VCE Product Applicability Guide for FedRAMP 2.0
October 2015, Version 1.0

TECHNICAL WHITE PAPER / 1

© 2015 VCE Company, LLC. All Rights Reserved.


This is the first document in the Compliance Reference Architecture for FedRAMP. You can find more information on the Framework and download the additional documents from the FedRAMP Compliance Resources TAB on VMware Solution Exchange here.


Table of Contents

Executive Summary, page 5
Introduction, page 5
Official FedRAMP Guidance as it Applies to Cloud Environments, page 7
NIST Special Publication 800-53, page 8
FedRAMP, page 9
Cloud Computing, page 10
Where to Start - Considerations for Management, IT and Auditors, page 12
Infrastructure Considerations, page 12
IT Considerations, page 12
Assessment Considerations, page 13
Guidance from the Federal Risk and Authorization Management Program, page 13
Vblock® Systems and FedRAMP, page 13
Vblock System 340 functional and component highlights potentially impacting security models, page 14
Meeting FedRAMP Requirements with Vblock Systems, page 16
Controls Details, page 18
Access Control, page 18
AUDIT AND ACCOUNTABILITY (AU), page 20
Configuration Management (CM), page 23
Contingency Planning (CP), page 25
CP-2 CONTINGENCY PLAN, page 25
Identification and Authentication (IA), page 26
SYSTEM AND COMMUNICATIONS PROTECTION (SC), page 27
SYSTEM AND INFORMATION INTEGRITY (SI), page 29
References, page 31


Design Subject Matter Experts

The following people provided key input into this design.

NAME EMAIL ADDRESS ROLE/COMMENTS

Jason Macallister [email protected] Senior Security Consultant, Coalfire

Chris Krueger [email protected] QA, Oversight, Director of Coalfire Cloud and Virtualization

Trademarks Copyright © 2015 VCE Company, LLC. All Rights Reserved. VCE, VCE Vision, VCE Vscale, Vblock, VxBlock, VxRack, and the VCE logo are registered trademarks or trademarks of VCE Company LLC. All other trademarks used herein are the property of their respective owners.

SOLUTION AREA: KEY PRODUCTS

VCE: VCE Vision™ Intelligent Operations, VCE Vscale™, Vblock®, VxBlock™, VxRack™

VMware vCloud® Infrastructure: VMware vSphere™, VMware® ESXi™, VMware vCenter Server™, VMware vCloud Director®

VMware NSX™: VMware NSX™, VMware® NSX API™, VMware® NSX Controller™, VMware® NSX Edge™, VMware® NSX Manager™, VMware® NSX Services™, VMware® NSX Virtual Switch™, Logical Firewall, Logical Router, Logical Load Balancer, NSX Service Composer

VMware vRealize™ Operations™ (formerly vCenter Operations Management Suite): VMware vRealize™ Operations Manager™, VMware vRealize™ Configuration Manager™, VMware vRealize™ Infrastructure Navigator™, VMware vRealize™ Orchestrator™, VMware vCenter™ Update Manager™, VMware vRealize™ Automation Center™, VMware vRealize™ Log Insight™


Executive Summary

VMware, the leader in cloud computing software for enterprises, recognizes the tremendous opportunity that VCE provides organizations wishing to leverage VMware solutions for their applications, including efficiencies, cost savings, cyber-risk management and compliance. VMware has developed a Reference Architecture Framework that provides a consistent way for VMware, its partners, and organizations to assess and evaluate the impact of regulations on virtual and cloud environments. Cloud service providers seeking to provide cloud services to US Government agencies must meet the compliance requirements established by the Federal Risk and Authorization Management Program (FedRAMP).

Vblock® Systems from VCE deliver extraordinary efficiency and business agility for virtualization and cloud computing by tightly integrating compute, network, and storage technologies from industry leaders Cisco, EMC, and VMware into a converged infrastructure. Vblock Systems provide dynamic pools of resources that are capable of being intelligently provisioned and managed to address changing demands and business requirements. Converged Infrastructure (CI) platforms are purpose-built virtualization systems that are rapidly becoming the first phase in many organizations’ cloud strategy. Security and compliance requirements are a consideration for organizations planning to process sensitive data through Vblock Systems. Cloud service providers using Vblock Systems in federal cloud environments should understand how the technology helps meet specific control requirements under FedRAMP. With the US Office of Management and Budget (OMB) making a mandatory push toward Cloud First, it is extremely important that cloud service providers understand how the technology they deploy helps meet rigorous security and compliance standards.

For this reason, VMware and VCE have enlisted their Audit Partner Coalfire, a FedRAMP accredited Third Party Assessment Organization (3PAO), to engage in a programmatic approach to evaluate VCE products and solutions for FedRAMP control capabilities and then to document these capabilities into a set of reference architecture documents. The first of these documents, the Product Applicability Guide, contains a mapping of VMware products and features that should be considered for implementing FedRAMP controls. The next two documents in the Compliance Reference Architecture Framework are the Architectural Design Guide and the Validated Reference Architecture.

1. Product Applicability Guide – contains a mapping of product and feature capabilities to address FedRAMP control enablement for consideration of how the technology aligns with FedRAMP compliance.

2. Architectural Design Guide – Provides architectural guidance for building a FedRAMP compliant solution.

3. Validated Reference Architecture – a documented report of findings from a validation exercise performed by an independent auditor against a purpose-built FedRAMP solution based on the Architectural Design Guide. The joint Validated Reference Architecture includes combined solutions from VMware and partners, such as VCE.

For more information on these documents and the general approach to compliance, please review VMware Compliance and Cyber Risk Solutions.

This Product Applicability Guide Addendum, featuring VCE products and solutions, builds upon the base VMware control mapping and alignment for FedRAMP 2.0, which is documented in the VMware FedRAMP Compliance and Cyber Risk Solutions on the VMware Solutions Exchange.

If you have any comments regarding this white paper, we welcome any feedback at [email protected] or [email protected].

Introduction

Compliance and security continue to be top concerns for organizations that plan to move any of their enterprise-computing environments to the cloud. VCE helps cloud service providers address these challenges by providing the industry’s broadest converged infrastructure portfolio with block, rack, and appliance offerings covering deployments of all sizes. This assessment specifically focuses on a block architecture: a model of the Vblock System. As with all VCE offerings, the Vblock System is designed, delivered and supported by VCE, seamlessly integrating leading compute, network, storage, virtualization and system management technologies. The infrastructure offerings from VCE provide a basis for a compliance-capable, audit-ready platform. The use case addresses questions like, “How can I be FedRAMP compliant in a Vblock System-supported cloud hosting environment?”


The FedRAMP compliant Public Cloud Use Case (See section on Cloud Computing in this document for Cloud Use Cases) is focused on the cloud service provider intending to operate a FedRAMP compliant Public Cloud. Due to the nature of the Public Cloud Use Case this document is primarily concerned with providing guidance in the integration of Vblock System components within the 'Provider' layer. The use case also provides a mapping of the specific FedRAMP controls to Vblock System components and features, partner solutions, and other third party entities involved in FedRAMP compliant cloud services. While every cloud is unique, VCE solutions combined with VMware and its partners can provide a solution that addresses over 26% of FedRAMP requirements with 74% coverage among technical and operational controls.

Understanding the relationship of the Vblock System to the seventeen FedRAMP control areas is fundamental and most broadly accommodated in this document with more Use Case specific guidance represented in the Architecture Design Guide. Regardless of the Use Case or operating environment model, the FedRAMP control areas represent a broad-based, balanced, information security program that addresses the management, operational, and technical aspects of protecting federal information and information systems. Management, operational, and technical controls (that is, safeguards or countermeasures) are prescribed for an information system in order to protect the confidentiality, integrity, audit, accountability, and availability of the system and its information. Operational security controls are implemented and executed primarily by people (as opposed to systems). Management controls focus on the management of risk and the management of information system security. Technical security controls are implemented and executed primarily by the information system through mechanisms contained in the hardware, software, or firmware components of the system.

A comprehensive assessment of the management, operational and technical controls that have been selected for the “information system” is required as part of the authorization process. This assessment must determine the extent to which all selected controls are implemented correctly, operating as intended, and producing desired outcomes with respect to meeting the security requirements for the system. An understanding of both NIST 800-53 and FedRAMP controls as implemented with VCE and its Technology Partners' solutions lends itself not only to harmonizing the ongoing compliance of the private cloud environment but also to managing the shared responsibility for compliance in the public cloud environment. This common set of well-understood policies and procedures, implemented in a common Vblock System-supported software-defined data center architecture across private and public cloud, not only enables the hybrid cloud to become reality but also opens up tremendous opportunities for tighter control and agility with regard to the principles put forth in the Continuous Diagnostics and Mitigation program as outlined by the Department of Homeland Security.

Figure 1: Intel Security + Partner Product Capabilities for a VMware-based Trusted Cloud

Figure 1 identifies capability measures with respect to protection, integrity, and availability that make up trusted cloud implementations. The graphic illustrates the specific categories that VMware and Partner solutions are able to address.


Official FedRAMP Guidance as it Applies to Cloud Environments

The Federal Risk and Authorization Management Program (FedRAMP) is the result of close collaboration with cybersecurity and cloud experts from GSA, NIST, DHS, DOD, NSA, OMB, the Federal CIO Council and its working groups, as well as private industry.

FedRAMP CONTROL FAMILY IDENTIFIER | FedRAMP CONTROL FAMILY TITLE | FEDRAMP MODERATE BASELINE CONTROLS (1)
AC | Access Control | 18 (25)
AT | Awareness and Training | 4 (1)
AU | Audit and Accountability | 11 (8)
CA | Certification, Accreditation, and Security Assessment | 8 (7)
CM | Configuration Management | 11 (15)
CP | Contingency Planning | 9 (15)
IA | Identification and Authentication | 8 (19)
IR | Incident Response | 9 (9)
MA | Maintenance | 6 (5)
MP | Media Protection | 7 (3)
PE | Physical and Environmental Protection | 16 (4)
PL | Planning | 4 (2)
PS | Personnel Security | 8 (1)
RA | Risk Assessment | 4 (6)
SA | System and Services Acquisition | 9 (13)
SC | System and Communications Protection | 20 (12)
SI | System and Information Integrity | 12 (16)

Table 1: FedRAMP Controls Baseline

FedRAMP version 2 added 80 new moderate baseline controls for a total of 325 baseline controls. Cloud service providers, deploying and maintaining an infrastructure that meets the requirements established in the NIST and FedRAMP baseline, require centralized management and control of all components including virtual applications, platforms, and network devices.

FedRAMP specifically began providing formalized guidance for cloud and virtual environments in June 2012. These guidelines were based on industry feedback, rapid adoption of virtualization technology, and the move to cloud.

(1) The number in parentheses in this column includes the control enhancements required by the FedRAMP Moderate Baseline.


Figure 2: Official guidance on security in FedRAMP Cloud environments

NIST Special Publication 800-53

The objective of NIST Special Publication 800-53 is to provide a set of security controls that can satisfy the breadth and depth of security requirements levied on information systems and organizations that is consistent with and complementary to other established information security standards.

The catalog of security controls provided in Special Publication 800-53 can be effectively used to demonstrate compliance with a variety of governmental, organizational, or institutional security requirements. It is the responsibility of organizations to select the appropriate security controls, to implement the controls correctly, and to demonstrate the effectiveness of the controls in satisfying their stated security requirements. The security controls in the catalog facilitate the development of assessment methods and procedures that can be used to demonstrate control effectiveness in a consistent and repeatable manner—thus contributing to the organization’s confidence that there is ongoing compliance with its stated security requirements.

NIST SP 800-53 presents the fundamental concepts associated with security control selection and specification, including:

(i) the structure of security controls and the organization of the controls in the control catalog;

(ii) security control baselines;

(iii) the identification and use of common security controls;

(iv) security controls in external environments;

(v) security control assurance; and

(vi) future revisions to the security controls, the control catalog, and baseline controls.

Security controls described in this publication have a well-defined organization and structure. For ease of use in the security control selection and specification process, controls are organized into eighteen families. Each security control family contains security controls related to the security functionality of the family. In addition, there are three general classes of security controls: management, operational, and technical.


FedRAMP

Cloud computing technology allows the Federal Government to address demand from citizens for better, faster services and to save resources, consolidate services, and improve security. The essential characteristics of cloud computing (on-demand provisioning, resource pooling, elasticity, network access, and measured services) provide the capabilities for agencies to dramatically reduce procurement and operating costs and greatly increase the efficiency and effectiveness of services.

Agencies have realized the benefits of this technology and are integrating it into their information technology environment. On December 9, 2010, the Office of Management and Budget (OMB) released the 25 Point Implementation Plan to Reform Federal Information Technology Management, establishing the Cloud First policy and requiring agencies to use cloud-based solutions whenever a secure, reliable, cost-effective cloud option exists. FedRAMP was established by a memorandum issued by OMB on December 8, 2011, Security Authorization of Information Systems in Cloud Computing Environments (FedRAMP Policy Memo), to provide a cost-effective, risk-based approach for the adoption and use of cloud services. A key element to successful implementation of cloud computing is a security program that addresses the specific characteristics of cloud computing and provides the level of security commensurate with specific needs to protect government information. Effective security management must be based on risk management and not only on compliance. By adhering to a standardized set of processes, procedures, and controls, agencies can identify and assess risks and develop strategies to mitigate them.

The purpose of FedRAMP is to:

• Ensure that cloud based services have adequate information security;

• Eliminate duplication of effort and reduce risk management costs; and

• Enable rapid and cost-effective procurement of information systems/services for Federal agencies

The major participants in the FedRAMP process are:

• Federal agency customer – has a requirement for cloud technology that will be deployed into its security environment and is responsible for ensuring FedRAMP compliance

• Cloud Service Provider (CSP) – is willing and able to fulfill agency requirements and to meet security requirements

• Joint Authorization Board (JAB) – reviews the security package submitted by the CSP and grants a provisional Authority to Operate (ATO)

• Third Party Assessment Organization (3PAO) – validates and verifies that evaluated CSPs meet FedRAMP requirements

• FedRAMP Program Management Office (PMO) – manages the assessment, authorization, and continuous monitoring process

To achieve a FedRAMP agency ATO or JAB P-ATO, the CSP must implement the FedRAMP security controls in their environment and hire a FedRAMP-approved 3PAO to perform an independent assessment of the cloud system and present a security package for review. Table 1, above, outlines the Control Families and the number of FedRAMP moderate baseline required controls. In order to maintain a P-ATO, the cloud service provider must implement the security controls defined in the FedRAMP System Security Plan (Template) version 2.0 to ensure that all required security controls outlined in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Rev 4 baseline and the additional FedRAMP parameters are effectively implemented.

The FedRAMP System Security Plan (Template) version 2.0 details all required cloud security controls. The plan (template) is written in accordance with the NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Information Technology Systems. Completion of this SSP, which describes how the U.S. Federal information will be safeguarded, is a requirement of the Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Resources, and Public Law 100-235, the Computer Security Act of 1987.

The controls provide a detailed Management, Operational and Technical control set for meeting the security requirements established by FISMA. In addition to the FISMA requirements outlined in the NIST control baseline, FedRAMP requirements have been written for key controls and control enhancements specific to a cloud service provider that wants to provide cloud services for federal government agencies.


Figure 3 illustrates the processes and notional timeline to achieve either a JAB provisional or Agency ATO. The time frame is dependent on CSP readiness and ability to comment throughout each of the stages.

Figure 3: FedRAMP Authorization Timeline (PMO, 2014)

Cloud Computing

Cloud computing and virtualization have continued to grow significantly every year. There is a rush to move applications and even whole datacenters to the “cloud”, although few people can succinctly define the term “cloud computing.” There are a variety of different frameworks available to define the cloud, and their definitions are important as they serve as the basis for making business, security, and audit determinations. VMware defines cloud or utility computing as the following (http://www.vmware.com/solutions/cloud-computing/public-cloud/faqs.html):

“Cloud computing is an approach to computing that leverages the efficient pooling of on-demand, self-managed virtual infrastructure, consumed as a service. Sometimes known as utility computing, clouds provide a set of typically virtualized computers which can provide users with the ability to start and stop servers or use compute cycles only when needed, often paying only upon usage.”


Figure 4: Cloud Computing

There are commonly accepted definitions for the cloud computing deployment models and there are several generally accepted service models. These definitions are listed below:

• Private Cloud – The cloud infrastructure is operated solely for an organization and may be managed by the organization or a third party. The cloud infrastructure may be on premise or off-premise.

• Public Cloud – The cloud infrastructure is made available to the general public or to a large industry group and is owned by an organization, such as a cloud service provider, that sells cloud services.

• Hybrid Cloud – The cloud infrastructure is a composition of two or more clouds (private and public) that remain unique entities, but are bound together by standardized technology. This enables data and application portability; for example, cloud bursting for load balancing between clouds. With a hybrid cloud, an organization gets the best of both worlds, gaining the ability to burst into the public cloud when needed while maintaining critical assets on premise.

• Community Cloud – The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (for example, mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party, and may exist on premise or off premise.


Where to Start - Considerations for Management, IT and Auditors

Migrating a traditional IT infrastructure to a virtual or cloud environment has a significant impact on an organization that extends beyond information technology. Security and compliance continue to remain top concerns for management, IT departments and auditors. All three areas should be represented and engaged for any IT virtualization or cloud projects to confirm that business, IT operations, and compliance teams carefully consider the benefits and risk. This is also true for Cloud Service Providers who will need to build out cloud infrastructure to meet requirements in anticipation of the federal government agencies who will be their customers.

Infrastructure Considerations

The process for securing cloud infrastructure is much the same as the process required to secure traditional infrastructure. Use the following questions to understand the potential business impact, benefits, and risks when considering infrastructure options for a cloud environment.

• Do you have a clear inventory of in-scope information that will be stored or processed? Inventory should include type of data, structured, unstructured, location or storage methods, metadata, key/trigger fields, and so forth.

• What is the organization’s classification of information that will traverse or be stored within the same enclaves containing the infrastructure?

• Have you cataloged applicable security governance, policies, and procedures?

• What additional laws, regulatory or compliance requirements govern this information?

• Have you identified the users, owners, and custodians of the information systems?

• Have you identified specific roles and responsibilities for personnel responsible for the information?

• How does the implementation of the infrastructure affect your existing information lifecycle, including source, generation, workflows, and communities of interest, retention, destruction requirements?

• What additional measures or adjustments need to be taken for data protection, recovery, and business continuity?

• What additional measures or adjustments need to be taken for incident response in case of a compromise?

• How does the infrastructure affect existing or desired business processes, policies, operational procedures, or requirements related to the information?

IT Considerations

1. How does the IT Operations plan address the company’s strategic and operational goals?

2. What manual processes are in place that can be automated?

3. What are the skills and capabilities of the IT Department?

4. Have there been any previous attempts to virtualize or outsource critical operations?

5. Which IT initiatives currently underway could impact the FedRAMP system boundary?

6. How is encryption currently used to limit risk?

7. How is sensitive data currently classified (that is, do you know where all your data resides)?

8. How have security and compliance affected IT Operations?


Assessment Considerations

1. What prior experience does the auditor (Third Party Assessment Organization (3PAO)) have with virtual/cloud environments?

2. Has the 3PAO successfully assessed FedRAMP environments?

3. What certifications do they have in Intel Security products or solutions?

4. How many individuals that are part of the assessment team have experience with Intel Security?

5. What thought leadership and guidance has the 3PAO published?

6. What are the risks and mitigation techniques the 3PAO believes are appropriate for FedRAMP environments?

7. How long have they been working with Intel Security architectures?

8. What references do they have for conducting similar assessments?

9. Is the 3PAO assigned to the audit engagement company knowledgeable about the basic components, systems, and software in an Intel Security cloud?

Once a comprehensive review of possible risks is in hand, stakeholders can begin to understand the comparative risk of implementing the Vblock System as the cloud service provider's supporting infrastructure.

Guidance from the Federal Risk and Authorization Management Program Cloud computing technology allows the Federal Government to address demand from citizens for better, faster services and to save resources, consolidate services, and improve security. The essential characteristics of cloud computing (on-demand provisioning, resource pooling, elasticity, network access, and measured services) provide the capabilities for agencies to dramatically reduce procurement and operating costs and greatly increase the efficiency and effectiveness of services.

Agencies can then leverage the Provisional ATO and grant their own ATO without conducting duplicative assessments. In prior cloud FISMA compliance projects, certain controls have proven challenging for service providers to meet. Before you decide to initiate a request to participate in FedRAMP, go through the requirements below and make sure that you are truly able to meet them. Consult with your legal team and technical staff (for example, systems administrators, database administrators, network engineers, etc.) to determine whether you have the right controls in place and the ability to manage them.

Vblock® Systems and FedRAMP VCE offers the industry’s broadest converged infrastructure solution portfolio, with block, rack, and appliance offerings covering deployments of all sizes. This assessment specifically focuses on a block architecture: a model of the Vblock System. As with all VCE offerings, the Vblock System is designed, delivered, and supported by VCE, seamlessly integrating leading compute, network, storage, virtualization, and system management technologies.

The Vblock System 740, Vblock System 540 and Vblock System 340 are engineered for high levels of performance, capacity, security, high-availability, and operational efficiency. The Vblock System can also be combined with VCE™ Technology Extensions and VCE Vscale™ Architecture to offer greater value for additional use cases, such as data lakes, distributed applications, and other emerging applications.

This Product Applicability Guide targets the Vblock 340; note that, apart from storage, other Vblock Systems should be essentially identical. VxBlock™ Systems also share many components, as well as the same design and sustainment practices, so although they were not considered for this Product Applicability Guide, they should share many control implementations. Rack and appliance systems share fewer components with the Vblock 340, but still share design and sustainment practices, giving some measure of commonality in control implementations.

The Vblock 340 is an enterprise and service provider ready system in the Vblock System 300 series, designed to address a wide spectrum of virtual machines (VMs), users, and applications. It is ideally suited to achieve the scale required in both private and public cloud environments. The Vblock 340 is engineered for scalability and performance to support large enterprise deployments of mission-critical applications, cloud services, VDI, mixed workloads and application development and testing. Every Vblock 340 is available with the market-leading EMC VNX storage arrays. Each Vblock 340 is pre-engineered, pre-configured, and validated, and arrives ready to meet specific workload and SLA requirements – while minimizing the costs and risks to business operations.


Vblock System 340 functional and component highlights potentially impacting security models:

• Management plane isolated from other functional levels within the Vblock System architecture allows for functional segmentation of the cloud service provider management workloads from operational and tenant workloads.

- Second generation of the Advanced Management Platform (AMP-2) for Vblock Systems hosts element manager applications. The element manager applications hosted on the AMP-2 provide secure centralized management access for infrastructure management.

- Dedicated management networks and physical switches provide physical network segmentation to further isolate critical infrastructure management functions and provide a secure foundation for the cloud service provider infrastructure.

• Cisco Unified Compute System chassis/blade implementation.

- Profile-based blade administration and stateless blades allow for centralized management of compute resources. This also provides the means for rapid recovery or expansion of compute resources within the Vblock System.

- SAN-boot of blades also provides the means for rapid recovery of resources after failure. Secure, centralized storage of boot images for the blades further secures the underlying physical operating system.

- Converged networking provides a centralized platform for management and configuration of the network, thus simplifying the infrastructure architecture and allowing similar policies and standards to be applied in one place.

• Block (SAN) and unified storage options (SAN and NAS).

• VMware vStorage API for Array Integration (VAAI) enablement.

• Unified network architecture provides the option to leverage Cisco Nexus switches to support IP and SAN without the use of Cisco MDS switches.

• Multiple distributed virtual switch choices:

- Default: Cisco Nexus 1000V Series Virtual Switch

- Optional: VMware vSphere Distributed Switch (VDS) (VMware vSphere 5.5 and higher)

• VMware vSphere Server Enterprise Plus

• EMC Secure Remote Support (ESRS)

Many of the above highlighted components are further described in the following sections where the VCE technology is specifically aligned with the FedRAMP controls.


Figure 5: Vblock 340 Architecture


Meeting FedRAMP Requirements with Vblock Systems While each Vblock System is customized to the cloud service provider’s requirements, a typical Vblock System supports compliance with more than 7% of the FedRAMP control requirements. Leveraging additional partner technology, including VMware technologies not already included as part of the Vblock System, improves the possibility of meeting control requirements to more than 38%.

Figure 6 illustrates the breakout of capabilities relative to VMware solutions, VMware partner solutions (including VCE), and controls not addressed by VMware or partner technologies. The slice of the pie that represents controls not addressed by VMware and partners consists of controls that are largely organizational in nature. These controls include policies, procedures, processes, and standards that are defined by the cloud service provider organization. Third-party technologies not in scope for our assessment might also fall within this slice of the pie.

Figure 6: FedRAMP Applicability of VMware SDDC Products vs. Aggregate

The control baseline selected for the VCE Product Applicability Guide is based on FedRAMP Version 2 for a moderate impact system. This standard incorporates control requirements from NIST SP 800-53 Revision 4 and includes considerations and enhancements specific to cloud computing technology and security. These publications are most widely adopted today when seeking guidance for the recommended security controls relative to federal agencies and information systems. The moderate impact controls were selected as they represent the wide majority of information systems leveraging FedRAMP 2 today.

Starting with the control baseline, VCE performed a detailed analysis of all moderate impact controls and selected those that might be considered applicable or in-scope for cloud service providers using the Vblock System. Although not included within the Reference Architecture Framework, including this Product Applicability Guide, VCE assumes that all cloud service providers leveraging the Vblock System will include a full set of policies and procedures accounting for each of the control family “-1” controls (example: AC-1). Additional detail regarding the applicable controls, control requirements and the Vblock System implementation guidance are provided within this Product Applicability Guide in the following section. Table 2 provides a summary of the baseline and selected controls. The table includes consideration of all controls addressed by technical solutions and those identified as non-technical, organizational or cloud service provider responsibilities.

[Figure 6 legend: FedRAMP Requirements; Tests Addressed in VMware's SDDC Suites; Tests Addressed or enhanced with partner solutions; Tests Not Addressed by VMware or Partners]


| Pie chart # | FedRAMP Control Families | # of FedRAMP Controls | Controls Enabled in VMware's SDDC Suites | Controls Enabled or Enhanced with Partner Solutions | Controls Not Addressed by VMware or Partners |
|---|---|---|---|---|---|
| 1 | Access Control | 43 | 3 | 23 | 38 |
| 2 | Awareness and Training | 5 | 0 | 0 | 5 |
| 3 | Audit and Accountability | 19 | 5 | 18 | 16 |
| 4 | Certification, Accreditation, and Security Assessment | 15 | 0 | 9 | 8 |
| 5 | Configuration Management | 26 | 20 | 6 | 1 |
| 6 | Contingency Planning | 24 | 0 | 23 | 24 |
| 7 | Identification and Authentication | 27 | 0 | 7 | 22 |
| 8 | Incident Response | 18 | 0 | 16 | 12 |
| 9 | Maintenance | 11 | 0 | 0 | 11 |
| 10 | Media Protection | 20 | 0 | 18 | 11 |
| 11 | Physical and Environmental Planning | 20 | 0 | 12 | 20 |
| 12 | Planning | 6 | 0 | 4 | 6 |
| 13 | Personnel Security | 9 | 0 | 3 | 9 |
| 14 | Risk Assessment | 10 | 0 | 0 | 10 |
| 15 | System and Services Acquisition | 22 | 0 | 0 | 22 |
| 16 | System and Communications Protection | 32 | 19 | 6 | 21 |
| 17 | System and Information Integrity | 28 | 12 | 9 | 9 |
| | Total | 325 | 59 | 154 | 245 |

Note: Control totals do not add up to 325 due to overlapping features of VMware products and partner products.

Table 2: FedRAMP Controls per Control Family Matrix


Controls Details This section identifies all controls addressed by the Vblock System. Each control includes requirements and Vblock System implementation details, including their applicability under FedRAMP.

Access Control AC-6 LEAST PRIVILEGE

Control Description The organization employs the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.

AC-6(9)

Control Description The information system audits the execution of least privileged functions.

Vblock System Implementation Inasmuch as the VCE components generate logs relevant to activities performed by users or services on the Vblock System components, those logs can be reviewed to determine how the privileged accounts are being used. Moreover, the logs record activities performed by built-in accounts, including local super user accounts. To facilitate auditing activities, however, it is recommended to implement a log aggregation, correlation, and analysis tool that provides parsing and reporting capabilities and can produce a more expeditious and accurate abstract. Additionally, analysis tools might include a notification mechanism that alerts audit personnel when results are outside the desired threshold.

Applicability: FedRAMP Low, Moderate

AC-6(10)

Control Description The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

Vblock System Implementation Account management is primarily handled by a third-party directory services implementation of cloud service provider defined roles and responsibilities. However, the directory services roles and responsibilities defined with users, groups, and Organizational Units are directly tied to system roles and responsibilities through integrated directory authentication or secure LDAP. Access capabilities for privileged and non-privileged users are limited by the scope of the capabilities tied to the Vblock System and/or component defined roles. System access rights, from full administration to read-only audit privilege and every granular implementation of capabilities in between, are defined within the system.

Applicability: FedRAMP Low, Moderate


AC-8 SYSTEM USE NOTICE

Control Description The information system:

(a) Displays to users [Assignment: organization-defined system use notification message or banner (See Additional Requirements and Guidance)] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that:

(1) Users are accessing a U.S. Government information system;

(2) Information system usage may be monitored, recorded, and subject to audit;

(3) Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and

(4) Use of the information system indicates consent to monitoring and recording;

(b) Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and

(c) For publicly accessible systems:

(1) Displays system use information [Assignment: organization-defined conditions (See Additional Requirements and Guidance)], before granting further access;

(2) Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and

(3) Includes a description of the authorized uses of the system.

Vblock System Implementation Vblock Systems use built-in access controls to enforce account management policy, including the display of system use notification. The cloud service provider sets the text that will be displayed for each of the components. To simplify meeting FedRAMP requirements, some cloud service providers elect to implement this control parameter by using a centralized access point such as a jump host into the management environment.

Applicability: FedRAMP Low, Moderate

AC-10 CONCURRENT SESSION CONTROL

Control Description The information system limits the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [FedRAMP Assignment: three (3) sessions for privileged access and two (2) sessions for non-privileged access].

Vblock System Implementation Vblock Systems are capable of limiting the number of concurrent sessions for users at the subcomponent level. Additionally, the implementation of this control can be facilitated by instituting a jump host from which to access and manage the components of the Vblock System. The use of the jump host allows for directory service policies to apply to a user’s session.

Applicability: FedRAMP Low, Moderate
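The AC-10 assignment above (three concurrent sessions for privileged access, two for non-privileged) can be enforced at the jump host the text mentions; this is an added example, not VCE or VMware code, and the account names and account types it uses are constructed placeholders for what a directory service would supply.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Set

# FedRAMP AC-10 assignment: 3 sessions for privileged, 2 for non-privileged.
SESSION_LIMITS: Dict[str, int] = {"privileged": 3, "non-privileged": 2}


@dataclass
class Decision:
    allowed: bool
    active: int      # sessions open for the account after this decision
    limit: int
    reason: str = ""


class SessionRegistry:
    """Tracks live sessions per account and admits a new one only while the
    account type's limit has not been reached."""

    def __init__(self, account_types: Dict[str, str]):
        # account -> account type, as a directory service would supply it
        self.account_types = account_types
        self.active: Dict[str, Set[str]] = defaultdict(set)

    def open(self, account: str, session_id: str) -> Decision:
        account_type = self.account_types.get(account)
        if account_type not in SESSION_LIMITS:
            # Unknown account types get no sessions at all (deny by default).
            return Decision(False, 0, 0, "unknown account type; denied")
        limit = SESSION_LIMITS[account_type]
        live = self.active[account]
        if session_id in live:
            return Decision(True, len(live), limit, "session already registered")
        if len(live) >= limit:
            return Decision(False, len(live), limit,
                            f"{account_type} limit of {limit} concurrent sessions reached")
        live.add(session_id)
        return Decision(True, len(live), limit)

    def close(self, account: str, session_id: str) -> bool:
        """Release a session; returns False if it was not open."""
        live = self.active.get(account)
        if not live or session_id not in live:
            return False
        live.discard(session_id)
        return True


# Constructed accounts for demonstration (not real directory data).
ACCOUNTS = {"admin": "privileged", "jdoe": "non-privileged"}
```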


AC-11 SESSION LOCK

Control Description The information system:

(a) Prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user; and

(b) Retains the session lock until the user reestablishes access using established identification and authentication procedures.

Vblock System Implementation Session lock policy can be set and managed by the cloud service provider for Vblock System subcomponents. To simplify meeting FedRAMP requirements, some cloud service providers elect to implement this control parameter by using a centralized access point such as a jump host into the management environment. The policies configured within the directory services apply to the jump host for the enablement of this control.

Applicability: FedRAMP Low, Moderate

AUDIT AND ACCOUNTABILITY (AU) AU-3 CONTENT OF AUDIT RECORDS

Control Description The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.

Vblock System Implementation The cloud service provider configures the auditing features of operating systems, databases, and applications to record security-related events in accordance with requirements. All Vblock System components have the ability to send logs to a remote syslog server. Audit trails can capture event, time, action and other details required for monitoring.

Applicability: FedRAMP Low, Moderate

AU-3(1)

Control Description The information system generates audit records containing the following additional information: [FedRAMP Assignment: [session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon]].

Vblock System Implementation All Vblock System components have the ability to send logs to a remote syslog server. Audit trails can capture session information, including session, connection, transaction, or activity duration and, for client-server transactions, the number of bytes received and bytes sent. The logs can include information that would be useful for investigating activities on the Vblock System.


Applicability: FedRAMP Low, Moderate

AU-5 RESPONSE TO AUDIT PROCESSING FAILURES

Control Description The information system:

(a) Alerts designated organizational officials in the event of an audit processing failure; and

(b) Takes the following additional actions: [Assignment: organization-defined actions to be taken (for example, shut down information system, overwrite oldest audit records, stop generating audit records)].

Vblock System Implementation Vblock Systems are designed and built using industry-standard components. Alerts on all system events, including audit failure, can be forwarded to the cloud service provider's centralized log collection tool to the extent supported by the subcomponents. The cloud service provider must set the response policy for audit failures according to requirements. For added security, it is recommended to forward logs to a centralized log collection tool for environmental analysis and log preservation. Moreover, it is recommended to implement a monitoring toolset outside of the Vblock System to ensure the proper functioning of audit records and timely reporting of audit failures.

Applicability: FedRAMP Low, Moderate

AU-7 AUDIT REDUCTION AND REPORT GENERATION

Control Description The information system provides an audit reduction and report generation capability that:

(a) Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and

(b) Does not alter the original content or time ordering of audit records.

Vblock System Implementation Vblock Systems support adjustments within the local system audit configuration. The logs generated with the system and viewable by the system components can be filtered to generate specific information based on defined patterns. It is also recommended to implement, configure, and use a centralized audit log management tool to facilitate collecting, consolidating, monitoring, analyzing, and reporting events. Parsing and queries can be used to generate reports based on selectable event criteria.

Applicability: FedRAMP Low, Moderate

AU-7(1)

Control Description The information system provides the capability to process audit records for events of interest based on [Assignment: organization-defined audit fields within audit records].


Vblock System Implementation Queries can be run against the logs to find events based on interest defined by specific audit fields. The log viewers in the Vblock System components provide the ability to filter for specific events and event types. However, for timely reporting on logs, it is recommended to use a centralized log aggregation, correlation, and reporting tool.

Applicability: FedRAMP Low, Moderate
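The AU-3, AU-3(1), AU-7 and AU-7(1) implementations above all rest on the remote syslog feed from the Vblock System components; the following added example (not VCE code) shows what the centralized tool they recommend has to do with that feed: verify each record carries the AU-3 fields (plus the AU-3(1) duration and byte counts on session-end events) without altering or reordering the records, and select events of interest by audit field. The sample records, hostnames, field names and key=value payload format are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample records (not captured from a real system) in RFC 3164
# style with a key=value payload, as a collector might receive them from
# Vblock System components via remote syslog.
SAMPLE_LOG = """\
<86>Oct 21 10:00:01 ucsm-01 audit: type=login user=admin src=10.0.1.5 outcome=success
<86>Oct 21 10:00:07 ucsm-01 audit: type=login user=svc_backup src=10.0.1.9 outcome=failure
<86>Oct 21 10:01:12 vcenter-01 audit: type=role_change user=jdoe src=10.0.1.5 outcome=success target=Administrator
<86>Oct 21 10:02:30 nexus-01 audit: type=config_commit user=jdoe src=10.0.1.5
<86>Oct 21 10:03:44 vcenter-01 audit: type=session_end user=jdoe src=10.0.1.5 outcome=success duration=152 bytes_in=4096 bytes_out=81920
"""

RFC3164 = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+): (?P<msg>.*)$"
)

# AU-3: what, when, where, source, outcome, and identity of the subject.
AU3_REQUIRED = ("type", "timestamp", "host", "src", "outcome", "user")
# AU-3(1) FedRAMP assignment: duration and bytes sent/received for
# client-server transactions (checked on session_end events here).
AU3_1_ADDITIONAL = ("duration", "bytes_in", "bytes_out")


@dataclass
class AuditRecord:
    fields: Dict[str, str]
    raw: str  # original line, kept unaltered (AU-7(b))

    def missing(self, required=AU3_REQUIRED) -> List[str]:
        return [f for f in required if f not in self.fields]


def parse_record(line: str) -> Optional[AuditRecord]:
    m = RFC3164.match(line)
    if not m:
        return None  # not a record in the expected shape; caller may count these
    fields = {"timestamp": m["ts"], "host": m["host"], "tag": m["tag"]}
    for token in m["msg"].split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return AuditRecord(fields, line)


def parse_log(text: str) -> List[AuditRecord]:
    # Records keep their original order; nothing is sorted or rewritten.
    records = []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            records.append(rec)
    return records


def au3_violations(records: List[AuditRecord]) -> List[str]:
    """Raw lines missing any AU-3 mandatory field, or missing the AU-3(1)
    fields on a session_end event."""
    bad = []
    for r in records:
        required = AU3_REQUIRED
        if r.fields.get("type") == "session_end":
            required = AU3_REQUIRED + AU3_1_ADDITIONAL
        if r.missing(required):
            bad.append(r.raw)
    return bad


def events_of_interest(records: List[AuditRecord], **criteria: str) -> List[AuditRecord]:
    """AU-7(1): select records whose audit fields equal every given criterion,
    e.g. events_of_interest(records, user="jdoe", type="role_change")."""
    return [r for r in records
            if all(r.fields.get(k) == v for k, v in criteria.items())]
```

Run against SAMPLE_LOG, the nexus-01 config_commit line is reported as an AU-3 violation because it records no outcome.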

AU-8 TIME STAMPS

Control Description The information system uses internal system clocks to generate time stamps for audit records.

Vblock System Implementation Vblock Systems support external Network Time Protocol (NTP) servers in order to synchronize internal information system clocks. The cloud service provider is able to define within the Vblock System components the NTP servers to be used for centralized time synchronization.

Applicability: FedRAMP Low, Moderate

AU-8(1)

Control Description The information system:

(a) Compares the internal information system clocks [FedRAMP Assignment: at least hourly] with [FedRAMP Assignment: authoritative time source: http://tf.nist.gov/tf-cgi/servers.cgi]; and

(b) Synchronizes the internal system clocks to the authoritative time source when the time difference is greater than [Assignment: organization-defined time period].

Vblock System Implementation All Vblock System components are capable of being set to update time with external NTP servers to ensure that the time across all components and subcomponents is synchronized. The authoritative time server being used can be specified within the components to enable the control enhancement. The frequency of checking system clocks, as well as the response to synchronization drift, is configurable within the system to meet the FedRAMP requirements and the cloud service provider’s specifications for acceptable and reasonable defined time periods.

Applicability: FedRAMP Low, Moderate
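Whether the configured NTP checks actually satisfy AU-8(1) is something the cloud service provider has to demonstrate from evidence; the added example below (not VCE code) evaluates a history of clock comparisons against both parts of the enhancement: checks no more than an hour apart, and any offset beyond the organization-defined tolerance corrected. The check history, hostnames and the one-second tolerance are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# AU-8(1)(a) FedRAMP assignment: compare with the authoritative source at least hourly.
MAX_CHECK_INTERVAL = timedelta(hours=1)
# AU-8(1)(b): organization-defined drift tolerance; 1 second is an assumed
# value for this example, not a FedRAMP or VCE figure.
DRIFT_THRESHOLD_S = 1.0


@dataclass
class ClockCheck:
    host: str
    checked_at: datetime  # authoritative time when the comparison ran
    offset_s: float       # component clock minus authoritative time, seconds
    resynced: bool        # component corrected its clock after this check


@dataclass
class Finding:
    host: str
    kind: str             # "interval" or "drift"
    detail: str


def evaluate(history: List[ClockCheck]) -> List[Finding]:
    """Return one Finding per violation; an empty list means the history
    satisfies both parts of AU-8(1)."""
    findings: List[Finding] = []
    by_host: Dict[str, List[ClockCheck]] = {}
    for check in sorted(history, key=lambda c: c.checked_at):
        by_host.setdefault(check.host, []).append(check)
    for host, checks in by_host.items():
        # (a) consecutive comparisons must not be more than an hour apart
        for prev, cur in zip(checks, checks[1:]):
            gap = cur.checked_at - prev.checked_at
            if gap > MAX_CHECK_INTERVAL:
                findings.append(Finding(
                    host, "interval",
                    f"{gap} between checks exceeds {MAX_CHECK_INTERVAL}"))
        # (b) drift beyond the tolerance must have been corrected
        for check in checks:
            if abs(check.offset_s) > DRIFT_THRESHOLD_S and not check.resynced:
                findings.append(Finding(
                    host, "drift",
                    f"offset {check.offset_s:+.3f}s left uncorrected at "
                    f"{check.checked_at:%H:%M}"))
    return findings


# Constructed history for three components over one morning.
T0 = datetime(2015, 10, 21, 0, 0)
SAMPLE_HISTORY = [
    ClockCheck("ucsm-01", T0, 0.20, False),
    ClockCheck("ucsm-01", T0 + timedelta(hours=1), 0.40, False),
    ClockCheck("ucsm-01", T0 + timedelta(hours=2), 1.50, True),    # drifted, corrected
    ClockCheck("nexus-01", T0, 0.10, False),
    ClockCheck("nexus-01", T0 + timedelta(hours=2, minutes=30), 3.20, False),  # late, uncorrected
    ClockCheck("vcenter-01", T0, 0.05, False),
    ClockCheck("vcenter-01", T0 + timedelta(minutes=45), -0.30, False),
]
```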


AU-9 PROTECTION OF AUDIT INFORMATION

Control Description The information system protects audit information and audit tools from unauthorized access, modification, and deletion.

Vblock System Implementation With built-in role definition, access can be limited to individual or groups authorized to manage logs within the Vblock System components.

The Vblock System is limited in its scope to retain and protect logs against intentional or accidental modification or deletion. For this reason, Vblock Systems are fully compatible with Security Information and Event Management (SIEM) log collection and management systems. VCE will configure the Vblock System to send logging and alerting data to the cloud service provider’s collectors. Additional measures to protect audit information and audit tools from unauthorized access, modification, and deletion once they leave the Vblock System are outside the scope of the Vblock System’s control. For added security, organizations can select a secure solution for collecting and managing the data.

Applicability: FedRAMP Low, Moderate

AU-12 AUDIT GENERATION

Control Description The information system:

(a) Provides audit record generation capability for the list of auditable events defined in AU-2 at [Assignment: organization-defined information system components];

(b) Allows designated organizational personnel to select which auditable events are to be audited by specific components of the system; and

(c) Generates audit records for the list of audited events defined in AU-2 with the content as defined in AU-3.

Vblock System Implementation Vblock Systems have native audit capabilities to log all activities within the environment via syslog and SNMP. The cloud service provider can configure the auditing features of operating systems, databases, and applications to record security-related events in accordance with requirements.

Applicability: FedRAMP Low, Moderate

Configuration Management (CM) CM-2 BASELINE CONFIGURATION

Control Description The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.

CM-2(2)

Control Description The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.

Vblock System Implementation VCE builds Vblock Systems to customer-specific, logical specifications to ensure the proper software is loaded correctly on the system at the factory. Specific combinations of firmware, operating systems, drivers, management tools, and other software are engineered and stringently tested together as part of the VCE Release Certification Matrix (RCM). VCE maintains multiple trains of RCMs based on certain fixed points, such as specific major and minor release combinations of VMware vSphere and Cisco UCS Manager. It then updates each train based on vendor patch releases. Each release, whether a new train or an update, goes through both extensive regression testing and upgrade planning that helps the cloud service provider transition their platforms from earlier RCM versions. In the case of major releases, this can represent well over a thousand hours of testing; for minor releases, hundreds of hours are more typical. The latest RCMs are pushed to VCE Vision™ Intelligent Operations, which allows the Vblock System to maintain an approved baseline according to standards set forth by VCE through the Security Content Automation Protocol (SCAP) engine in the RCM compliance checker. The policies for hardening the system that are applied to the baseline pre-shipped configuration can be maintained and continuously inspected for compliance with VCE Vision software.

For added security and the intent to meet industry-accepted hardening standards, the cloud service provider should harden systems to meet their specific needs and industry recommended best practices such as the Center for Internet Security (CIS) Benchmarks, Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) or vendor-specific configuration recommendations. It might also be feasible to leverage industry accepted third-party vendor tools that enable the ability to review and perform baseline configuration updates for workloads deployed on the Vblock System automatically, when appropriate.

VCE maintains initial baseline build information for the Vblock System and is able to make the data packages available to the cloud service provider if requested. This baseline is kept on record to identify the system configurations as shipped. For added security, cloud service providers may back up the baseline build immediately upon accepted install and retain previous configurations as appropriate.

Applicability: FedRAMP Low, Moderate

CM-8 INFORMATION SYSTEM COMPONENT INVENTORY

Control Description The organization:

(a) Develops and documents an inventory of information system components that:

(1) Accurately reflects the current information system;

(2) Includes all components within the authorization boundary of the information system;

(3) Is at the level of granularity deemed necessary for tracking and reporting; and

(4) Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and

(b) Reviews and updates the information system component inventory [FedRAMP Assignment: at least monthly].

Vblock System Implementation While this control is largely organizational in nature, there are capabilities of the Vblock System to partially aid the cloud service provider with meeting the requirements of this control. Upon delivery of a Vblock System to a cloud service provider, VCE provides detailed documentation covering all components of the Vblock System. Additionally, VCE Vision Intelligent Operations gives the cloud service provider the means to maintain an inventory of base information system components. For added security, cloud service providers might choose to document system workloads as part of an organizational system inventory. This can include details regarding hardware and software specifications.

In an effort to facilitate a layered approach to security, it is advisable for the cloud service provider to develop, document, and maintain inventories of information systems separate from automated information system generated inventories as a means to provide accountability, verification, and alignment for configuration changes that occur within the system.


Applicability: FedRAMP Low, Moderate

CM-8(1)

Control Description The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates.

Vblock System Implementation VCE Vision software helps to maintain an updated inventory of base information system components specific to the Vblock System. As such, it is partially able to facilitate the enablement of this control enhancement. VCE Vision software provides unified visibility across multiple VCE converged infrastructure systems or data centers.

Applicability (FedRAMP): Low | Moderate

Contingency Planning (CP)

CP-2 CONTINGENCY PLAN

CP-2(2)

Control Description The organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations.

Vblock System Implementation While contingency planning commonly falls under the procedures defined by the cloud service provider, Vblock System capabilities help maintain ongoing knowledge of the system's capacity usage and requirements. The individual components of the Vblock System can report capacity usage. Additionally, VCE Vision software provides insight into data center system usage, which helps management improve utilization efficiency and plan for expansion as necessary. The same capability can inform contingency planning decisions.

Applicability (FedRAMP): Low | Moderate

CP-10 INFORMATION SYSTEM RECOVERY AND RECONSTITUTION

Control Description The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.

Vblock System Implementation The management capability of Cisco UCS Manager within the Vblock System makes it possible to recover quickly from hardware failures. The UCS blade configuration is stored as a management abstraction and is essentially virtualized, so replacement hardware can inherit the identity of the failed hardware and resume normal operations quickly and efficiently. Many Vblock System components are redundant to maintain high availability, allowing timely recovery of failed components without noticeable operational loss. It is recommended that all component configurations be backed up in case of a catastrophic failure.

The EMC storage array component of the Vblock System provides the ability to snapshot data onto a separate protected set of disks on the storage array, whereby data can be restored to a defined point in time in the event of data loss or corruption.

Applicability (FedRAMP): Low | Moderate

Identification and Authentication (IA)

IA-2 IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)

Control Description The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).

Vblock System Implementation Vblock System components support integrated directory services authentication or secure LDAP authentication with existing authentication stores. As the Vblock System is dependent on the authentication provider, the information system uniquely identifies and authenticates the cloud service provider user that has been established within the authentication provider. The Vblock System can disallow anonymous access to the system.

Additional toolsets might be required to determine the uniqueness of the authentication, as neither the directory service nor the Vblock System inherently includes intelligence capable of ensuring that users are not sharing credentials. Multifactor authentication might lessen the likelihood of this occurring, as users are required to present more than one factor to the authentication process. Limiting the number of concurrent sessions can also reduce the likelihood of shared identifiers.

Applicability (FedRAMP): Low | Moderate

IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION

Control Description The information system uniquely identifies and authenticates [Assignment: organization-defined list of specific and/or types of devices] before establishing a connection.

Vblock System Implementation All Vblock System virtual devices are identified by internal Internet Protocol (IP) addresses. The addresses follow RFC 1918, Address Allocation for Private Internets, so that they form a private network and are not routable on the Internet. Devices are configured to authenticate to each other before establishing connections. VPN gateways using IPsec tunnels and gateway devices using ACLs restrict device communication and connections to authorized devices only.
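An added example of the checks this paragraph describes, written in Python; it is not VCE or Vblock code, and the device registry, ACL entries and addresses are constructed. A connection is permitted only when both devices are known, have authenticated, sit in RFC 1918 space, and match an ACL entry.

```python
"""Device identification and authorization check modelled on the IA-3 text above.

Added example, not VCE or Vblock code. The device registry, ACL entries and
addresses are constructed; on a real system these rules live in the gateway,
VPN and switch configurations.
"""
import ipaddress

# RFC 1918 private address space, which the page's internal device addresses use.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    """True only for IPv4 addresses inside one of the three RFC 1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)

# Constructed registry: device identity -> address and whether it completed
# mutual authentication (for example over an IPsec tunnel or with an enrolled credential).
DEVICES = {
    "mgmt-jump":    {"addr": "10.10.0.5",    "authenticated": True},
    "ucs-fabric-a": {"addr": "10.10.1.11",   "authenticated": True},
    "vnx-sp-a":     {"addr": "10.10.2.21",   "authenticated": True},
    "lab-host":     {"addr": "10.10.3.99",   "authenticated": False},  # never enrolled
    "ext-monitor":  {"addr": "198.51.100.7", "authenticated": True},   # outside RFC 1918
}

# Constructed ACL: (source network, destination network, destination port).
# Anything not listed is denied.
ACL = [
    (ipaddress.ip_network("10.10.0.0/24"), ipaddress.ip_network("10.10.1.0/24"), 443),
    (ipaddress.ip_network("10.10.0.0/24"), ipaddress.ip_network("10.10.2.0/24"), 443),
    (ipaddress.ip_network("10.10.1.0/24"), ipaddress.ip_network("10.10.2.0/24"), 3260),
]

def acl_permits(src, dst, port):
    """Default-deny lookup over the ACL entries."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn and port == p for sn, dn, p in ACL)

def connection_allowed(src_id, dst_id, port, devices=DEVICES):
    """Return (allowed, reason): identity, authentication, address range, then ACL."""
    for did in (src_id, dst_id):
        dev = devices.get(did)
        if dev is None:
            return False, f"unknown device {did}"
        if not dev["authenticated"]:
            return False, f"{did} has not authenticated"
        if not is_rfc1918(dev["addr"]):
            return False, f"{did} address {dev['addr']} is outside RFC 1918 space"
    src, dst = devices[src_id]["addr"], devices[dst_id]["addr"]
    if not acl_permits(src, dst, port):
        return False, f"no ACL entry for {src} -> {dst}:{port}"
    return True, "permitted"

if __name__ == "__main__":
    for attempt in [("mgmt-jump", "ucs-fabric-a", 443), ("ucs-fabric-a", "vnx-sp-a", 3260),
                    ("vnx-sp-a", "ucs-fabric-a", 443), ("lab-host", "vnx-sp-a", 443),
                    ("ext-monitor", "ucs-fabric-a", 443)]:
        print(attempt, "->", connection_allowed(*attempt))
```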


Applicability (FedRAMP): Low | Moderate

IA-6 AUTHENTICATOR FEEDBACK

Control Description The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

Vblock System Implementation Vblock System components do not provide clear text information that would compromise the authenticator. In the event of an invalid login, the system informs the user that the login was unsuccessful but does not provide any information that might compromise the authentication mechanism.

Applicability (FedRAMP): Low | Moderate

IA-8 IDENTIFICATION AND AUTHENTICATION (Non-Organizational Users)

Control Description The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).

Vblock System Implementation As with the control for organizational users, the directory services and the built-in authentication mechanisms of the Vblock System can restrict access to the system components to uniquely identified individuals. For the Vblock System, this control would most likely apply to VCE-specific system support individuals outside the cloud service provider organization.

Applicability (FedRAMP): Low | Moderate

System and Communications Protection (SC)

SC-2 APPLICATION PARTITIONING

Control Description The information system separates user functionality (including user interface services) from information system management functionality.

Vblock System Implementation The separation of user functionality from information system management functionality on the Vblock System is both physical and logical. It is accomplished using separate compute, storage, and network resources running separate virtualization instances for the isolated management operating systems and applications. The management network is additionally on a separate network address range, and access to the administrative interfaces can optionally require separate authentication methods. In addition, the administrative network may be isolated in a separate domain and may incorporate additional access controls. Finally, security can be further enhanced by including a jump host from which the management components are accessed, with access to the jump host itself controlled through a gateway authentication mechanism.

Applicability (FedRAMP): Low | Moderate

SC-4 INFORMATION IN SHARED RESOURCES

Control Description The information system prevents unauthorized and unintended information transfer via shared system resources.

Vblock System Implementation Role-based access controls are available for each Vblock System infrastructure component. Resources and their configurations are strictly controlled by the cloud service provider. For added security, the cloud service provider can choose to enforce role-based access controls and use only unique user identities, as part of general best practices and in accordance with FedRAMP guidance. Following these guidelines can prevent unauthorized and unintended information transfer through shared system resources. Because the Vblock System management components exist on a separate network, that network segmentation also prevents data access across network perimeters except where such access is enabled by design. The additional network segmentation capabilities included with the cloud service provider's core network components should also be implemented. Further segmentation of internal boundaries can be enabled with VMware NSX components as well as EMC VNX.

Applicability (FedRAMP): Low | Moderate

SC-5 DENIAL OF SERVICE PROTECTION

Control Description The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined list of types of denial of service attacks or reference to source for current list].

Cloud Service Provider Implementation The Vblock System's management environment can be deployed in a high-availability configuration and is logically and physically separated from the user environment. This might mitigate the effects of attempted external denial of service attacks on the management components of the system. The Vblock System is fully compatible with external boundary protection devices such as DDoS guards and firewalls. The Vblock System's management of the virtualization infrastructure allows workload virtual machines to be deployed onto physically separate blades in a high-availability or fault-tolerant configuration. The cloud service provider can adjust virtual workloads by allocating memory, vCPU, and disk capacity to mitigate or respond to attacks. Network segmentation that establishes isolation boundaries between Vblock System management, cloud service provider systems, and tenant virtual machines can minimize the impact of denial of service attacks.

Applicability (FedRAMP): Low | Moderate

SC-6 RESOURCE PRIORITY

Control Description The information system protects the availability of resources by allocating [Assignment: organization-defined resources] by [Selection (one or more); priority; quota; [Assignment: organization-defined security safeguards]].

Vblock System Implementation Vblock Systems support priority protection to help prevent a lower-priority workload or process from delaying or interfering with the information system's servicing of higher-priority workloads or processes. Priority protection is supported at the hypervisor, storage, and network layers, isolating each virtual machine in its own domain of execution. This can protect against interference and tampering by other virtual machines. System administrators for each component can adjust resource prioritization as necessary to support mission operations. The system can be configured to monitor, log, and feed alerts into the cloud service provider's system and network operations monitoring tools. VMware provides capabilities beyond quality-of-service controls, such as VMware Distributed Resource Scheduler, which monitors resource usage and allocates workloads intelligently using affinity rules.

Applicability (FedRAMP): Low | Moderate

SC-39 PROCESS ISOLATION

Control Description The information system maintains a separate execution domain for each executing process.

Vblock System Implementation Intel Virtualization Technology (Intel VT) is built into the physical processor, enabling a virtual machine monitor (VMM), system-level virtualization software, to isolate and control the virtual machine's access to the physical CPU at the hardware level. Privileged virtual machine instructions are trapped and emulated by the VMM on the physical processor, and the result is returned to the virtual machine. The VMM isolates and controls access to the physical processors by emulating the virtual machine's instructions and determining the available cores on which the process threads can operate in a separate execution domain [2]. Only the VMM runs at Ring 0, the privileged level; the guest OS operates only at the virtualized level.

Applicability (FedRAMP): Low | Moderate

System and Information Integrity (SI)

SI-7 SOFTWARE AND INFORMATION INTEGRITY

Control Description The organization employs integrity verification tools to detect unauthorized changes to [Assignment: organization-defined software, firmware, and information].

Vblock System Implementation Vblock Systems include VCE Vision software as a virtual machine that can access system components to verify firmware versions and recommend updates. For added security, regularly verify software and firmware versions and make updates as required.

[2] Mike Foley, 2014 http://www.vmware.com/files/pdf/techpaper/vmw-wp-secrty-vsphr-hyprvsr-uslet-101.pdf

Applicability (FedRAMP): Low | Moderate

SI-7(1)

Control Description The information system performs an integrity check of [Assignment: organization-defined software, firmware, and information] [FedRAMP Selection (one or more): at startup; at [FedRAMP Assignment: to include security-relevant events]; [FedRAMP Assignment: at least monthly]].

Vblock System Implementation The Intel® Trusted Execution Technology (Intel® TXT) / Intel® Trusted Platform Module (Intel® TPM) capabilities of the server hardware enable measurement of the physical hypervisor's known-good configuration to determine that the integrity of the system has not been compromised and that there have been no unauthorized changes. This forms the basis for the trusted platform. It does so by establishing a Measured Launch Environment (MLE). The MLE is based on a cryptographic hash algorithm that produces a measurement of the trusted platform configuration, such that any change, even as small as a byte, is detectable by the environment. The MLE is also stored in a secure location to prevent tampering. This technology works alongside boot attestation security software, such as HyTrust CloudControl or other Intel partner solutions, to carry out the verification process. When a host is measured during boot to be outside the designated specification, it can no longer participate in the host cluster, and workloads cannot be joined to that hypervisor.
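An added example simulating the measured-launch decision described here (not VCE, Intel or HyTrust code): a software model of TPM PCR extension over constructed boot components, showing that a single flipped bit or a reordered component changes the measurement and keeps the host out of the cluster.

```python
"""Measured-launch style integrity check, following the SI-7(1) description.

Added example, not VCE, Intel or HyTrust code. A TPM's PCR-extend operation is
simulated in software over constructed boot components; a host is admitted to
the cluster only when its final measurement equals the known-good value.
"""
import hashlib

PCR_RESET = bytes(32)  # a PCR starts at all zeros on platform reset

def extend(pcr, component):
    """TPM-style extend: new = SHA-256(old || SHA-256(component)).

    Extending is one-way and order-dependent, so the final value commits to
    every component and to the sequence in which they were loaded.
    """
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measure_boot(components):
    """Fold an ordered list of (name, bytes) boot components into one hex measurement."""
    pcr = PCR_RESET
    for _name, blob in components:
        pcr = extend(pcr, blob)
    return pcr.hex()

# Constructed known-good boot chain for a hypervisor host.
GOLDEN_COMPONENTS = [
    ("bootloader", b"hypervisor-bootloader-build-1"),
    ("kernel",     b"hypervisor-kernel-build-2015.10"),
    ("config",     b"nx=1;aslr=1;mgmt-net=isolated"),
]
GOLDEN_MEASUREMENT = measure_boot(GOLDEN_COMPONENTS)

def admit_to_cluster(host, components, known_good=GOLDEN_MEASUREMENT):
    """Attestation decision: a host measured outside specification is not admitted."""
    measured = measure_boot(components)
    return {"host": host, "trusted": measured == known_good, "measured": measured}

def flip_one_bit(components, index, byte_offset):
    """Demonstration helper: return a copy with one bit changed in one component."""
    name, blob = components[index]
    changed = bytearray(blob)
    changed[byte_offset] ^= 0x01
    patched = list(components)
    patched[index] = (name, bytes(changed))
    return patched

if __name__ == "__main__":
    print(admit_to_cluster("host-01", GOLDEN_COMPONENTS))
    print(admit_to_cluster("host-02", flip_one_bit(GOLDEN_COMPONENTS, 2, 0)))
    print(admit_to_cluster("host-03", list(reversed(GOLDEN_COMPONENTS))))
```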

Applicability (FedRAMP): Low | Moderate

SI-7(7)

Control Description The organization incorporates the detection of unauthorized security-relevant changes to the information system into organizational incident response capability. (JAB, 2014)

Vblock System Implementation Specific events relative to changes to hardware or software that make up the Vblock System can be trapped and sent to the cloud service provider’s incident response system for the generation of an incident ticket for manual or automated response.

Applicability (FedRAMP): Low | Moderate

SI-11 ERROR HANDLING

Control Description The information system:

a. Generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries; and

b. Reveals error messages only to [Assignment: organization-defined personnel or roles]

Vblock System Implementation Vblock System components include services that communicate error messages and can be configured to "call home" in case of an error. For added security, the cloud service provider can choose to configure the system to report error messages for review by key stakeholders on a schedule or according to the severity (or other classification) of the error. The content of error messages at any level of criticality can be customized to limit the information they disclose.

Cisco components include a “Call Home Service,” and EMC components use ESRS.

Applicability (FedRAMP): Low | Moderate

SI-16 MEMORY PROTECTION

Control Description The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution.

Vblock System Implementation Similar to the way the VMM handles process isolation by emulating processes on behalf of the virtual machine, the VMM also manages virtual machine memory through a software abstraction that gives the virtual machine the illusion of addressing physical memory. The VMM maintains a physical-memory map (pmap) data structure for each virtual machine to translate "physical" page numbers (PPNs) to machine page numbers (MPNs). vSphere uses address space layout randomization (ASLR) to randomize where core kernel modules are loaded into memory. The NX/XD (Never eXecute/eXecute Disable) CPU features enable the VMkernel to mark writeable areas of memory as non-executable. Both methods protect the system from buffer overflow attacks in running code. [3]

[3] Mike Foley, 2014 http://www.vmware.com/files/pdf/techpaper/vmw-wp-secrty-vsphr-hyprvsr-uslet-101.pdf

References

Foley, M. (2014, January). VMware White Paper Security vSphere Hypervisor. Retrieved from VMware White Paper: http://www.vmware.com/files/pdf/techpaper/vmw-wp-secrty-vsphr-hyprvsr-uslet-101.pdf

JAB, F. (2014, June). FedRAMP Rev 4 Baseline Workbook Final 062014. Retrieved from www.fedramp.gov: https://www.fedramp.gov/files/2015/03/FedRAMP-Rev-4-Baseline-Workbook-FINAL062014.xlsx

PMO, F. (2014, June 6). Guide to Understanding FedRAMP. Retrieved from https://www.fedramp.gov: https://www.fedramp.gov/files/2015/03/Guide-to-Understanding-FedRAMP-v2.0-4.docx

The information provided by Coalfire Systems and contained in this document is for educational and informational purposes only. Coalfire Systems makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein.


About Coalfire®

Coalfire Systems is a leading, independent information technology Governance, Risk and Compliance (IT GRC) firm that provides IT audit, risk assessment and compliance management solutions. Founded in 2001, Coalfire® has offices in Dallas, Denver, Los Angeles, New York, San Francisco, Seattle and Washington, D.C., and completes thousands of projects annually in retail, financial services, healthcare, government and utilities. Coalfire® has developed a new generation of cloud-based IT GRC tools under the Navis™ brand that clients use to efficiently manage IT controls and keep pace with rapidly changing regulations and best practices. Coalfire’s solutions are adapted to requirements under emerging data privacy legislation, the PCI DSS, GLBA, FFIEC, HIPAA/HITECH, NERC CIP, Sarbanes-Oxley, FISMA and FedRAMP. For more information, visit www.coalfire.com.

About VCE

VCE, an EMC Federation Company, is the world market leader in converged infrastructure and converged solutions. VCE accelerates the adoption of converged infrastructure and cloud-based computing models that reduce IT costs while improving time to market. VCE delivers the industry's only fully integrated and virtualized cloud infrastructure systems, allowing customers to focus on business innovation instead of integrating, validating, and managing IT infrastructure.

For more information, go to www.vce.com.
