Using Cisco’s VMDC to Facilitate FISMA Compliance
July 23, 2014
Jason P. Broz
Synopsis
This whitepaper discusses how Cisco’s Virtualized Multiservice Data Center (VMDC) validated architecture
can facilitate compliance with the Federal Information Security Management Act (FISMA) (NIST 800-53
Revision 4 moderate control set).
Table of Contents
Introduction
  VMDC
  SecureState
Who Needs to be FISMA Compliant?
What are the Current Challenges?
FISMA Control Areas
How VMDC Can Help
  Access Control (AC)
  Audit and Accountability (AU)
  Security Assessment and Authorization (CA)
  Configuration Management (CM)
  Identification and Authentication (IA)
  Media Protection (MP)
  Personnel Security (PS)
  Risk Assessment (RA)
  System and Services Acquisition (SA)
  System and Communications Protection (SC)
  System and Information Integrity (SI)
Achieving FISMA Compliance
Introduction
Cisco’s Virtualized Multiservice Data Center (VMDC) is a scalable network topology that service providers and large
organizations can implement in order to provide a secure multi-tenant solution to their clients. The architecture that
VMDC utilizes greatly assists service providers in creating a network which meets the various security needs of clients.
In order to evaluate the ability of Cisco’s VMDC network topology to facilitate Federal Information Security Management
Act (FISMA) compliance on behalf of the clients that implement this blueprint, Cisco requested SecureState analyze the
VMDC topology against the NIST 800-53 Revision 4 control set. Previously, SecureState evaluated earlier versions of the
VMDC topology against NIST 800-53 Revision 3. Cisco’s VMDC architecture provides a number of controls which can be implemented in order to help fulfill a particular component of the overall control.
VMDC
The Cisco VMDC is a tested and validated reference architecture for the Cisco Unified Data Center. It provides a set of
guidelines and best practices for the creation and deployment of a scalable, secure, and resilient infrastructure in the
data center. The Cisco VMDC architecture demonstrates how to bring together the latest Cisco routing and switching
technologies, network services, data center and cloud security, automation, and integrated solutions with those of
Cisco's ecosystem of partners to develop a trusted approach to data center transformation. Specific benefits include:
- Demonstrated solutions to critical technology-related problems in evolving IT infrastructure: Provides support for cloud
  computing, applications, desktop virtualization, consolidation and virtualization, and business continuance
- Reduced time to deployment: Provides best-practice recommendations based on a fully tested and validated
  architecture, helping enable technology adoption and rapid deployment
- Reduced risk: Enables enterprises and service providers to deploy new architectures and technologies with confidence
- Increased flexibility: Enables rapid, on-demand, workload deployment in a multitenant environment using a
  comprehensive automation framework with portal-based resource provisioning and management capabilities
- Improved operating efficiency: Integrates automation with a multitenant pool of computing, networking, and storage
  resources to improve asset use, reduce operation overhead, and mitigate operation configuration errors
The Cisco VMDC architecture, consisting of the Cisco Unified Data Center and Cisco Data Center Interconnect (DCI)
together with other architectural components such as infrastructure abstraction, orchestration and automation,
assurance, and integrated services and applications, as shown below, provides comprehensive guidelines for deployment
of cloud infrastructure and services at multiple levels.
SecureState
SecureState is a management consulting company specializing in information security and compliance services. We
believe in a different approach to security which guides our clients as partners, from their CurrentState (CS) to their
DesiredState (DS) and ultimately their SecureState. As shown in the graph below, SecureState begins working with
clients at the CS, performing assessments to understand the security posture of the organization as it is constructed
today. Once SecureState identifies the CS, we then construct tactical and strategic methods to move from the CS to the
DS and ultimately a managed SecureState (SS).
SecureState provides services to public and private organizations that operate within the Governmental Sector, assisting
organizations in identifying their CurrentState of FISMA compliance. SecureState then provides a roadmap and assistance
as desired with tactical and strategic items to help them achieve their DesiredState and SecureState. Types of
assistance include validation of NIST 800-53 controls, secure system configuration, and policy development and strategic
security solutions that align with operational goals.
SecureState’s team of resources is consistently looked upon as thought leaders in information security, presenting at
conferences such as InfoSec World, DefCon, BlackHat, and SecureWorld Expo. The team is also sought after by
journalists for publications such as SC Magazine, InformationWeek, and Federal CIO Magazine.
Who Needs to be FISMA Compliant?
All federal agencies and contracted private entities who support operations such as providing protection, administration
or maintenance of federal assets as they pertain to information systems security are required to comply with FISMA.
Requirements vary based on the categorization level of the asset as defined in Federal Information Processing Standard
(FIPS 199). The goal is to provide a holistic, risk based information security program, including implementation of
administrative and technical components to support the program.
What are the Current Challenges?
1. Agency Size. Based on Government Accountability Office (GAO) report 14-344, released June 2014, agency size
plays a role in achieving FISMA compliance. While some controls found not to be in place are administrative,
a failure to assess risk or implement policies and procedures leaves no structure in which to implement
technical safeguards. As depicted in the graph below, which is included in GAO report 14-344 with data supplied
by US-CERT, incidents such as unauthorized access and active or passive reconnaissance are steadily increasing.
2. Access Controls/Authentication Management. As evidenced in the graph provided in the GAO report above,
many organizations are struggling with unauthorized access. Through the use of Active Directory (AD), Windows
domain accounts are easily managed. Accounts for devices that provide network infrastructure, Linux
and/or Unix system accounts, or local machine administrator accounts can still remain a challenge (e.g.,
password length and/or complexity, password history, session timeouts, device lockout). Application
of consistent security controls becomes time consuming and unmanageable.
3. Device Hardening. All systems and applications are required to be securely configured as defined in
configuration management (CM) control area of FISMA. Common systems that must be securely configured
include databases (Oracle, MS-SQL, MySQL, etc.), servers (Windows 2003, Windows 2008, Red Hat, etc.), web
servers (IIS, Apache, WebLogic, etc.), and network infrastructure (firewalls, routers, switches, etc.). If there are
not standard operating procedures in place or baseline configurations implemented, standard hardening
practices can become inconsistent.
4. Monitoring and Log Aggregation. Log aggregation is easily achieved with Windows devices; however,
aggregating all outlying devices such as network components can be a challenge. This requires additional
resources to implement appropriate log controls and anomaly reporting from such devices.
FISMA Control Areas
FISMA consists of seventeen control areas that must be applied dependent upon categorization of device:
1. Access Control (AC) - Assesses processes as they pertain to account management including role based access, least privilege, remote access, privileged accounts and revocation processes, including wireless network and mobile device access.
2. Awareness and Training (AT) - Assesses process, frequency and methods as they pertain to security awareness and training. Additionally, controls as they pertain to role based training (e.g., developers) and training verification and tracking are also assessed.
3. Audit and Accountability (AU) - Assesses administrative and technical controls around logging access and events, audit log storage capacity, log review and reporting and protection of audit trails from modification. Non-repudiation, log generation and log retention are also included.
4. Security Assessment and Authorization (CA) - Assesses testing of security defenses as implemented (e.g., penetration testing). Additionally, system interconnections, segmentation, continuous monitoring, and authorization are addressed, as are remediation plans for vulnerabilities.
5. Configuration Management (CM) - Assesses processes as they pertain to system hardening standards, including authoritative and supporting documentation pertaining to configuration management. Change control methods and mechanisms and asset inventory are also addressed.
6. Contingency Planning (CP) - Assesses processes regarding planning efforts in case of a natural disaster, continuity of operations and recovery efforts. Training, testing, after action reviews, and plan improvement are also assessed.
7. Identification and Authentication (IA) - Assesses organizational processes as they pertain to the management of user and component identity and proper authorization for access and authentication.
8. Incident Response (IR) - Assesses processes and procedures as they pertain to incident response methods and mechanisms involving information system components and data, including training of individuals, testing and continual improvement of the plan.
9. Maintenance (MA) - Assesses management of system maintenance activities and documentation. Additionally, tools, remote vendor access, and maintenance personnel management are included.
10. Media Protection (MP) - Assesses protection mechanisms and management processes as they pertain to physical and electronic media throughout their lifecycle. Areas such as proper chain of custody and inventory management are also assessed.
11. Physical and Environmental Protection (PE) - Assesses physical controls and access management processes as they pertain to system components. Areas such as monitoring and visitor management, emergency procedures and management of the environment (e.g., temperature, humidity and damage protection) are included.
12. Planning (PL) - Assesses administrative processes regarding items such as security plans and codes of conduct, as they pertain to security and privacy.
13. Personnel Security (PS) - Assesses management processes as they pertain to individuals with access to information systems. Items assessed include validity of qualifications, criminal history and termination/transfer processes, third-party access management and sanctions.
14. Risk Assessment (RA) - Assesses the risk management processes within the agency or organization including categorization rationale, risk assessment reporting and vulnerability management.
15. System and Services Acquisition (SA) - Assesses the management of the acquisition process. Additionally, Systems Development Lifecycle (SDLC), supply chain management and analysis are included.
16. System and Communications Protection (SC) - Assesses data in transit methods to ensure confidentiality and integrity. Key management, shared resources, operational security, and availability are included.
17. System and Information Integrity (SI) - Assesses data integrity management. Processes such as code flaw remediation, malicious code protection, third party security alerts, functionality testing and input validation are included.
How VMDC Can Help
While FISMA is a holistic governance model addressing administrative and technical controls, VMDC can be utilized to
facilitate compliance in several control areas. Keeping in mind that control families contain both administrative and technical
controls, VMDC facilitates a total of eighty-six (86) controls, with the balance being administrative controls that would
need to be implemented by the agency or organization. The four control areas not addressed (Awareness and Training,
Maintenance, Physical and Environmental Protection, and Planning) are the responsibility of the organization to
implement, as they are process driven.
Access Control (AC)
Cisco’s Access Control Server (ACS) provides capability to integrate with RADIUS/TACACS or LDAP servers such as Active
Directory (AD) providing strong access controls for data store devices and network components within the VMDC
solution. While performing the review of the VMDC network architecture, SecureState verified that ACS is capable of
integrating each of the core pieces of network infrastructure into AD. Roles can be configured in ACS, which limit the
types of commands a particular account can run on a particular device. Furthermore, roles can be created which grant
access to only a subset of network devices in the network. The VMDC solution facilitates nineteen (19) applicable
controls, with the balance being the responsibility of the organization.
Audit and Accountability (AU)
Introduction of Splunk into the VMDC solution provides an agency or organization with the ability to aggregate logging
into a powerful Security Information and Event Management (SIEM). Splunk facilitates many of the attributes required
for compliance (e.g., date/time stamp, source, user identity). Additionally, VMDC allows organizations to not only input
Windows logs, but also logs from network components in order to continuously monitor all systems. Anomaly alerting
can also be configured to report from one central source. Lancope StealthWatch provides additional audit information
from a network monitoring perspective. Sourcefire provides intrusion detection, adding
another layer of security and providing early detection of irregularities. VMDC facilitates ten (10) applicable controls
required for FISMA compliance in this control area.
Security Assessment and Authorization (CA)
Incorporating Sourcefire, Splunk, and Lancope StealthWatch into the overall VMDC solution facilitates continuous
monitoring requirements from a systems and network infrastructure perspective. VMDC provides robust network
infrastructure which can be used in order to segment operational areas from areas containing confidential data thereby
maintaining confidentiality of information. These technologies include ACLs, VLANs, and virtual firewalls. VMDC
facilitates two (2) applicable controls, with the balance being the responsibility of the organization.
Configuration Management (CM)
The BMC configuration tool can be incorporated into the VMDC architecture to streamline configuration management.
This powerful tool drives efficiency as hardening baselines can be implemented using this tool. Additionally, features of
the BMC tool facilitate synchronization of devices and provide the ability to update or roll back configurations as
needed. Use of Cisco’s ASA firewalls gives organizations the ability to implement restrictions as needed to meet
operational requirements while still maintaining a secure posture. Cisco has developed configuration guides for each
component which can be used to apply specific controls. SecureState reviewed each device in order to verify
that they could be hardened in such a way as to meet FISMA compliance requirements. The VMDC solution facilitates
seven (7) applicable controls, with the balance being the responsibility of the organization.
Contingency Planning (CP)
VMDC cannot directly meet FISMA controls pertaining to contingency planning as these are administrative in nature. The
VMDC solution can provide agencies or organizations with the ability to implement a Disaster Recovery site
maintained in an off-site facility at a Cisco or other data center of their choice.
Identification and Authentication (IA)
As with the AC control area, Cisco’s Access Control Server can be integrated with RADIUS/TACACS or LDAP servers such
as Active Directory (AD) to facilitate authentication controls, applying them to both systems and network components
within the VMDC solution, driving efficiency and reducing the amount of time required for administrative tasks.
Additionally, the capability to incorporate two-factor authentication as required by FISMA is available. The VMDC solution
facilitates thirteen (13) applicable controls, with the balance being the responsibility of the organization.
Incident Response (IR)
Anomaly Reporting provided by Splunk, Sourcefire, and Lancope StealthWatch can be used to detect incidents and force
activation of the Incident Response Plan in the early stages of the incident. This can save time and resources and limit the
severity of the incident. Additionally, if alerts are acted upon early enough, data confidentiality and integrity can potentially
be maintained and system downtime can potentially be minimized.
Media Protection (MP)
Cisco can provide disk level encryption as an added service incorporated into the VMDC architecture as a way to provide
data confidentiality when stored on electronic media. One (1) applicable FISMA control can be facilitated using the
VMDC solution.
Personnel Security (PS)
Splunk can provide logical access control review as a part of the VMDC solution. This would facilitate one (1) applicable
control required for FISMA compliance.
Risk Assessment (RA)
The use of Cisco’s ACS integrated into RADIUS/TACACS or LDAP servers facilitates role based access and elevated
privileges as they pertain to this control area. The VMDC solution facilitates one (1) applicable control in this control
area.
System and Services Acquisition (SA)
This control area covers many process and administrative controls as they pertain to the management of the Systems
Development Lifecycle (SDLC). While VMDC can only facilitate one (1) applicable control in this control area, secure areas
can be configured to logically separate environments (e.g., development, test, sandbox, production), and through use of
Cisco’s ACS, separation of duties can be facilitated, providing technical support for administrative controls.
System and Communications Protection (SC)
Integration of Lancope StealthWatch network monitoring can provide early detection of potential denial of service
attacks and send alerts to resources in order to preserve system availability. Information leakage can be minimized
through VMDC’s solution of VLANs and virtual firewalls to logically segment business units into separate containers. ASA
firewalls, routers and switches provide defense against external leakage in conjunction with the BMC configuration tool,
which can be used to properly configure all components securely. Sourcefire Intrusion Prevention provides an added
layer of defense alerting on suspicious activity within the internal network. Disk level encryption is available as an
additional service, which would further facilitate controls in this control family. Data in transit is also secured through
the use of the VMDC solution and the ability to provide secure communication channels (e.g., SSL, SSH) and support the
use of key certificates.
Cisco’s ACS provides strong access controls and use of virtual firewalls and VLANs for segmentation provides several
layers of protection for data at rest. The VMDC facilitates seventeen (17) applicable controls in this control area.
System and Information Integrity (SI)
Through the integration of Splunk SIEM, Sourcefire IPS, and the Lancope StealthWatch network performance tool into the
overall VMDC solution, agencies and organizations are provided with the ability to monitor activities from several
different perspectives, providing a more complete view into network events and performance. This provides the ability to
adjust fire as needed and continually improve, maintaining confidentiality and integrity of data while maintaining
high levels of availability and network performance. Additionally, Sourcefire’s ability to provide real-time alerting of
events allows for quicker response times and potential incident resolution, allowing organizations to potentially meet or
exceed recovery time objectives (RTO).
All Cisco devices contained within the VMDC solution have gone through security testing to protect memory from
unauthorized code execution. The VMDC solution facilitates eight (8) applicable controls, with the balance being the
responsibility of the organization.
Achieving FISMA Compliance
As FISMA is a holistic governance approach based on risk, administrative documentation, processes, and device
categorization are required prior to selection, implementation, and assessment of technical controls. Additionally,
continued monitoring of the administrative and technical controls is required to ensure consistency of process as it
pertains to confidentiality, integrity, and availability of data stored on federal information systems.
The process starts with NIST SP 800-30 Revision 1 Guide for Conducting Risk
Assessments as defined in NIST SP 800-37 Revision 1 Guide for Applying the
Risk Management Framework to Federal Information Systems. This enables
an agency or supporting organization to accurately categorize an information
system in accordance with FIPS 199 Standards for Security Categorization of
Federal Information and Information Systems.
NIST 800-37 Rev 1 provides guidance in the specific areas as they pertain
to federal information systems to include activities such as “security
categorization, security control selection, and implementation, security
control assessment, information system authorization and security control
monitoring,” per the documented definition. It addresses risk at three levels: the organization, business process, and
information system level.
FIPS 199 requires information to be categorized based on potential impact to the agency or organization if
confidentiality, integrity or availability is lost. Low impact is defined as having a limited adverse effect, moderate
impact as a serious effect, and high impact as a severe or catastrophic effect. NIST SP 800-30
provides a risk management framework for assessing the risks associated with federal information systems in order to
provide appropriate levels in accordance with FIPS 199. NIST SP 800-37 Rev 1 Guide for Applying the Risk Management
Framework to Federal Information Systems is the guidance document for assessing associated risks.
After implementation of administrative and technical safeguards, a NIST SP 800-53 assessment is performed, as defined
by category, in accordance with FIPS 200 Minimum Security Requirements for Federal Information and Information
Systems in order to assess compliance.
NIST SP 800-53 Revision 4 is the most current control framework used to assess administrative and technical safeguards
implemented in order to authorize an information system as being FISMA compliant.
Upon achievement of FISMA compliance, authorization to operate is granted from a Certifying Authority (agency
official).
NIST SP 800-137 Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations
provides guidance on implementation and management of an overall continuous monitoring program.
For further information, refer to the VMDC Cloud Security 1.0 Design guide at: http://www.cisco.com/c/en/us/solutions/enterprise/data-center-designs-cloud-computing/landing_vmdc.html