Organizations are spending millions of dollars to armor themselves against vicious and debilitating cyberattacks that are unrelenting and potent. The fear of digital disruption is pervasive and driving a frenetic search for “silver bullets” including hiring CISO’s, buying lots of cybersecurity tools and contracting an army of consultants. But now what? Is the current security posture good enough? Are there any benchmarks and reliable guideposts?
CIO’s and CISO’s especially in regulated industries with high-value data should consider leveraging the pioneering work done by the US Federal Government and Department of Defense protecting a global enterprise with a $80 Billion annual IT budget and loads of super sensitive data. The US Government with its vast resources and cyber intelligence has developed several security frameworks to protect Government and Defense agencies. These frameworks include Secure Cloud Computing Architecture (SCCA), Cyber Threat Framework (CTF), Federal Risk & Authorization Management Program (FedRAMP) and Continuous Diagnostics & Mitigation (CDM). Each of these frameworks are described in greater detail below and should be in the toolkit of every CIO and CISO tasked with protecting sensitive data.
1. Secure Cloud Computing Architecture (SCCA)
The rapid consumption of commercial cloud services like Amazon Web Services (AWS), Microsoft Azure, Salesforce.com and Microsoft Office365 amongst others by government agencies prompted the Defense Information Systems Agency (DISA) to create the Secure Cloud Computing Architecture (SCCA) framework. SCCA is designed to cover security concerns inherent in infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), and software-as-a-service (SaaS) cloud services. SCCA consists of four key enterprise-level cloud security and management services. The framework uses a standard approach for boundary and application level security for sensitive (but not classified) data hosted in commercial cloud environments. Each of these four enterprise services are described in greater detail below.
- Cloud Access Point (CAP). CAP provides access to the cloud and protects the enterprise network from the cloud by streamlining protections focused on protecting the network boundary. CAP serves two major functions: a) provide dedicated connectivity to approved commercial cloud providers, and b) protect the corporate network from any attack that originates from the cloud environment. There are two categories of solutions – either single cloud access using AWS DirectConnect for access to AWS or multi-cloud access hubs like AT&T NetBond or Equinix Cloud Exchange amongst others. It is critical to ensure that the chosen CAP provides integrated network security and access services meet specific compliance certifications such as FedRAMP, SOC2 or HIPAA as applicable.
- Virtual Data Center Managed Services (VDMS). VDMS provides application host security for privileged user access in commercial cloud environments. Management, security, and privileged user access are all handled within VDMS. This includes Host-Based Security System and Assured Compliance Assessment services including the ability to deliver security policies, push upgrades, and manage roles and security policies. Trend Micro Deep Security is an example of a commercial solution offering host-based protection services amongst many others.
- Virtual Data Center Security Stack (VDSS). VDSS provides a virtual network enclave security to protect applications and data in commercial cloud offerings. It includes two core services: Web Application Firewall (WAF) and Next Generation Firewall to detect and prevent threats facing web applications and workloads. There are several readily available solutions including cloud-native services like AWS Web Application Firewall (WAF) or third-party providers like Palo Alto Networks amongst others.
- Trusted Cloud Credential Manager (TCCM). TCCM is the cloud credential manager to enforce role-based access control (RBAC) and least privileged access. It includes processes and procedures to control and monitor privileged user access for cloud environments. Specific capabilities include privileged password management and control, SSH Key security and management, session management to control and monitor privileged user access to cloud services and bastion host services for access into all management and security services.
Given the rapid proliferation of commercial cloud services like AWS, Salesforce, ServiceNow and Microsoft O365 amongst others, organizations should tailor SCCA to develop a secure cloud architecture.
2. Cyber Threat Framework (CTF)
The lack of threat intelligence and understanding of profiles, vectors and adversary tactics are critical weaknesses that most organizations continue to have based on multiple reports and surveys. The Executive Office of the President recently published the “Federal Cybersecurity Risk Determination Report and Action Plan to the President of the United States” report with findings and recommendations based on an analysis of the cybersecurity posture of 96 civilian agencies. The report highlights critical gaps in the ability to identify, detect, respond, and if necessary, recover from cyber incidents. The report found that in 38% of reported cybersecurity incidents, the organization could not identify the attack vector or the method of attack. This is a critical information gap that hinders the ability to formulate a robust and effective cybersecurity response. The report calls out and recommends organizations complement their existing cybersecurity and compliance efforts by increasing cybersecurity threat awareness by implementing the Cyber Threat Framework (CTF). CTF was developed by the Defense and Intelligence community to help CISO’s prepare, prevent and predict a cybersecurity attack by understanding threat vectors, adversary actions and threat profiles.
CTF provides indicators, actions, objectives and stages of cyber threats with detailed phases across the lifecycle. CTF begins with threat actors’ actions starting with “pre-event” activities including staging, reconnaissance and weaponization followed by subsequent exploitation and installation activities. CTF is being rolled out across the US Federal Enterprise as a collaborative exercise with the NSA, DOD and Department of Homeland Security (DHS) as partners. By reviewing and implementing a tailored version of CTF, CISO’s can get ahead by crafting a responsive cybersecurity posture that is threat-based. A threat-based cybersecurity response increases the effectiveness of cybersecurity spending with greater ROI.
3. Federal Risk and Authorization Management Program (FedRAMP)
FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. Any government agency that consumes a commercial cloud service, must ensure that it has a FedRAMP accreditation. The FedRAMP program is based on the NIST SP 800-53 security framework for ensuring the confidentiality, integrity and availability of digital assets. CIO’s and CISO’s should take a serious look at the FedRAMP program from two perspectives 1) as a consumer and 2) as a holistic compliance and security framework. Cloud service providers interested in tapping into the $80 billion US Federal and DOD IT market must invest in demonstrating compliance with strict security requirements as specified in the NIST SP 800-53 guidance. To understand the value of the FedRAMP accreditation a simple example is assurance related to the patching schedule. If a cloud vendor is accredited by FedRAMP they are mandated to patch their systems at least every month and demonstrate completion of such activities through control reports. However, in the absence of FedRAMP accreditation, you don’t really know what patching and management practices are used by the cloud vendor. CISO’s and CIO’s should consider verifying whether the cloud vendor is FedRAMP accredited.
The FedRAMP framework is based on NIST SP 800-53, which is a great resource for organizations looking to implement a holistic security solution. NIST SP 800-53 is organized around 18 security categories called security control families including Access Control, Planning, Program Management and Incident Response just to name a few. Admittedly, there are several security frameworks to choose from but NIST SP 800-53 is one of the most mature and holistic frameworks used across the US Federal and Department of Defense IT enterprise and provides a comprehensive blueprint with specific guidance. The framework can be tailored to meet specific security and compliance requirements as well as rolled out iteratively.
4. Continuous Diagnostics and Mitigation (CDM)
Given the dynamic nature of the IT environments due to cloud computing, devops and rapid evolution of cyber threats, the CDM program is designed to fortify the cybersecurity of government networks and systems. CDM provides capabilities and tools to identify cybersecurity risks on an ongoing basis, prioritize these risks based on potential impacts, and enable cybersecurity personnel to mitigate the most significant problems first. Congress established the CDM program to provide adequate, risk-based, and cost-effective cybersecurity and more efficiently allocate cybersecurity resources. Implementing a strong continuous monitoring and management program begins with phased approach that ensures that the organization is equipped with the following capabilities:
- What is on the network: Identifies the existence of hardware, software, configuration characteristics and known security vulnerabilities.
- Who is on the network: Identifies and determines the users or systems with access authorization, authenticated permissions and granted resource rights.
- How is the network protected: Determines the user/system actions and behavior at the network boundaries and within the computing infrastructure.
- What is happening on the network: Prepares for events/incidents, gathers data from appropriate sources; and identifies incidents through analysis of data.
By understanding the CDM framework, associated phases, and tools approved for use to meet the capabilities defined above, CISO’s can save valuable time and begin to invest in capabilities that are based on proven and effective tools and techniques.