11.1 Audits by the FBI CJIS Division; 5.11.2 Audits by the CSA)
Achieving CSP Compliance (cont.)
Cloud Computing and the CJIS Security Policy
• Section 5.10.1.5 Cloud Computing
The metadata derived from CJI shall not be used by any cloud service provider for any purposes.
The cloud service provider shall be prohibited from scanning any email or data files for the purpose of building analytics, data mining, advertising, or improving the services provided.
• Appendix G.3 Cloud Computing White Paper
Cloud Computing Encryption Use Case #1
Agency Stores CJI in a Cloud
• A CJA stores encrypted CJI (Backup files and drives) in a cloud.
• To access CJI, the agency will extract the CJI from the cloud to its local machine, and then decrypt the CJI. The CJI is processed, re‐encrypted, and then re‐uploaded to the cloud environment for storage.
• In this scenario, the agency always encrypts the CJI prior to placing it in the cloud and only authorized users of the agency have access to the encryption keys.
Since the agency maintains the encryption keys, the cloud service provider employees would not need to undergo fingerprint‐based background checks, nor have security awareness training. These requirements are negated, because only authorized personnel with access to the keys have the ability to view this CJI in an unencrypted form.
Cloud Computing Encryption Use Case #2
Agency Access CJI While in a Cloud
• A CJA stores CJI (files and drives) in a cloud service provider’s environment, but as part of daily operations authorized users will remotely access the encrypted CJI in the cloud.
• The user will decrypt the CJI while it is in the cloud’s virtual environment, process the data, and then re‐encrypt the data prior to ending the remote session.
The agency maintains the keys and the cloud service provider does not have access to the encryption keys. However, since the CJI is decrypted within the cloud’s virtual environment, any administrative personnel employed by the cloud provider having the ability to access the virtual environment must be identified and subjected to security awareness training and personnel security controls as described in the CJIS Security Policy.
Cloud Computing Encryption Use Case #3
CJI Impact from a Datacenter Critical Systems Crash – Core Dump Recovery
• A CJA utilizes a cloud service provider (IaaS or PaaS) to store CJI and remotely accesses the environment to process CJI.
• During normal operation, the cloud provider experiences systems outages within the datacenter in which CJI is processed and stored.
• The cloud provider’s administrators need to repair the systems and restore service using data from a core dump to return to normal operations.
• The cloud service provider as part of the Service Level Agreement (SLA) with the CJA has been authorized to maintain the encryption keys in order to respond to such an event.
Cloud Computing Encryption Use Case #3 (cont.)
CJI Impact from a Datacenter Critical Systems Crash – Core Dump Recovery
The cloud administrators with such access have undergone fingerprint‐based background checks and security awareness training. This allows the cloud administrators to decrypt CJI so that it is written to the core dump files for restoration following the system outage. CJI, however, is encrypted at all times except when part of the core dump files. As part of the SLA, the cloud service provider has agreed to treat the core dump files as CJI to ensure all protections are in place in compliance with the CJIS Security Policy.
Cloud Computing Email FAQ
Question: Our city has recently been considering moving to cloud‐based email service covering all city departments and agencies, to include the local police department. Our question is: Are we allowed to send criminal justice information (CJI) through email?
Answer: You can send e‐mail containing Criminal Justice Information (CJI) as long as it remains within your physically secure environment (as described in the Policy), you send the e‐mail along an encrypted path (FIPS 140‐2 certified, 128 bit) to the recipient, or you encrypt (FIPS 140‐2 certified, 128 bit) the payload of an e‐mail.
Questions?
Jeff Campbell, FBI CJIS Assistant ISO
Steve Exley, Sr. Consultant/Technical Analyst
John “Chris” Weatherly, FBI CJIS ISO Program Manager
George White, FBI CJIS ISO
(304) 625 ‐ [email protected]
(304) 625 ‐ [email protected]
(304) 625 ‐ [email protected]
(304) 625 ‐ [email protected]
CJIS ISO CONTACT INFORMATION