4 frameworks you need to protect your digital business against the latest cybersecurity threats
Organizations spend millions of dollars to protect themselves against relentless and debilitating cyber attacks. The fear of digital disruption is omnipresent and leads to a frantic search for “quick fixes”, including hiring CISOs, purchasing numerous cybersecurity tools and bringing in an army of consultants. But now what? Is the current security posture sufficient? Are there reliable benchmarks?
CIOs and CISOs, especially in regulated industries with high-value data, should consider leveraging the pioneering work being done by the U.S. Federal Government and the U.S. Department of Defense to protect a global enterprise with an $80 billion annual IT budget and large volumes of ultra-sensitive data. The US government, with its vast resources and cyber intelligence, has developed several security frameworks to protect government and defense agencies. These frameworks include the Secure Cloud Computing Architecture (SCCA), the Cyber Threat Framework (CTF), the Federal Risk and Authorization Management Program (FedRAMP), and Continuous Diagnostics and Mitigation (CDM). Each of these frameworks is described in more detail below and should be included in the toolbox of every CIO and CISO responsible for protecting sensitive data.
1. Secure Cloud Computing Architecture (SCCA)
The rapid adoption of commercial cloud services such as Amazon Web Services (AWS), Microsoft Azure, Salesforce.com and Microsoft Office 365 by government agencies prompted the Defense Information Systems Agency (DISA) to create the Secure Cloud Computing Architecture (SCCA) framework. SCCA is designed to cover the security issues inherent in Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS) cloud services. SCCA consists of four key enterprise-level cloud security and management services. The framework uses a standard approach to boundary and application-level security for sensitive (but unclassified) data hosted in commercial cloud environments. Each of these four services is described in more detail below.
- Cloud Access Point (CAP). CAP provides connectivity to the cloud and protects the enterprise network by concentrating protections at the network boundary. CAP performs two main functions: a) providing dedicated connectivity to approved commercial cloud providers, and b) protecting the corporate network against any attack originating from the cloud environment. There are two categories of solutions: single-cloud access, for example using AWS Direct Connect to reach AWS, or multi-cloud access hubs such as AT&T NetBond or Equinix Cloud Exchange, among others. It is essential to ensure that the chosen CAP provides integrated security and network access services that meet the compliance certifications that apply to you, such as FedRAMP, SOC 2 or HIPAA.
- Virtual Data Center Managed Services (VDMS). VDMS provides application host security and privileged user access for commercial cloud environments. Management, security and privileged user access are all handled in VDMS. This includes the host-based security system and assured compliance assessment services, including the ability to distribute security policies, push upgrades, and manage security roles and policies. Trend Micro Deep Security is one example of a commercial solution offering host-based protection services, among many others.
- Virtual Data Center Security Stack (VDSS). VDSS provides virtual network enclave security to protect applications and data in commercial cloud offerings. It includes two main services: a Web Application Firewall (WAF) and a next-generation firewall (NGFW) to detect and prevent threats facing web applications and workloads. Several solutions are readily available, including cloud-native services such as AWS Web Application Firewall (WAF) and third-party vendors such as Palo Alto Networks, among others.
- Trusted Cloud Credential Manager (TCCM). TCCM is the cloud credential manager that enforces role-based access control (RBAC) and least-privilege access. It includes the processes and procedures to control and monitor privileged user access to cloud environments. Specific capabilities include privileged password management and control, SSH key management and security, session management to control and monitor privileged user access to cloud services, and bastion host services for access to all management and security services.
With the rapid proliferation of commercial cloud services like AWS, Salesforce, ServiceNow, and Microsoft O365, among others, organizations need to adapt SCCA to develop a secure cloud architecture.
2. Cyber Threat Framework (CTF)
Multiple reports and investigations show that a lack of threat intelligence and of understanding of adversary profiles, vectors and tactics remain critical weaknesses in most organizations. The Executive Office of the President recently released the “Federal Cyber Security Risk Identification Report and Action Plan to the President of the United States”, containing conclusions and recommendations based on an analysis of the cybersecurity posture of 96 civilian agencies. The report highlights critical gaps in the ability to identify, detect, respond to and, if necessary, recover from cyber incidents. The report found that in 38% of reported cybersecurity incidents, the organization could not identify the attack vector or method of attack. This is a critical information gap that hinders the ability to formulate a robust and effective cybersecurity response. The report recommends that organizations complement their existing cybersecurity and compliance efforts by increasing awareness of cybersecurity threats through implementation of the Cyber Threat Framework (CTF). CTF was developed by the defense and intelligence community to help CISOs prepare for, prevent and predict a cybersecurity attack by understanding threat vectors, adversary actions and threat profiles.
The CTF provides cyber threat indicators, actions, targets and milestones, with detailed phases throughout the attack lifecycle. CTF begins with the actions of threat actors, starting with “pre-event” activities including preparation, reconnaissance and weaponization, followed by subsequent exploitation and installation activities. The CTF is deployed throughout the U.S. Federal Enterprise as part of a collaborative exercise with the NSA, DOD and the Department of Homeland Security (DHS) as partners. By reviewing and implementing a customized version of CTF, CISOs can move forward in developing a responsive, threat-based cybersecurity posture. A threat-based cybersecurity response increases the efficiency of cybersecurity spending with a better return on investment.
3. Federal Risk and Authorization Management Program (FedRAMP)
FedRAMP is a government-wide program that provides a standardized approach to the security assessment, authorization and ongoing monitoring of cloud products and services. Any government agency that uses a commercial cloud service should ensure that it has FedRAMP accreditation. The FedRAMP program is based on the NIST SP 800-53 security framework to ensure the confidentiality, integrity and availability of digital assets. CIOs and CISOs should seriously consider the FedRAMP program from two angles: 1) as a consumer, and 2) as a holistic compliance and security framework. Cloud service providers interested in tapping into the US$80 billion federal and DOD IT marketplace should invest in demonstrating compliance with the stringent security requirements specified in the NIST SP 800-53 guidelines. To understand the value of FedRAMP accreditation, a simple example is the assurance it gives about the patching schedule. If a cloud provider is FedRAMP accredited, it is required to patch its systems at least monthly and to demonstrate the completion of these activities through monitoring reports. Without FedRAMP accreditation, you don’t really know what patching and management practices the cloud provider uses. CISOs and CIOs should therefore verify whether their cloud provider is FedRAMP accredited.
The FedRAMP framework is based on NIST SP 800-53, which is a great resource for organizations looking to implement a holistic security solution. NIST SP 800-53 is organized around 18 security categories called security control families, including access control, planning, program management, and incident response, to name a few. Granted, there are several security frameworks to choose from, but the NIST SP 800-53 is one of the most mature and holistic frameworks used in the US Federal and Department of Defense IT enterprise and provides a detailed plan with specific advice. The framework can be tailored to meet specific security and compliance requirements, as well as deployed iteratively.
4. Continuous Diagnostics and Mitigation (CDM)
Given the dynamic nature of IT environments driven by cloud computing, new technology developments and rapidly changing cyber threats, the CDM program is designed to strengthen the cybersecurity of government networks and systems. CDM provides the capabilities and tools to identify cybersecurity risks on an ongoing basis, prioritize those risks based on potential impact, and enable cybersecurity personnel to mitigate the most important issues first. Congress established the CDM program to provide adequate, risk-based, cost-effective cybersecurity and to allocate cybersecurity resources more efficiently. Implementing a strong continuous monitoring and management program begins with a phased approach that ensures the organization has the following capabilities:
- What is on the network: identifies the existence of hardware, software, configuration characteristics and known security vulnerabilities.
- Who is on the network: identifies and determines users or systems with access permission, authenticated permissions and granted resource rights.
- How is the network protected: determines user and system actions and behavior at network boundaries and within the IT infrastructure.
- What is happening on the network: prepares for events and incidents, collects data from appropriate sources, and identifies incidents through data analysis.
By understanding the CDM framework, the associated phases, and the tools approved to be used to meet the capabilities defined above, CISOs can save valuable time and start investing in capabilities based on proven and effective tools and techniques.
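As an added illustration (not from the article or from the CDM program itself) of the first CDM capability and its prioritization rule, the following Python script walks a constructed asset inventory, scores each known vulnerability by potential impact, and ranks the results so the most important issues surface first. The hosts, vulnerability identifiers, CVSS values, criticality ratings and the weighting scheme are all constructed for illustration.

```python
"""Added example: a minimal continuous-diagnostics pass over a constructed
asset inventory, following the CDM idea of identifying what is on the
network and mitigating the highest-impact risks first."""
from dataclasses import dataclass, field


@dataclass
class Asset:
    host: str
    software: dict                       # package -> installed version
    config_findings: list                # weak configuration characteristics
    vulns: list = field(default_factory=list)   # (vuln_id, cvss, internet_facing)


# Constructed inventory snapshot (sample data, not real hosts or CVEs).
INVENTORY = [
    Asset("web-01", {"nginx": "1.14"}, ["tls1.0 enabled"],
          [("VULN-A", 9.8, True), ("VULN-B", 5.3, True)]),
    Asset("db-01", {"postgres": "9.6"}, [],
          [("VULN-C", 7.5, False)]),
    Asset("jump-01", {"openssh": "7.4"}, ["password auth enabled"],
          [("VULN-D", 6.5, True)]),
]

# Business criticality per host (1-5), as a data owner might assign it; constructed.
CRITICALITY = {"web-01": 3, "db-01": 5, "jump-01": 4}


def risk_score(cvss, internet_facing, criticality):
    """Impact-weighted score: CVSS base, doubled for Internet exposure,
    scaled by the asset's business criticality (assumed weighting)."""
    exposure = 2.0 if internet_facing else 1.0
    return round(cvss * exposure * criticality, 1)


def prioritize(inventory, criticality):
    """Return (host, vuln_id, score) tuples, highest risk first."""
    ranked = []
    for asset in inventory:
        for vid, cvss, exposed in asset.vulns:
            ranked.append((asset.host, vid,
                           risk_score(cvss, exposed, criticality[asset.host])))
    ranked.sort(key=lambda r: r[2], reverse=True)
    return ranked


def weak_configs(inventory):
    """'What is on the network': hosts with configuration findings to fix."""
    return {a.host: a.config_findings for a in inventory if a.config_findings}


if __name__ == "__main__":
    for host, vid, score in prioritize(INVENTORY, CRITICALITY):
        print(f"{score:6.1f}  {host:8s} {vid}")
    print(weak_configs(INVENTORY))
```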
Copyright © 2018 IDG Communications, Inc.