Using Cisco’s VMDC to Facilitate FISMA Compliance

July 23, 2014

Jason P. Broz

Synopsis

This whitepaper discusses how Cisco’s Virtualized Multiservice Data Center (VMDC) validated architecture can facilitate compliance with the Federal Information Security Management Act (FISMA) (NIST 800-53 Revision 4 moderate control set).

Table of Contents

Introduction
    VMDC
    SecureState
Who Needs to be FISMA Compliant?
What are the Current Challenges?
FISMA Control Areas
How VMDC Can Help
    Access Control (AC)
    Audit and Accountability (AU)
    Security Assessment and Authorization (CA)
    Configuration Management (CM)
    Identification and Authentication (IA)
    Media Protection (MP)
    Personnel Security (PS)
    Risk Assessment (RA)
    System and Services Acquisition (SA)
    System and Communications Protection (SC)
    System and Information Integrity (SI)
Achieving FISMA Compliance

Introduction

Cisco’s Virtualized Multiservice Data Center (VMDC) is a scalable network topology that service providers and large organizations can implement in order to provide a secure multi-tenant solution to their clients. The architecture that VMDC utilizes greatly assists service providers in creating a network which meets the various security needs of clients. In order to evaluate the ability of Cisco’s VMDC network topology to facilitate Federal Information Security Management Act (FISMA) compliance on behalf of the clients that implement this blueprint, Cisco requested that SecureState analyze the VMDC topology against the NIST 800-53 Revision 4 control set. Previously, SecureState evaluated earlier versions of the VMDC topology against NIST 800-53 Revision 3. Cisco’s VMDC architecture provides a number of controls which can be implemented in order to help fulfill a particular component of the overall control.

VMDC

The Cisco VMDC is a tested and validated reference architecture for the Cisco Unified Data Center. It provides a set of guidelines and best practices for the creation and deployment of a scalable, secure, and resilient infrastructure in the data center. The Cisco VMDC architecture demonstrates how to bring together the latest Cisco routing and switching technologies, network services, data center and cloud security, automation, and integrated solutions with those of Cisco's ecosystem of partners to develop a trusted approach to data center transformation. Specific benefits include:

Demonstrated solutions to critical technology-related problems in evolving IT infrastructure: Provides support for cloud computing, applications, desktop virtualization, consolidation and virtualization, and business continuance

Reduced time to deployment: Provides best-practice recommendations based on a fully tested and validated architecture, helping enable technology adoption and rapid deployment

Reduced risk: Enables enterprises and service providers to deploy new architectures and technologies with confidence

Increased flexibility: Enables rapid, on-demand workload deployment in a multitenant environment using a comprehensive automation framework with portal-based resource provisioning and management capabilities

Improved operating efficiency: Integrates automation with a multitenant pool of computing, networking, and storage resources to improve asset use, reduce operation overhead, and mitigate operation configuration errors

The Cisco VMDC architecture, consisting of the Cisco Unified Data Center and Cisco Data Center Interconnect (DCI) together with other architectural components such as infrastructure abstraction, orchestration and automation, assurance, and integrated services and applications, as shown below, provides comprehensive guidelines for deployment of cloud infrastructure and services at multiple levels.

SecureState

SecureState is a management consulting company specializing in information security and compliance services. We believe in a different approach to security which guides our clients as partners, from their CurrentState (CS) to their DesiredState (DS) and ultimately their SecureState. As shown in the graph below, SecureState begins working with clients at the CS, performing assessments to understand the security posture of the organization as it is constructed today. Once SecureState identifies the CS, we then construct tactical and strategic methods to move from the CS to the DS and ultimately a managed SecureState (SS).

SecureState provides services to public and private organizations that operate within the Governmental Sector, assisting organizations in identifying their CurrentState of FISMA compliance. SecureState then provides a roadmap and assistance as desired with tactical and strategic items to help them achieve their DesiredState and SecureState. Types of assistance include validation of NIST 800-53 controls, secure system configuration, policy development, and strategic security solutions that align with operational goals.

SecureState’s team of resources is consistently looked upon as thought leaders in information security, presenting at conferences such as InfoSec World, DefCon, BlackHat, and SecureWorld Expo. The team is also sought after by journalists for publications such as SC Magazine, InformationWeek, and Federal CIO Magazine.

Who Needs to be FISMA Compliant?

All federal agencies and contracted private entities that support operations such as providing protection, administration, or maintenance of federal assets as they pertain to information systems security are required to comply with FISMA. Requirements vary based on the categorization level of the asset as defined in Federal Information Processing Standard (FIPS 199). The goal is to provide a holistic, risk-based information security program, including implementation of administrative and technical components to support the program.

What are the Current Challenges?

1. Agency Size. Based on Government Accountability Office (GAO) report 14-344, released June 2014, agency size plays a role in achieving FISMA compliance. While some controls found not to be in place are administrative, a lack of risk assessment or of implemented policies and procedures leaves no structure for implementing technical safeguards. As depicted in the graph below, which is included in GAO report 14-344 with data supplied by US-CERT, incidents such as unauthorized access and active or passive reconnaissance are steadily increasing.

2. Access Controls/Authentication Management. As evidenced in the graph provided in the GAO report above, many organizations are struggling with unauthorized access. Through the use of Active Directory (AD), Windows domain accounts are easily managed. Accounts such as those for devices that provide network infrastructure, Linux and/or Unix system accounts, or local machine administrator accounts can still remain a challenge (e.g., password length and/or complexity, password history, session timeouts, device lockout). Application of consistent security controls becomes time consuming and unmanageable.

3. Device Hardening. All systems and applications are required to be securely configured as defined in the configuration management (CM) control area of FISMA. Common systems that must be securely configured include databases (Oracle, MS-SQL, MySQL, etc.), servers (Windows 2003, Windows 2008, Red Hat, etc.), web servers (IIS, Apache, WebLogic, etc.), and network infrastructure (firewalls, routers, switches, etc.). If there are no standard operating procedures in place or baseline configurations implemented, standard hardening practices can become inconsistent.

4. Monitoring and Log Aggregation. Log aggregation is easily achieved with Windows devices; however, aggregating all outlying devices such as network components can be a challenge. This requires additional resources to implement appropriate log controls and anomaly reporting from such devices.

FISMA Control Areas

FISMA consists of seventeen control areas that must be applied dependent upon categorization of device:

1. Access Control (AC) - Assesses processes as they pertain to account management, including role-based access, least privilege, remote access, privileged accounts, and revocation processes, including wireless network and mobile device access.

2. Awareness and Training (AT) - Assesses process, frequency, and methods as they pertain to security awareness and training. Additionally, controls as they pertain to role-based training (e.g., developers) and training verification and tracking are also assessed.

3. Audit and Accountability (AU) - Assesses administrative and technical controls around logging access and events, audit log storage capacity, log review and reporting, and protection of audit trails from modification. Non-repudiation, log generation, and log retention are also included.

4. Security Assessment and Authorization (CA) - Assesses testing of security defenses as implemented (e.g., penetration testing). Additionally, system interconnections, segmentation, continuous monitoring, and authorization are addressed, as are remediation plans for vulnerabilities.

5. Configuration Management (CM) - Assesses processes as they pertain to system hardening standards, including authoritative and supporting documentation pertaining to configuration management. Change control methods and mechanisms and asset inventory are also addressed.

6. Contingency Planning (CP) - Assesses processes regarding planning efforts in case of a natural disaster, continuity of operations, and recovery efforts. Training, testing, after action reviews, and plan improvement are also assessed.

7. Identification and Authentication (IA) - Assesses organizational processes as they pertain to the management of user and component identities and proper authorization for access and authentication.

8. Incident Response (IR) - Assesses processes and procedures as they pertain to incident response methods and mechanisms involving information system components and data, including training of individuals, testing, and continual improvement of the plan.

9. Maintenance (MA) - Assesses management of system maintenance activities and documentation. Additionally, tools, remote vendor access, and maintenance personnel management are included.

10. Media Protection (MP) - Assesses protection mechanisms and management processes as they pertain to physical and electronic media throughout their lifecycle. Areas such as proper chain of custody and inventory management are also assessed.

11. Physical and Environmental Protection (PE) - Assesses physical controls and access management processes as they pertain to system components. Areas such as monitoring and visitor management, emergency procedures, and management of the environment (e.g., temperature, humidity, and damage protection) are included.

12. Planning (PL) - Assesses administrative processes regarding items such as security plans and codes of conduct, as they pertain to security and privacy.

13. Personnel Security (PS) - Assesses management processes as they pertain to individuals with access to information systems. Items assessed include validity of qualifications, criminal history, termination/transfer processes, third-party access management, and sanctions.

14. Risk Assessment (RA) - Assesses the risk management processes within the agency or organization, including categorization rationale, risk assessment reporting, and vulnerability management.

15. System and Services Acquisition (SA) - Assesses the management of the acquisition process. Additionally, Systems Development Lifecycle (SDLC), supply chain management, and analysis are included.

16. System and Communications Protection (SC) - Assesses data in transit methods to ensure confidentiality and integrity. Key management, shared resources, operational security, and availability are included.

17. System and Information Integrity (SI) - Assesses data integrity management. Processes such as code flaw remediation, malicious code protection, third-party security alerts, functionality testing, and input validation are included.

How VMDC Can Help

While FISMA is a holistic governance model addressing administrative and technical controls, VMDC can be utilized to facilitate compliance in several control areas. Keeping in mind that control families contain both administrative and technical controls, VMDC facilitates an overall eighty-six (86) controls, with the balance being administrative controls that would need to be implemented by the agency or organization. Four control areas not addressed, Awareness and Training, Maintenance, Physical and Environmental Protection, and Planning, are the responsibility of the organization to implement as they are process driven.

Access Control (AC)

Cisco’s Access Control Server (ACS) provides capability to integrate with RADIUS/TACACS or LDAP servers such as Active Directory (AD), providing strong access controls for data store devices and network components within the VMDC solution. While performing the review of the VMDC network architecture, SecureState verified that ACS is capable of integrating each of the core pieces of network infrastructure into AD. Roles can be configured in ACS which limit the types of commands a particular account can run on a particular device. Furthermore, roles can be created which grant access to only a subset of network devices in the network. The VMDC solution facilitates nineteen (19) applicable controls, with the balance being the responsibility of the organization.

Audit and Accountability (AU)

Introduction of Splunk into the VMDC solution provides an agency or organization with the ability to aggregate logging into a powerful Security Information and Event Management (SIEM) system. Splunk facilitates many of the attributes required for compliance (e.g., date/time stamp, source, user identity). Additionally, VMDC allows organizations to input not only Windows logs, but also logs from network components in order to continuously monitor all systems. Anomaly alerting can also be configured to report from one central source. Lancope StealthWatch provides additional audit information from a network monitoring perspective. Sourcefire provides intrusion detection, adding another layer of security and providing early detection of irregularities. VMDC facilitates ten (10) applicable controls required for FISMA compliance in this control area.

Security Assessment and Authorization (CA)

Incorporating Sourcefire, Splunk, and Lancope StealthWatch into the overall VMDC solution facilitates continuous monitoring requirements from a systems and network infrastructure perspective. VMDC provides robust network infrastructure which can be used to segment operational areas from areas containing confidential data, thereby maintaining confidentiality of information. These technologies include ACLs, VLANs, and virtual firewalls. VMDC facilitates two (2) applicable controls, with the balance being the responsibility of the organization.

Configuration Management (CM)

The BMC configuration tool can be incorporated into the VMDC architecture to streamline configuration management. This powerful tool drives efficiency, as hardening baselines can be implemented using it. Additionally, features of the BMC tool facilitate synchronization of devices and provide the ability to update or roll back configurations as needed. Use of Cisco’s ASA firewalls permits organizations to implement restrictions as needed to meet operational requirements while still maintaining a secure posture. Cisco has developed configuration guides for each component which can be used to apply specific controls. SecureState reviewed each device in order to verify that they could be hardened in such a way as to meet FISMA compliance requirements. The VMDC solution facilitates seven (7) applicable controls, with the balance being the responsibility of the organization.

Contingency Planning (CP)

VMDC cannot directly meet FISMA controls pertaining to contingency planning as these are administrative in nature. The VMDC solution can provide agencies or organizations with the ability to implement it as a Disaster Recovery site maintained in an off-site facility at a Cisco or other data center of their choice.

Identification and Authentication (IA)

As with the AC control area, Cisco’s Access Control Server can be integrated with RADIUS/TACACS or LDAP servers such as Active Directory (AD) to facilitate authentication controls, applying them to both systems and network components within the VMDC solution, driving efficiency and reducing the amount of time required for administrative tasks. Additionally, the capability to incorporate two-factor authentication as required by FISMA is available. The VMDC solution facilitates thirteen (13) applicable controls, with the balance being the responsibility of the organization.

Incident Response (IR)

Anomaly reporting provided by Splunk, Sourcefire, and Lancope StealthWatch can be used to detect incidents and force activation of the Incident Response Plan in the early stages of the incident. This can save time and resources and limit the severity of the incident. Additionally, if alerts are acted upon early enough, data confidentiality and integrity can potentially be maintained and system downtime can potentially be minimized.

Media Protection (MP)

Cisco can provide disk level encryption as an added service incorporated into the VMDC architecture as a way to provide data confidentiality when stored on electronic media. One (1) applicable FISMA control can be facilitated using the VMDC solution.

Personnel Security (PS)

Splunk can provide logical access control review as a part of the VMDC solution. This would facilitate one (1) applicable control required for FISMA compliance.

Risk Assessment (RA)

The use of Cisco’s ACS integrated into RADIUS/TACACS or LDAP servers facilitates role-based access and elevated privileges as they pertain to this control area. The VMDC solution facilitates one (1) applicable control in this control area.

System and Services Acquisition (SA)

This control area covers many process and administrative controls as they pertain to the management of the Systems Development Lifecycle (SDLC). While VMDC can only facilitate one (1) applicable control in this control area, secure areas can be configured to logically separate environments (e.g., development, test, sandbox, production), and through use of Cisco’s ACS, separation of duties can be facilitated, providing technical support for administrative controls.

System and Communications Protection (SC)

Integration of Lancope StealthWatch network monitoring can provide early detection of potential denial of service attacks and send alerts to resources in order to preserve system availability. Information leakage can be minimized through VMDC’s solution of VLANs and virtual firewalls to logically segment business units into separate containers. ASA firewalls, routers, and switches provide defense against external leakage in conjunction with the BMC configuration tool, which can be used to properly configure all components securely. Sourcefire Intrusion Prevention provides an added layer of defense, alerting on suspicious activity within the internal network. Disk level encryption is available as an additional service, which would further facilitate controls in this control family. Data in transit is also secured through the use of the VMDC solution and its ability to provide secure communication channels (e.g., SSL, SSH) and support the use of key certificates.

Cisco’s ACS provides strong access controls, and use of virtual firewalls and VLANs for segmentation provides several layers of protection for data at rest. The VMDC facilitates seventeen (17) applicable controls in this control area.

System and Information Integrity (SI)

Through the integration of Splunk SIEM, Sourcefire IPS, and the Lancope StealthWatch network performance tool into the overall VMDC solution, agencies and organizations are provided with the ability to monitor activities from several different perspectives, providing a more complete view into network events and performance. This provides the ability to adjust fire as needed and continually improve, maintaining confidentiality and integrity of data while maintaining high levels of availability and network performance. Additionally, Sourcefire’s ability to provide real-time alerting of events allows for quicker response times and potential incident resolution, allowing organizations to potentially meet or exceed recovery time objectives (RTO).

All Cisco devices contained within the VMDC solution have gone through security testing to protect memory from unauthorized code execution. The VMDC solution facilitates eight (8) applicable controls, with the balance being the responsibility of the organization.

Achieving FISMA Compliance

As FISMA is a holistic governance approach based on risk, administrative documentation, processes, and device categorization are required prior to selection, implementation, and assessment of technical controls. Additionally, continued monitoring of the administrative and technical controls is required to ensure consistency of process as it pertains to confidentiality, integrity, and availability of data stored on federal information systems.

The process starts with NIST SP 800-30 Revision 1 Guide for Conducting Risk Assessments as defined in NIST SP 800-37 Revision 1 Guide for Applying the Risk Management Framework to Federal Information Systems. This enables an agency or supporting organization to accurately categorize an information system in accordance with FIPS 199 Standards for Security Categorization of Federal Information and Information Systems.

NIST 800-37 Rev 1 provides guidance in the specific areas as they pertain to federal information systems, to include activities such as “security categorization, security control selection, and implementation, security control assessment, information system authorization and security control monitoring,” per the documented definition. It addresses risk from three levels: the organization, business process, and information system level.

FIPS 199 requires information to be categorized based on potential impact to the agency or organization if confidentiality, integrity, or availability is lost. Low impact is defined as having a limited adverse effect, where moderate impact would be defined as a serious effect, and high would be defined as a severe or catastrophic effect. NIST SP 800-30 provides a risk management framework for assessing the risks associated with federal information systems in order to provide appropriate levels in accordance with FIPS 199. NIST SP 800-37 Rev 1 Guide for Applying the Risk Management Framework to Federal Information Systems is the guidance document for assessing associated risks.

After implementation of administrative and technical safeguards, a NIST SP 800-53 assessment is performed, as defined by category, in accordance with FIPS 200 Minimum Security Requirements for Federal Information and Information Systems in order to assess compliance.

NIST SP 800-53 Revision 4 is the most current control framework used to assess administrative and technical safeguards implemented in order to authorize an information system as being FISMA compliant.

Upon achievement of FISMA compliance, authorization to operate is granted from a Certifying Authority (agency official).

NIST SP 800-137 Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations provides guidance on implementation and management of an overall continuous monitoring program.

For further information, refer to the VMDC Cloud Security 1.0 Design guide at: http://www.cisco.com/c/en/us/solutions/enterprise/data-center-designs-cloud-computing/landing_vmdc.html