Upload
others
View
11
Download
0
Embed Size (px)
Citation preview
NIST800-171ComplianceGuide
Note:Thiswhitepaperisintendedtoprovideanoverviewandisnotintendedtoprovidelegaladvice.Formorecomprehensiveinformationonregulationsandtheirimplications,pleaseconsultyourlegalcounsel.
WWW.GETFILECLOUD.COM
FileCloud
Introduction
WWW.GETFILECLOUD.COM
TheU.S.governmentrequiresfederalcontractorstocomplywiththeNIST800-171securitystandardtoensurethesecurityofControlledUnclassified
Information(CUI)innon-federalsystemsandorganizations.
InadditiontogeneralrequirementsforcontractorstocomplywithNIST800-
171,theU.S.DepartmentofDefense (DoD)mandatesthatallDODcontractorsthatprocess,storeortransmitCUI“meettheDefense FederalAcquisition
RegulationSupplement(DFARS)minimumsecuritystandardsbyDecember31,
2017orrisklosingtheirDoDcontracts.”CompliancewithNIST800-171enablescontractorstomeetthoseminimumDFARSsecuritystandards.This
documentexplainshowCodeLathe’s product,FileCloud Server,canbeusedtomanagetheCUIinnon-federalsystemsandorganizations.
CUIisdefinedasacategoricaldesignationthatreferstounclassifiedinformationthatdoesnotmeetthestandardsforNationalSecurity
ClassificationunderExecutiveOrder12958,asamended,butis(i)pertinenttothenationalinterestsoftheUnitedStatesortotheimportantinterestsof
entitiesoutsidethefederalgovernment,and(ii)underlaworpolicyrequires
protectionfromunauthorizeddisclosure,specialhandlingsafeguards,orprescribedlimitsonexchangeordissemination.
FileCloud Serverisahighlyscalable,self-hostedEnterpriseFileSharingand
Syncsolution(EFSS).TheUniquesellingpropositionofFileCloud are:total
controlofanorganization’sdata,completesecurity,unparalleledbrandingoptions,andexcellentuserexperience.Security,privacy,anddataownership
isfundamentaltoFileCloud’s securityarchitecture.FileCloud securitystartswith256-bitAdvancedEncryptionStandard(AES)SecureSocketsLayer(SSL)
encryptionatrest,two-factorauthentication,SSO(singlesign-on),granular
userandfilesharingpermissions,clientapplicationsecuritypolicies,automaticanti-virusscanningoffileswhenuploading,unlimitedfileversioning,file
locking,endpointdeviceprotection,andcomprehensiveHIPAAcompliantaudittrail.FileCloud alsousesFIPS140-2validatedcryptomoduleforallits
cryptooperations(encryptingdataatrestandintransit).WithFileCloud,you
canberestassuredthatCUIdataiswellprotectedonyourservers.FileCloudprovidesavarietyofdeploymentoptions:PrivateCloud(behindfirewalland
proxy)andPublicCloud(AWSorAzureGov Cloud).
FeaturesofFileCloud Server
WWW.GETFILECLOUD.COM
• Accessandsyncallyourfilesonallyourdevices
• Sharefilestointernalandexternalusers
• MountyourremotefilesasalocaldriveonWindowsandMacOS
• Integratemobileapps,Outlook,andOfficeAdd-ons
• SetupTeamFoldersaroundprojectsordepartmentalneedsandallowbothemployeesandpartnerstosecurelyaccesstheirfilesfromanywhere
• WhiteLabelSolution- Canbebrandedforyourorganization
• Unlimitedfileversioningandrecyclebinsupport
• Versatile,granularfolderpermissionstomimicanykindoffileshareandpermissionshierarchy
• Ensureappropriatelevelofaccessforeveryuserbyassigningindividualfolderlevelpermissions
• AdministratorscanmanagealldevicesaccessingFileCloud dataandmonitorsuspiciousactivitiesinrealtime
• Incaseofanysuspiciousactivity,administratorscanselectivelyblockdevicesorpermanentlyremoveusersfromaccessingthedata
• Completedatasecurity,ownership,andtotalprivacy
• DetailedAuditTrail(What,When,Who,Where,andHow)
• DLP- FileCloud’s uniquecapabilitiestomonitor,prevent,andfixdataleakageassurescorporatedataisprotectedacrossallyourdevices(Laptops,Desktops,SmartphonesandTablets).
• Governance:FileCloud’s detailedactivitylogs,connecteddevicesinventory,andaccesslogsprovidealltherighttoolstosatisfyanydatacomplianceneeds.
• Ransomwareprotection,workflowautomation,federatedsearch,adminreports,metadatasystem,policymanagementcapabilitiesandmore….
ThefollowingtablemapstheNIST800-171requirementstoFileCloudServerthatishostedbyyouinyourprivatecloudorpubliccloudinfrastructurelikeAWSorAzureGovCloud.
NIST800-171Requirement Details HowFileCloud ServerSupportsNIST800-171Compliance
3.1.1
Limitinformationsystemaccesstoauthorizedusers,processesactingonbehalfofauthorizedusers,anddevices(includingothersystems).
TheFileCloud platformprovidescomprehensiveaccesscontrolsanddevicemanagementcapabilitiestomanageandaccesstheCUI.
3.1.2
Limitinformationsystemaccesstothetypesoftransactionsandfunctionsthatauthorizedusersarepermittedtoexecute
FileCloud’s granularaccesspermissions(viewonly,download,upload,share,sync,anddelete)allowSystemadminstolimitauthorizeduseraccesstoCUI.
3.1.3ControltheflowofCUIinaccordancewithapprovedauthorizations.
FileCloud’s powerfulworkflowcapabilitiesprovidecontrolmechanisms(copy,move,delete,verifyintegrityandnotifyowners)tomanagetheflowofCUI.
3.1.4Separatethedutiesofindividualstoreducetheriskofmalevolentactivitywithoutcollusion.
TheFileCloud platformoffersRBAC,groups,andpowerfulpolicymanagementcapabilitiestoseparatethedutiesofindividualswhowillbeusingtheFileCloudsystem.
3.1.5
Employtheprincipleofleastprivilege,includingforspecificsecurityfunctionsandprivilegedaccounts.
FileCloud’s role,group,andpolicy-basedaccessmanagementcapabilitiesallowsystemadministratorstodefineaccesspoliciesthatemploytheprincipleofleastprivilege.
3.1.6 Usenon-privilegedaccountsorroleswhenaccessingnon-securityfunctions.
FileCloud offersrole-basedaccesscontrolsanddifferentusertypestoaccessnon-securityfunctions
3.1.7 Preventnon-privilegedusersfromexecutingprivilegedfunctionsandaudittheexecutionofsuchfunctions.
FileCloud preventsnon-privilegedusersfromperformingadministratorduties.Privilegedadministratoractionsarealsokeptinauditrecords.
3.1.8 Limitunsuccessfullogonattempts. TheFileCloud platformallowstheadministratorstosetthemaximumnumberofunsuccessfullogonattempts.
3.1.9 ProvideprivacyandsecuritynoticesconsistentwithapplicableCUIrules.
FileCloudServerisaself-hostedproduct.Customerscancreatetheirownprivacy,TermsofService(TOS),andsecuritypolicies.
3.1.10 Usesessionlockwithpattern-hidingdisplaystopreventaccessandviewingofdataafterperiodofinactivity.
FileCloudprovidestheabilityforsystemadministratorstosetsessionlocks.Afteradefinedperiodoftime,theusersessionsareterminated.However,FileClouddoesnotusepatternhidingdisplays.
3.1.11 Terminate(automatically)ausersessionafteradefinedcondition.
FileCloudprovidestheabilityforsystemadministratorstosetdefaultloginsessionsusingthe sessiontimeoutparameter.Thiswillkeepusersactivelyloggedintotheiraccountforalimitedtimeonly.Oncetheuserexceedstheinactivityperiodthenthesessionexpires,andtheuser’ssessionsareterminated.Theusermustloginagaintogetaccess.
3.1.12 Monitorandcontrolremoteaccesssessions.
FileCloud’spowerfulauditcapabilitiesmonitors“what,when,who,why,andhow,”attributesofeveryuseraction(preview,download,uploadandotheractions)withinthesystem.Administratorscaneasilymonitortheaudittransactionsandcontroltheuseraccessifneeded.
3.1.13 Employcryptographicmechanismstoprotecttheconfidentialityofremoteaccesssessions.
FileCloud protectstheconfidentialityandintegrityofyourfilesintransitandatrest.• AES256-bitencryptionto
storefilesatrest• SSL/TLSsecuretunnelfor
filestransmission
3.1.14 Routeremoteaccessviamanagedaccesscontrolpoints.
FileCloudallowsadministratorstocontrolwhichnodesorportsareallowedforremoteaccess.SystemadministratorscanalsochoosetodeployFileCloudbehindareverseproxy.
3.1.15 Authorizeremoteexecutionofprivilegedcommandsandremoteaccesstosecurity-relevantinformation.
FileCloudprovidesaseparateadministratorportaltoexecuteprivilegedoperations.ThisportalcanbefurtherprotectedbyIPaccessrestrictionsandtwo-factorauthentication(2FA)mechanisms.
3.1.16 Authorizewirelessaccesspriortoallowingsuchconnections.
FileCloudcanbedeployedbehindacorporatefirewallorreverseproxytoauthorizewirelessaccess.FileCloudcanalsorestrictbasedonclientIPaddressesanddisabletheabilityforclientapplicationstoconnect.
3.1.17 Protectwirelessaccessusingauthenticationandencryption.
AllFileCloudcommunications(OnTransit,AtRest)areprotectedbyNIST-recommendedencryptiontechnologies.
3.1.18 Controlconnectionofmobiledevices
FileCloudpolicymanagementanddevicemanagementcapabilitiesallowdisablingandenablingtheconnectionofmobiledevicestoFileCloud.
3.1.19 EncryptCUIonmobiledevicesandmobilecomputingplatforms.
FileCloud utilizesnativeencryptionprovidedbythepopularmobileplatforms(iOSandAndroid).Administratorscanalsodisabletheabilitytoopencontentfromothermobileapplications.
3.1.20 Verifyandcontrol/limitconnectionstoanduseofexternalsystems.
Allexternalsystems(likeS3compatiblestorage)arecontrolledbyauthenticationkeys.
WWW.GETFILECLOUD.COM
3.1.21 Limituseoforganizationalportablestoragedevicesonexternalsystems.
NotApplicable.
3.1.22 ControlCUIpostedorprocessedonpubliclyaccessiblesystems
FileCloud offersavarietyofdeploymentoptionstocontrolCUI:Hostiton-premisesservers(privatedeployment),orhostonhybridorsecurepublicclouddeployments(AWS/AzureGovCloud).
WWW.GETFILECLOUD.COM
3.2AwarenessAndTraining
NIST800-171Requirement Details HowFileCloud ServerSupportsNIST800-171Compliance
3.2.1 Ensurethatmanagers,systemsadministrators,andusersoforganizationalinformationsystemsaremadeawareofthesecurityrisksassociatedwiththeiractivitiesandoftheapplicablepolicies,standards,andproceduresrelatedtothesecurityoforganizationalinformationsystems.
FileCloud AlertsareavailableinFileCloud's Adminportalwhichtracksallunhandledexceptions,securityissues,andsystemerrormessagesgeneratedontheserver.ThenumberofalertsisshownontheFileCloud DashboardandtheAlertspagewillshowdetailedinformationaboutthevariouserrorsencountered.
3.2.2 Ensurethatorganizationalpersonnelareadequatelytrainedtocarryouttheirassignedinformationsecurity-relateddutiesandresponsibilities.
FileCloudalertsandnotificationshelptheadministratorsandenduserstofollowthebestpracticeswhenitcomestosecurity.
3.2.3 Providesecurityawarenesstrainingonrecognizingandreportingpotentialindicatorsofinsiderthreat.
FileCloud auditlogs,notifications,andshareanalyticscanbeusedforusertrainingtoidentifypotentialindicatorsofinsiderthreats.
WWW.GETFILECLOUD.COM
3.3AuditAndAccountability
NIST800-171Requirement Details HowFileCloud ServerSupportsNIST800-171Compliance
3.3.1 Create,protect,andretaininformationsystemauditrecordstotheextentneededtoenablethemonitoring,analysis,investigation,andreportingofunlawful,unauthorized,orinappropriateinformationsystemactivity.
FileCloudprovidescomprehensiveauditlogging(what,when,who,whereandhow)details.Administratorscanexportorarchivetheauditlogsforsafekeeping.
3.3.2 Ensurethattheactionsofindividualinformationsystemuserscanbeuniquelytracedtothoseuserssotheycanbeheldaccountablefortheiractions.
ByprovidingoptionstorecordeveryactionwithWhat,When,WhoandHowattributes,FileCloudgivescustomersthebestpossibleauditdatatosatisfyanytypeofcompliance.
3.3.3 Reviewandupdateauditedevents. TheFileCloudplatformhelpssystemadministratorsandpersonnelwithprivilegedaccesstoviewtheauditedevents.
3.3.4 Alertintheeventofanauditprocessfailure.
FileCloudAuditinterfaceclearlyshowstheaudittimeline.Administratorscancheckitperiodicallytomakesureactionsareauditedproperly.FileCloudalsosendsanalerttotheSystemAdministratorifauditarchivalfailsforsomereason.
3.3.5 Correlateauditreview,analysis,andreportingprocessesforinvestigationandresponsetoindicationsofinappropriate,suspicious,orunusualactivity.
FileCloudAuditlogscanbeexportedtoSecurityInformationandEventmanagement(SIEM)systemsandcanalsobeintegratedwithsyslogtoanalyzeandidentifysuspiciousorunusualactivity.
3.3.6 Provideauditreductionandreportgenerationtosupporton-demandanalysisandreporting.
TheFileCloud platformoffersbuilt-inandconfigurablereportsforon-demandanalysisandreporting.
3.3.7 Provideaninformationsystemcapabilitythatcomparesandsynchronizesinternalsystemclockswithanauthoritativesourcetogeneratetimestampsforauditrecords.
FileCloudcanbeintegratedwithNTPserverstoprovideauthoritativetimestamps.
3.3.8 Protectauditinformationandaudittoolsfromunauthorizedaccess,modification,anddeletion.
FileCloud canautoarchivetheauditlogstoasafelocationtopreventunauthorizedaccess,modification,anddeletion.TheFileCloud Adminportalalsooffersrole-basedaccesstorestrictunauthorizedaccesstoaudittransactions.
3.3.9 Limitmanagementofauditfunctionalitytoasubsetofprivilegedusers.
TheFileCloud Adminportaloffersrole-basedaccesstomanageandlimittheaudittransactiontoasubsetofprivilegedusers.
3.4ConfigurationManagement
NIST800-171Requirement Details HowFileCloud ServerSupportsNIST800-171Compliance
3.4.1 Establishandmaintainbaselineconfigurationsandinventoriesoforganizationalinformationsystems(includinghardware,software,firmware,anddocumentation)throughouttherespectivesystemdevelopmentlifecycles.
FileCloud providessystemcheckreportsthatgivethebaselineconfigurationoftheFileCloudsoftwareanditscomponents.
3.4.2 Establishandenforcesecurityconfigurationsettingsforinformationtechnologyproductsemployedinorganizationalinformationsystems.
TheFileCloud Adminportalprovidessecuritysettings(Passwordpolicy,Authentication,Access,andSharesettings)fortheplatformthatcanbeeasilyconfiguredbythesystemadministrators.FileCloud DeviceandPolicymanagementalsoofferssecuritysettingsthatcanbeenforcedformobileandclientdeviceaccess.
3.4.3 Track,review,approve/disapprove,andauditchangestoinformationsystems.
TheFileCloudplatformrecordsadministratoractionsintheauditlog.
3.4.4 Analyzethesecurityimpactofchangespriortoimplementation.
FileCloudoffersthebestsecuritypracticesdocumentation.Systemadministratorscanconfigurethesystemasperguidelinestorunthesystemsecurely.
3.4.5 Define,document,approve,andenforcephysicalandlogicalaccessrestrictionsassociatedwithchangestotheinformationsystem.
FileCloudenforceslogicalaccessasdefinedbythesystemadministrators.Further,FileCloudauditlogstrackalllogicalaccessappliedtotheCUIdata.
3.4.6 Employtheprincipleofleastfunctionalitybyconfiguringtheinformationsystemtoprovideonlyessentialcapabilities.
FileCloudcanbeconfiguredtoprovidetheleastandessentialaccesstotheCUIdata.
3.4.7 Restrict,disable,andpreventtheuseofnonessentialfunctions,ports,protocols,andservices.
FileCloudcanbeconfiguredtorunonasecureport.Administratorscanallowonlythenecessaryfunctionsforendusers.
3.4.8 Applydeny-by-exception(blacklist)policytopreventtheuseofunauthorizedsoftwareordeny-all,permit-by-exception(whitelisting)policytoallowtheexecutionofauthorizedsoftware.
FileCloudoffersMDMcapabilitiestoenforceblacklistingofothermobileapplicationstoopenoreditFileClouddata.
3.4.9 Controlandmonitoruserinstalledsoftware.
FileCloud preventsunauthorizedappsfromaccessingtheCUI.OnlyFileCloud mobileappscanaccessthedata.
WWW.GETFILECLOUD.COM
WWW.GETFILECLOUD.COM
3.5IdentificationandAuthentication
NIST800-171Requirement Details HowFileCloud ServerSupportsNIST800-171Compliance
3.5.1 Identifyinformationsystemusers,processesactingonbehalfofusers,ordevices.
FileCloudassignsuniqueIDstousersanddevicestotrackactivityontheplatformacrossalldevices.
3.5.2 Authenticate(orverify)theidentitiesofthoseusers,processes,ordevices,asaprerequisitetoallowingaccesstoorganizationalinformationsystems.
FileCloud offers advanced policyoptions to enable authenticationfor users as well as devices beforeallowing access to organizationalinformation systems.
3.5.3 Usemultifactorauthenticationforlocalandnetworkaccesstoprivilegedaccountsandfornetworkaccesstonon-privilegedaccounts.
FileCloudsupports2FAforusersandadministratorslocalandnetworkaccess.
3.5.4 Employreplay-resistantauthenticationmechanismsfornetworkaccesstoprivilegedandnonprivilegedaccounts.
FileClouduseraccountswillbelockedoutiftheytryusingthewrongpasswordfor“n”times.The“n”numbercanbeconfiguredtomeetyourorganizationsecurityrequirements.
3.5.5 Preventreuseofidentifiersforadefinedperiod.
FileCloudprohibitsduplicateidentifierswithinthesystemanduseridentifierscanalsobedisabledforadefinedperiod.
3.5.6 Disableidentifiersafteradefinedperiodofinactivity.
FileCloudallowsdisablingofuseraccountsafteraspecifiedtimeperiodofuserinactivity.
3.5.7 Enforceaminimumpasswordcomplexityandchangeofcharacterswhennewpasswordsarecreated.
FileCloud supportsstrongpasswordpolicy.Enablingthisoptionwillrequirethepasswordtocontainatleastoneuppercase,lowercase,number,andaspecialcharacterinthepassword.
3.5.8 Prohibitpasswordreuseforaspecifiednumberofgenerations.
FileCloudprohibitspasswordreuse.Anadministratorcanspecifythenumberofpreviouspasswordsthatcannotbereusedwhenpasswordischanged.
3.5.9 Allowtemporarypassworduseforsystemlogonswithanimmediatechangetoapermanentpassword.
FileCloudprovidesanoptionthatwillforcethenewuser,onlogin,tochangethepassword.
3.5.10 Storeandtransmitonlyencryptedrepresentationofpasswords.
Allpasswordsarestoredandtransmittedonlyinencryptedformat.
3.5.11 Obscurefeedbackofauthenticationinformation.
FileCloud providesobscurefeedbackwhenwrongpasswordisenteredtomakeithardertoguessthepassword.
WWW.GETFILECLOUD.COM
3.6IncidentResponse
NIST800-171Requirement Details HowFileCloud ServerSupportsNIST800-171Compliance
3.6.1 Establishanoperationalincident-handlingcapabilityfororganizationalinformationsystemsthatincludesadequatepreparation,detection,analysis,containment,recovery,anduserresponseactivities.
N/A
3.6.2 Track,document,andreportincidentstoappropriateorganizationalofficialsand/orauthorities.
TheFileCloudplatformlogsincidentsandgeneratessystemalertswhenmaliciousincidentsoccur.
3.6.3 Testtheorganizationalincidentresponsecapability.
N/A
WWW.GETFILECLOUD.COM
3.7Maintenance
NIST800-171Requirement Details HowFileCloud ServerSupportsNIST800-171Compliance
3.7.1 Performmaintenanceonorganizationalinformationsystems.
N/A
3.7.2 Provideeffectivecontrolsonthetools,techniques,mechanisms,andpersonnelusedtoconductsystemmaintenance.
FileCloudoffersaseparateAdminportaltolimitaccesstoconfigurationandmaintenancecontrolstoauthorizeduserssuchassystemadministrators.
3.7.3 Ensureequipmentremovedforoff-sitemaintenanceissanitizedofanyCUI.
FileCloudsupportsremoteerasingofFileClouddatainPCsandmobiledevices.
3.7.4 Checkmediacontainingdiagnosticandtestprogramsformaliciouscodebeforethemediaareusedintheinformationsystem.
FileCloudcanbeconfiguredtoscanformalwareusingananti-virusprogrambeforecontentisuploadedtoFileCloud.
3.7.5 Requiremultifactorauthenticationtoestablishnonlocalmaintenancesessionsviaexternalnetworkconnectionsandterminatesuchconnectionswhennonlocalmaintenanceiscomplete.
TheFileCloudAdminportalcanbeconfiguredtorequire2FAaccess. Itcanalsobeconfiguredtotimeoutthosesessionsafterathresholdofidletimehasbeenreached.
3.7.6 Supervisethemaintenanceactivitiesofmaintenancepersonnelwithoutrequiredaccessauthorization.
TheFileCloud auditfunctionlogsallusertransactionsirrespectiveoftheirprivilegelevels.
WWW.GETFILECLOUD.COM
3.8MediaProtection
NIST800-171Requirement Details HowFileCloud ServerSupportsNIST800-171Compliance
3.8.1 Protect(i.e.,physicallycontrolandsecurelystore)informationsystemmediacontainingCUI,bothpaperanddigital.
N/A
3.8.2 LimitaccesstoCUIoninformationsystemmediatoauthorizedusers.
FileCloudprotectsCUIbyencryptingcontentatrestandenforcingproperaccesscontrols.
3.8.3 SanitizeordestroyinformationsystemmediacontainingCUIbeforedisposalorreleaseforreuse.
FileCloudcanremotelyeraseCUIonclientdevices(PCs,MobilePhones).
3.8.4 MarkmediawithnecessaryCUImarkingsanddistributionlimitations.
N/A
3.8.5 ControlaccesstomediacontainingCUIandmaintainaccountabilityformediaduringtransportoutsideofcontrolledareas.
FileCloudenforcesaccesscontrolsonmobiledevicesregardlessoftheirlocation.FileCloudcanremotelyblockoreraseFileClouddataonmobiledevicesifneeded.
3.8.6 Implementcryptographicmechanismstoprotecttheconfidentialityofinformationstoredondigitalmediaduringtransportoutsideofcontrolledareasunlessotherwiseprotectedbyalternativephysicalsafeguards.
FileCloudencryptsallCUIatrestwithAESencryption.
3.8.7 Controltheuseofremovablemediaoninformationsystemcomponents.
N/A
3.8.8 Prohibittheuseofportablestoragedeviceswhensuchdeviceshavenoidentifiableowner.
N/A
WWW.GETFILECLOUD.COM
3.8.9 ProtecttheconfidentialityofbackupCUIatstoragelocations.
FileCloud encryptsandenforcesaccesscontrolsforallCUIundermanagement,includingCUIonredundantservers.
3.9PersonnelSecurity
NIST800-171Requirement DetailsHowFileCloud ServerSupportsNIST800-171Compliance
3.9.1 ScreenindividualspriortoauthorizingaccesstoinformationsystemscontainingCUI.
TheFileCloudplatformallowsaccesstoCUIonlytoauthorizedusers.
3.9.2 EnsurethatCUIandinformationsystemscontainingCUIareprotectedduringandafterpersonnelactionssuchasterminationsandtransfers.
Whenemployeesandcontractorsareterminated,FileCloud canrevokepermissionsoftheusersandblocktheaccesstoCUI.Further,personneldevicescanberemotelyblockedanderasedbytheFileCloud platform.
3.10PhysicalProtection
NIST800-171Requirement DetailsHowFileCloud ServerSupportsNIST800-171Compliance
3.10.1 Limitphysicalaccesstoorganizationalinformationsystems,equipment,andtherespectiveoperatingenvironmentstoauthorizedindividuals.
N/A
3.10.2 Protectandmonitorthephysicalfacilityandsupportinfrastructureforthoseinformationsystems.
N/A
3.10.3 Escortvisitorsandmonitorvisitoractivity.
N/A
3.10.4 Maintainauditlogsofphysicalaccess.
N/A
3.10.5 Controlandmanagephysicalaccessdevices.
N/A
3.10.6 EnforcesafeguardingmeasuresforCUIatalternateworksites(e.g.,teleworksites).
RemoteaccesstoCUIisprotectedbystrongauthenticationandaccesscontrols.Thedataisencryptedintransitandatrest.
3.11RiskAssessment
NIST800-171Requirement DetailsHowFileCloud ServerSupportsNIST800-171Compliance
3.11.1 Periodicallyassesstherisktoorganizationaloperations(includingmission,functions,image,orreputation),organizationalassets,andindividuals,resultingfromtheoperationoforganizationalinformationsystemsandtheassociatedprocessing,storage,ortransmissionofCUI.
TheFileCloudplatformoffersanadministrativedashboard(systemsummary,recentaccesslocations,Filetypedistribution),detailedauditlogs,andbuilt-inreportstoperiodicallyassesstherisks.
3.11.2 Scanforvulnerabilitiesintheinformationsystemandapplicationsperiodicallyandwhennewvulnerabilitiesaffectingthesystemareidentified.
FileCloudcanbeintegratedwithClamAVorotheranti-malwaresoftwareviaInternetContentAdaptionProtocol(ICAP) interfacetoblockanyvirusesormalwarefrombeinguploadedtoFileCloud.
3.11.3 Remediatevulnerabilitiesinaccordancewithassessmentsofrisk.
FileCloud alertssystemadministratorsaboutsuspiciousfilesthatfailsignaturechecksaswellasfilesblockedbytheAVsoftware.
3.12SecurityAssessment
NIST800-171Requirement DetailsHowFileCloud ServerSupportsNIST800-171Compliance
3.12.1 Periodicallyassessthesecuritycontrolsinorganizationalinformationsystemstodetermineifthecontrolsareeffectiveintheirapplication.
FileCloudoffersadministrativedashboard,alerts,andreportstoperformsecurityassessmentsquickly.
3.12.2 Developandimplementplansofactiondesignedtocorrectdeficienciesandreduceoreliminatevulnerabilitiesinorganizationalinformationsystems.
FileCloudprovidefunctionalitiestoprotectthesystemfromransomwareandmalwareattacks(RequiresintegrationwithAnt-VirusSoftwarewithICAPcapabilities).
3.12.3 Monitorinformationsystemsecuritycontrolsonanongoingbasistoensurethecontinuedeffectivenessofthecontrols.
N/A
3.12.4 Develop,document,andperiodicallyupdatesystemsecurityplansthatdescribesystemboundaries,systemenvironmentsofoperation,howsecurityrequirementsareimplemented,andtherelationshipswithorconnectionstoothersystems.
N/A
3.13SystemandCommunicationsProtection
NIST800-171Requirement DetailsHowFileCloud ServerSupportsNIST800-171Compliance
3.13.1 Monitor,control,andprotectorganizationalcommunications(i.e.,informationtransmittedorreceivedbyorganizationalinformationsystems)attheexternalboundariesandkeyinternalboundariesoftheinformationsystems.
FileCloud monitors,controls,andprotectsorganizationalcommunicationintransitandatrestviaencryptionusingFIPS140-2validatedencryptionmodule.
3.13.2 Employarchitecturaldesigns,softwaredevelopmenttechniques,andsystemsengineeringprinciplesthatpromoteeffectiveinformationsecuritywithinorganizationalinformationsystems.
FileCloudprovidesend-to-enddataprotectionwithmultiplelevelsofsecurityateachlayer.Securityisafirst-ordercitizenwithFileCloudandisbuiltfromthegroundup–notasanafterthought.FileCloudisavailableonprivateorhybridcloudorasaprivatehosteddeploymentisanisolatedenvironmentonAWSGovCloud.Thisenablescustomerstoadoptthedeploymentmodelthatbestsuitstheirsecurityneeds.
3.13.3 Separateuserfunctionalityfrominformationsystemmanagementfunctionality(e.g.,privilegeduserfunctions).
FileCloudoffersanAdminportalwhichisseparatefromtheendUserportal.Further,theAdminportalcanbeconfiguredwithrole-basedaccesscontrolforprivilegeduserfunctions.
3.13.4 Preventunauthorizedandunintendedinformationtransferviasharedsystemresources.
FileCloudpreventsunauthorizedaccessorsharingofCUI.OnlyauthorizeduserscanshareinformationviaFileCloud.FileCloudalsohastheoptiontodisablepublicsharinganddisablingnewuserinvitesinsuchawaythattheinformationiskeptonlywithintheorganizationandauthorizedusers.
3.13.5 Implementsubnetworksforpubliclyaccessiblesystemcomponentsthatarephysicallyorlogicallyseparatedfrominternalnetworks.
FileCloud’s3-tierarchitectureallowswebinterfacesandothersystemfunctionstobedeployedoutsidenetworkDMZsforpublicaccess,whileensuringthatapplicationlogicandCUIstorageremainsoninternalnetworks.FileCloudcanbealsodeployedbehindareverseproxyforfurtherprotection.
3.13.6 Denynetworkcommunicationstrafficbydefaultandallownetworkcommunicationstrafficbyexception(i.e.,denyall,permitbyexception).
Byconfiguringtheunderlyingwebserver,youcanwhitelisttheIPaddressesusedtoaccessFileCloud.
WWW.GETFILECLOUD.COM
3.13.7 Preventremotedevicesfromsimultaneouslyestablishingnon-remoteconnectionswiththeinformationsystemandcommunicatingviasomeotherconnectiontoresourcesinexternalnetworks.
N/A
3.13.8 ImplementcryptographicmechanismstopreventunauthorizeddisclosureofCUIduringtransmissionunlessotherwiseprotectedbyalternativephysicalsafeguards.
FileCloudencryptsCUIintransitusingTLS1.2(TransportLayerSecurity).
3.13.9 Terminatenetworkconnectionsassociatedwithcommunicationssessionsattheendofthesessionsorafteradefinedperiodofinactivity.
FileCloudprovidessessiontimeoutforboththeendUserandAdminportalthatcanbeconfiguredbythesystemadministrators.Afteradefinedperiodofinactivity,theuseraswellastheadminsessionexpires.
3.13.10 Establishandmanagecryptographickeysforcryptographyemployedintheinformationsystem.
FileCloudenablessystemadministratorstosetencryptionfordataatrestandintransit.
3.13.11 EmployFIPS-validatedcryptographywhenusedtoprotecttheconfidentialityofCUI.
FileCloudusesFIPS140-2validatedcryptographicmoduleforallcryptographicoperationincludingencryptionofCUIdataatrestandintransit.
3.13.12 Prohibitremoteactivationofcollaborativecomputingdevicesandprovideindicationofdevicesinusetouserspresentatthedevice.
N/A
3.13.13 Controlandmonitortheuseofmobilecode.
FileCloud clients(webbrowserordesktopclients)don’tuseanymobilecodesuchasappletsoractivexcontrols.
WWW.GETFILECLOUD.COM
3.13.14 ControlandmonitortheuseofVoiceoverInternetProtocol(VoIP)technologies.
N/A
3.13.15 Protecttheauthenticityofcommunicationssessions.
FileCloudinvalidatesthesessionuponuserlogoutoruponadefinedperiodofinactivity.
3.13.16 ProtecttheconfidentialityofCUIatrest.
FileCloud usesFIPS140-2validatedencryptionmoduletoencrypt(AES256)CUIdataatRest
3.14SystemandInformationIntegrity
NIST800-171Requirement DetailsHowFileCloud ServerSupportsNIST800-171Compliance
3.14.1 Identify,report,andcorrectinformationandinformationsystemflawsinatimelymanner.
CodeLathe monitors vulnerabilitiesinthe FileCloud platform regularlyand resolve these vulnerabilitiesbased onimpact and severity.
3.14.2 Provideprotectionfrommaliciouscodeatappropriatelocationswithinorganizationalinformationsystems.
FileCloudcanbeintegratedwithanti-malwareproductstoscanforviruses,APTsandzero-dayattacks.FileCloudalsoprovidesbuilt-inransomwareprotectionbycomparingthefilesignature.
3.14.3 Monitorinformationsystemsecurityalertsandadvisoriesandtakeappropriateactionsinresponse.
TheFileCloud platformcanbeconfiguredtoexportauditlogsandsystemalertsfromSecurityInformationandEventManagement(SIEM)systemsbeingusedforsecuritymonitoringandalerts.
3.14.4 Updatemaliciouscodeprotectionmechanismswhennewreleasesareavailable.
FileCloud canbeintegratedwithanti-malwareproductsviaanICAPinterface.Theseproductscanbeupdatedperiodicallyasnewdefinitionsarereleasedbythevendor.Bydefault,FileCloud canbeintegratedwiththeopensourceClamAV productwhichcanbeupdatedperiodically.
3.14.5 Performperiodicscansoftheinformationsystemandreal-timescansoffilesfromexternalsourcesasfilesaredownloaded,opened,orexecuted.
WhenyouintegrateFileCloudwithananti-virusproductviaICAP,alluploadedfilesarescannedforvirusesandmalware.
3.14.6 Monitortheinformationsystem,includinginboundandoutboundcommunicationstraffic,todetectattacksandindicatorsofpotentialattacks.
FileCloudmonitorsallthecommunicationsforsignsofransomwareandourauditlogs,dashboardsandgeoIPfeaturescanbeusedtolookfortrafficanomaly.
3.14.7 Identifyunauthorizeduseoftheinformationsystem.
TheFileCloud platformdoesn’tpermitunauthorizedaccessofthesystem.FileCloud’s auditlogsrecordallusertransactions.
FileCloud Architecture
FileCloud softwareistypicallyinstalledonaserver(LinuxorWindows).Afterinstallation,anAdminportalisavailabletoconfigureandmanagethesystem.Onceconfiguredbyanadministrator,userscanaccesstheFileCloud installationusingthewebbrowser,mobileapps,orevenkeeptheirdesktopfoldersinsyncusingtheFileCloud’s desktopsyncclients.
Diagram1.FileCloud Architecture
13785ResearchBlvd,Suite125AustinTX78750
Email:[email protected]
Website:https://www.getfilecloud.com
Phone:+1(888)571-6480
Fax:+1(866)824-9584
FileCloud HighAvailabilityArchitecture
TheFileCloud solutioncanbeimplementedusingtheclassic3-tierhighavailabilityarchitecture.Thefirsttierconsistsoftheloadbalancerandaccesscontrolservices.Tier1willbeawebtiermadeupofloadbalancers.Tier2willbestatelessapplicationserversandforFileCloud implementation.ThislayerwillconsistofApachenodes.Tier3willbethedatabaselayer.Theadvantageofthisarchitectureisseparationofstatelesscomponentsfromstate-fullcomponentsallowinggreatflexibilityindeployingthesolution.
TolearnmoreabouthowtheFileCloudplatformcanhelpyourorganizationcomplywithNIST800-171regulations,[email protected].
Diagram2.FileCloud High-AvailabilityArchitecture