#acquia BUILDING AND SECURING GOVERNMENT DRUPAL SITES IN THE CLOUD

Page 2

Presenters

Michael Lemire, Director of Information [email protected]

Chris Brown, Technical Account [email protected]

Jim Salem, Vice President of Cloud [email protected]

Page 3

Agenda

• Review Current US Government Compliance landscape

• Learn how to achieve Federal Compliance in the Cloud

• International and Developing Compliance Standards

• Case Study - Defense Security Cooperative Agency (DSCA)

• How Acquia achieved a compliance-ready hosting platform

Page 4

The Opportunity

• Governments are expanding use of Drupal
  • Drupal is open source
  • Cost effective vs proprietary licensed software
  • Proven secure

• Drupal facilitates shared development between agencies

• Federal Government has prioritized a Cloud First Strategy
  • Federal Cloud Computing Strategy by Vivek Kundra, former US Federal CIO
  • Recognition of fundamental shift to cloud
  • Targets $20B of $80B annual federal IT spending for cloud

• Significant cost savings to governments
  • More agile and more easily scalable

• Similar initiatives in the UK, Australia, all over

• We are at the tip of the iceberg!

Page 5

Current US Government Compliance Landscape

FISMA, DIACAP and FedRAMP are standardized approaches to security assessment, authorization, and continuous monitoring for information systems utilized by the Federal government.

FISMA – Federal Information Security Management Act of 2002. Applicable to non-DoD agencies.

DIACAP – Department of Defense Information Assurance Certification and Accreditation Process. Applicable to DoD related agencies.

With both FISMA and DIACAP, each information system must be documented, reviewed by an independent third-party assessor, and authorized by authorizing officials.

Time consuming, expensive.

Page 6

Coming Soon - FedRAMP

FedRAMP - Federal Risk and Authorization Management Program

• Establishes an “authorize once, use many times” framework for cloud computing products and services. FedRAMP is meant to supersede FISMA and DIACAP for cloud products.

• FedRAMP was established on Dec 8, 2011 via a memorandum produced by the Federal Chief Information Officer and is due to achieve Initial Operating Capacity in 2012.

• Based on the same NIST publications as FISMA, with added controls pertinent to the cloud

• FedRAMP Concept of Operations – defines how the FedRAMP process will work: http://www.gsa.gov/graphics/staffoffices/FedRAMP_CONOPS.pdf

Page 7

Important NIST Publications and Standards

FIPS 199 – Security categorization of the information system according to its Confidentiality, Integrity and Availability requirements

• What type of data?

• Importance to national security?

Determine the “high water mark” (low, medium, high)

NIST 800-53 rev 3 – Security Controls documented in the SSP

All domains of security are covered and must be documented: Risk Assessment, Personnel, System Acquisition, Physical and Environmental, Contingency Planning, Configuration Management, Incident Response, Security Awareness Training, Authentication, Logging and Audit, Network Security and Encryption

Rev 4 now in draft – adds additional mobile and cloud controls

NIST 800-30 – Risk Assessments

Defines the process for assessing risk and how to apply it at the organizational, mission and information system levels.

Page 8

FISMA, DIACAP and FedRAMP Process

Federal Compliance - High Level Process

Categorize the System – FIPS 199: Confidentiality, Integrity, Availability

Select the controls – NIST 800-53

Implement the controls and document them
- System Security Plan
- Privacy Impact Assessment

Assess – Contract with Third Party Assessor
- 3PAO reviews SSP and creates STE & POA&M

Authorize – This package of documents is submitted to the Authorizing Official, who reviews, comments, and asks for revisions.
- Grants IATC and/or ATO

Monitor – Continuous update to SSP, continuous mitigation of items identified in STE and POA&M

Page 9

Accomplishing Federal Compliance in the Cloud

Cloud Service Providers may be responsible for the entire set of controls, or the controls may be shared in a Shared Responsibility Model.

Examples:
• SaaS may be built on PaaS. Ex: DrupalGardens
• PaaS may be built on IaaS. Ex: Acquia Managed Cloud

Three primary layers in the shared responsibility model:
• Application Layer (Drupal)
• OS Stack Layer (Linux, Windows, Database, etc.)
• Infrastructure Layer (Datacenter, network)

*Each entity must document the controls for which it is responsible.*

Page 10

Example: Acquia Managed Cloud

Acquia Managed Cloud is a PaaS built on Amazon’s AWS IaaS

Page 11

Example: Acquia Managed Cloud

Example SSP control description:
Control: (from 800-53)
Control Type: Agency/Common/Hybrid
Control Status: Implemented/Planned/Not Applicable

Application Layer:
Responsibility: Customer (Agency)
Implementation Detail: Describe how the control is the responsibility of the agency.

LAMP Stack Layer:
Responsibility: Acquia
Implementation Detail: Describe how the control is implemented

Infrastructure:
Responsibility: Amazon
Implementation Detail: Refer to hosting provider’s SSP

Acquia documents its control responsibilities in its SSP. Amazon documents its control responsibilities in its SSP.

Page 12

International Compliance Landscape

ISO/IEC 27002 –

- Published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC)

Similar to NIST 800-53 controls; more flexible in that organizations may define the controls which are applicable to their environment.

Risk Assessment, Security Policies, Asset Management, HR / Personnel, Communications and Networks, Access Control, System Acquisition and Development, Continuity Planning

Two levels of ISO compliance:
- Self evaluation based on the standards
- Certification by a third party auditor

Page 13

Developing Cloud Compliance Standards

Cloud Security Alliance (CSA) – organization which promotes best practices for security within Cloud Computing. The CSA is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders in the cloud computing field.

Two important CSA initiatives:

CSA Security Guidance – Recommendations and guidance for cloud service providers to secure their clouds according to best practices (SaaS, PaaS and IaaS service providers)

CSA Consensus Initiative Questionnaire – designed to help CSPs gauge their controls against best practices as defined by the CSA

https://cloudsecurityalliance.org/

Page 14

Mapping Compliance Standards to Each Other

Cloud Service Providers have a number of compliance objectives, each requiring painstakingly long review of standards and gauging adherence to the specified controls. CSA’s Control Compliance Matrix helps ease the process of compliance with sometimes redundant compliance standards.

Example: achieving compliance with NIST 800-53 largely achieves ISO 27002 compliance, the BITS Shared Assessment standard, COBIT, PCI and HIPAA.

See Cloud Security Alliance Control Matrix: https://cloudsecurityalliance.org/

Page 15

DSCA GlobalNET Experience

• Social Collaboration Platform for Sharing information within and across "enterprises" worldwide

• Currently has over 10 organizations deployed on the platform

• Package delivered August 2011

Page 16

Components in the Accreditation Boundary

• IaaS – Amazon EC2

• PaaS – Acquia Managed Cloud (LAMP)

• SaaS – GlobalNET: Drupal Commons (D6), OpenLDAP, Piwik, Comet Chat/APE

Page 17

Drupal Based Control Solutions

Page 18

External Application Control Implementation

• Data between all third party applications is encrypted over SSL

• Password encryption
  • Use the LDAP Module to provision accounts in LDAP
  • Passwords in LDAP are stored SHA-1 hashed (FIPS 140-2 compliant)

• Governance
  • Users with elevated accounts should also have a non-elevated account on the system
  • User approval and role assignment policies
  • User 1 should not be used
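A way to verify the LDAP password-storage control above from a directory export (an added example for this page, not code from Acquia or the Drupal LDAP module): it reads a slapcat-style LDIF export, assumed to be in standard LDIF layout, and reports every account whose userPassword is not stored under the {SSHA} or {SHA} scheme. The accounts, DNs and digest bytes are constructed.

```python
import base64
from typing import Dict, List

# Constructed slapcat-style export with made-up accounts; the SSHA digest bytes
# are dummies and alice's value uses the base64 '::' form that slapcat emits.
SSHA_VALUE = "{SSHA}MDEyMzQ1Njc4OWFiY2RlZjAxMjM0NTY3"  # 20-byte digest + 4-byte salt
SAMPLE_LDIF = (
    "dn: uid=alice,ou=people,dc=example,dc=gov\n"
    "userPassword:: " + base64.b64encode(SSHA_VALUE.encode()).decode() + "\n\n"
    "dn: uid=bob,ou=people,dc=example,dc=gov\n"
    "userPassword: {SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=\n\n"
    "dn: uid=carol,ou=people,dc=example,dc=gov\n"
    "userPassword: {CRYPT}aaEXAMPLEonly\n\n"
    "dn: uid=dave,ou=people,dc=example,dc=gov\n"
    "userPassword: hunter2\n"
)

def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: unfold continuation lines, split entries on blank lines."""
    entries = []
    for block in text.replace("\n ", "").split("\n\n"):
        entry: Dict[str, List[str]] = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # 'attr:: base64value'
                value = base64.b64decode(value[1:].strip()).decode()
            entry.setdefault(attr, []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

ACCEPTED = {"SSHA", "SHA"}  # the SHA-1 storage schemes the slide's control relies on

def classify(value: str) -> str:
    if not value.startswith("{"):
        return "cleartext"
    scheme, _, payload = value[1:].partition("}")
    scheme = scheme.upper()
    if scheme not in ACCEPTED:
        return "unexpected-scheme:" + scheme
    raw = base64.b64decode(payload)
    if len(raw) < 20 or (scheme == "SSHA" and len(raw) == 20):
        return "malformed"  # {SHA} is a bare 20-byte digest; {SSHA} adds a salt
    return "ok"

def audit(text: str) -> Dict[str, str]:
    # Map each DN to a finding; entries without userPassword are reported too.
    return {e["dn"][0]: classify(e["userPassword"][0]) if "userPassword" in e
            else "missing" for e in parse_ldif(text)}
```

Running `audit(SAMPLE_LDIF)` reports alice and bob as ok, carol as an unexpected {CRYPT} scheme and dave as cleartext.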

Page 19

Challenges: Cloud and Drupal Accreditation

• Common Criteria/NIAP for Drupal
  • Expensive process that needs a sponsor
  • What modules would be put through the process? How would adding different modules affect the certification?

• Governance around the user 1 account to ensure it is not used as a group account

• Multi-tenancy of the Cloud
  • Hardware
  • Software
  • Shared Disks

• Shared Responsibility Model
  • How are the swim lanes of responsibility drawn between the parties involved?
  • SLA agreements between each of the parties
  • Security responsibility
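One way to monitor the point about user 1 not becoming a group account (an added example, not code from the deck or from Acquia): it parses Drupal watchdog lines in the syslog module's default base_url|timestamp|type|ip|request_uri|referer|uid|link|message layout and flags uid 1 logins from different source addresses within a short window. The log lines, hostname and addresses are constructed.

```python
from typing import List, NamedTuple, Optional

# Constructed sample lines in the default Drupal syslog-module layout:
# base_url|timestamp|type|ip|request_uri|referer|uid|link|message
SAMPLE_LOG = """\
http://example.gov|1326000000|user|10.0.0.5|/user/login||1||Session opened for admin.
http://example.gov|1326000600|user|10.0.0.9|/user/login||1||Session opened for admin.
http://example.gov|1326000700|user|10.0.0.5|/user/login||42||Session opened for jdoe.
http://example.gov|1326001000|php|10.0.0.9|/node/1||1||Notice: value a|b in view
http://example.gov|1326090000|user|10.0.0.5|/user/login||1||Session opened for admin.
"""

class LogEntry(NamedTuple):
    timestamp: int
    type: str
    ip: str
    uid: int
    message: str

def parse_line(line: str) -> Optional[LogEntry]:
    # Split into at most 9 fields so a '|' inside the message stays intact.
    parts = line.strip().split("|", 8)
    if len(parts) != 9:
        return None
    _base, ts, typ, ip, _uri, _ref, uid, _link, msg = parts
    try:
        return LogEntry(int(ts), typ, ip, int(uid), msg)
    except ValueError:
        return None

def audit_uid1(log_text: str, window_seconds: int = 3600) -> dict:
    """Summarise uid 1 activity and flag logins from different IPs close in
    time, which is what a shared 'group account' looks like in the log."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    logins = sorted((e for e in entries if e.uid == 1 and e.type == "user"
                     and e.message.startswith("Session opened")),
                    key=lambda e: e.timestamp)
    shared = []
    for i, a in enumerate(logins):
        for b in logins[i + 1:]:
            if b.timestamp - a.timestamp > window_seconds:
                break
            if b.ip != a.ip:
                shared.append((a.timestamp, a.ip, b.timestamp, b.ip))
    return {
        "uid1_logins": len(logins),
        "uid1_source_ips": sorted({e.ip for e in logins}),
        "uid1_activity_lines": sum(1 for e in entries if e.uid == 1),
        "shared_use_events": shared,
    }
```

On the sample, two uid 1 logins ten minutes apart from different addresses produce one shared-use event; the login a day later does not.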

Page 20

Building a Compliance-Ready Infrastructure

• Drupal Stack Architecture
  • Robust and secure

• Server Management Architecture
  • Controlled access
  • Standard, reproducible configurations

• Policies and Procedures
  • Documented and auditable
  • Consistent

• Test, Test, Test

Start Early!

Page 21

Acquia Cloud’s Server Architecture

• Designed for compliance

• Built on Amazon EC2:
  • SAS 70, PCI, and FISMA certified

• High availability with automatic failover

Page 22

Disaster Recovery and High Availability

• Split infrastructure between two data centers

• Multi-region replication (not pictured)

• Active-active difficult with Drupal

• Acquia Cloud uses Tungsten for multi-master DB replication

(Diagram: Data Center 1 and Data Center 2)

Page 23

Acquia Cloud Management Architecture

• Controlled Sysadmin Access
  • Two-factor auth
  • No shared accounts
  • Bastion host with audit trail

• Automated Backups

• Configuration Management
  • Centralized DB
  • Puppet for s/w deploys
  • Scripts for config files (e.g., apache, MySQL, etc.)

• Monitoring
  • Nagios

(Diagram: Bastion Server, Puppet, Backup Server, Config DB, Custom Scripts and Monitoring Server around the Managed Cloud Server Clusters)

Page 24

Policies and Procedures

• Start small and build up

• Write them down and follow them

• Key Policies
  • Access control
  • Change management
  • Disaster recovery
  • Security review
  • Crisis management

Page 25

Test, Test, Test

Anything that is not tested will not work (for long)

• Automated system tests
  • Verify you can continue to deploy servers consistently

• Positive and negative security tests

• On-going vulnerability scans

• Simulated failures
  • Untested failovers and redundancies will NOT work!

• Backup verification

• Test the processes too!
