Determining If Cloud Services Are Secure Enough: What Would FedRAMP Do? John Pescatore, SANS

Post on 28-May-2020


Page 1

Determining If Cloud Services

Are Secure Enough:

What Would FedRAMP Do?

John Pescatore, SANS

Page 2

Hierarchy of Security Needs

• CYA

• Audit/certification

• Someone else is using it

• Visibility

• Address lack of control and abundance of promises/claims

• Early warning if something is going wrong

• Extension of existing security controls

• Testing of new approaches

• Go back to CYA

Page 3

Overcoming Challenges

Page 4

Page 5

Realistic View of Cloud Risks

• Many, not all, cloud services are run more securely than many enterprise data centers

• The loss of transparency and visibility is an immediate impact of all cloud use

• Separation of duties, change control and data leakage are the major risk areas

• Security controls and policies (and skills!) need to be extended to include cloud services.

• The biggest risk is the need to change business/mission processes to match.


Page 6

Best Practices in Security Sensitive Sectors

✓ Security architecture for VMware/virtualized data centers (skills!)

✓ 3rd party trust processes updated (or created…) to deal with SaaS

✓ Email SaaS and CRM SaaS usually the “camel’s nose under the tent”

✓ Achieve visibility and control parity with DIY/data center services

✓ When Dev/Test tries IaaS, security architecture adapted to cover hybrid cloud

✓ Address new threat vectors/exploit new control capabilities

✓ Where are you on BYOD CYOIT and IoT?

Page 7

Realistic Approach

• Have a framework to assess security levels of SaaS and IaaS

○ Cloud Security Alliance

○ NIST Framework

○ CIS Critical Security Controls

• Make sure security is involved in cloud services selection process

• Where possible, drive selection from FedRAMP approved list

• Make sure your security processes can scale to more than one CSP

Page 8

NIST Reference Architecture

Page 9

CSA Reference Architecture

Page 10

Start With the Most Secure Cloud Service Providers

• There is a big difference between “commodity” and “enterprise class” CSPs

• Make sure security team is part of CSP selection/evaluation

○ FedRAMP list is a good starting point

○ Security team skills may need to be “plussed up”

• Think “Basic Security Hygiene for Cloud Use” – Critical Security Controls

Page 11

FedRAMP Assessment Process

• The FedRAMP Agency ATO authorization process should follow the FedRAMP Security Assessment Framework (SAF)

• The FedRAMP SAF is based on the NIST Risk Management Framework (RMF)

• The FedRAMP SAF is available on FedRAMP.gov by navigating to the Resources -> Program Documents webpage

Page 12

FedRAMP Continuous Monitoring Requirements

Page 13

FedRAMP Continuous Monitoring Mapping

Frequency              | 800-53 Control          | Critical Security Control
Continuous and Ongoing | Auditable Events        | (14) Maint, Mon, Analysis of Logs
Continuous and Ongoing | Component Inventory     | (1) Inventory of Devices
Continuous and Ongoing | Incident Reporting      | (18) Incident Resp and Mgmt
Continuous and Ongoing | Vulnerability Scanning  | (4) Continuous VA and Remediation
Weekly                 | Audit Review, Report    | (14) Maint, Mon, Analysis of Logs
Monthly                | Vulnerability Scanning  | (4) Continuous VA and Remediation
Monthly                | Sec State Monitoring    | (14) Maint, Mon, Analysis of Logs
Monthly                | Flaw Remediation        | (3) Secure Configurations
Monthly                | Software/Info Integrity | (2) Software Inventory

Page 14

Focus on These Key Security Processes

• Strong authentication/access monitoring on admin accounts

• Extending configuration monitoring/vulnerability assessment to CSPs

• Incident response processes across multiple CSPs

• Data Security

• Do you need a Cloud Access Security Broker?

Page 15

Encryption is not penicillin but…

• Encryption at rest is hard to do well

• Fear of self-inflicted wounds

• Hard to prove whether done well or not

• Encryption done perfectly does not solve all risks

• See phishing, Heartbleed, etc.

• Small percentage worried about physical security at Amazon and Google

• Until user ID problem is solved, access control will not be solved completely by encryption

Page 16

[Diagram with three labelled areas: Nontraditional Application Ecosystems; Good Old Data Center; Security as a Service]

Page 17

Security from the Cloud – Major Areas Already In Use

• DDoS mitigation

○ 45% delivered by ISPs

○ 45% by cloud-based DDoS mitigation “MITM”

• Email security as a Service

○ Already more than 45% anti-spam/email AV delivered from cloud

• Vulnerability Assessment

○ 30% VA scans delivered from the cloud

○ 20% application vulnerability testing delivered from cloud

• Web Security Gateway

○ 25% delivered from the cloud today.

Page 18

Security as a Service: Cloud Access Security Broker

Source: Gartner 2016

Page 19

Bottom Line

✓ There are no immovable objects for business use of cloud services

✓ Security built into virtualization and cloud is a key piece of solution, not entirety

✓ There is no such thing as using only one cloud service

✓ Mobile and IoT are cloud first

✓ How far are you from encrypting stored data?

Page 20

Resources

• SANS 2017 Incident Response Survey: https://www.sans.org/reading-room/whitepapers/incident/show-on-2017-incident-response-survey-37815

• What Works: https://www.sans.org/critical-security-controls

• SANS SOC Summit – https://www.sans.org/event/security-operations-center-summit-2018

• @John_Pescatore