nlets cjis security - amazon s3cji impact from a datacenter critical systems crash –core dump...
NLETS & CLOUD SECURITY
Bill Phillips, Information Security Officer
Overview
■ Enhancing Nlets Audit Capabilities
■ Nova Architecture
■ Nova Security Services
Audit
Enhancing Nlets Audits
■ Revising the existing audit process
– Better Communications
– Enhance Onboarding
– Enhancing Functionality
– Align with Emerging Standards
– Ensure Consistent Scrutiny
Enhancing Nlets Audits
■ Contracted SME for Cloud Assessments
– Co-Development of Assessment Standards
– Assess Partner Cloud Deployments – Lead and Follow
– Nova Assessment
Architecture
Policy Reference
5.10.3.2 Virtualization
Virtualization refers to a methodology of dividing the resources of a computer (hardware and software) into multiple execution environments. Virtualized environments are authorized for criminal justice and noncriminal justice activities. In addition to the security controls described in this Policy, the following additional controls shall be implemented in a virtual environment:
■ 1. Isolate the host from the virtual machine. In other words, virtual machine users cannot access host files, firmware, etc.
■ 2. Maintain audit logs for all virtual machines and hosts and store the logs outside the hosts’ virtual environment.
■ 3. Virtual Machines that are Internet facing (web servers, portal servers, etc.) shall be physically separate from Virtual Machines (VMs) that process CJI internally or be separated by a virtual firewall.
■ 4. Drivers that serve critical functions shall be stored within the specific VM they service. In other words, do not store these drivers within the hypervisor, or host operating system, for sharing. Each VM is to be treated as an independent system – secured as independently as possible.
Policy Reference
5.10.3.2 Virtualization
Virtualization refers to a methodology of dividing the resources of a computer (hardware and software) into multiple execution environments. Virtualized environments are authorized for criminal justice and noncriminal justice activities. In addition to the security controls described in this Policy, the following additional controls shall be implemented in a virtual environment:
■ 1. Isolate the host from the virtual machine. In other words, virtual machine users cannot access host files, firmware, etc.
■ 2. Maintain audit logs for all virtual machines and hosts and store the logs outside the hosts’ virtual environment.
■ 3. Virtual Machines that are Internet facing (web servers, portal servers, etc.) shall be physically separate from Virtual Machines (VMs) that process CJI internally.
■ 4. Drivers that serve critical functions shall be stored within the specific VM they service.
Setting the Keel
Security Services
Traffic Flow
Virtual Machines
Virtual Network Adapter
Virtual Switch
Hypervisor Host
Physical Network Adapter
Security Services Properties
■ Legacy - Traffic Between Hosts
■ Inter VM traffic
■ Agentless
■ Bound to the VM
Security Services Offering
■ SPI Firewall (5.10.1.1)
■ Layer 2 Segregation
■ Antimalware (5.10.4.2)
■ Intrusion Detection System (5.10.1.3)
■ Alert Notifications
■ Automatic Updates
Security Services Offering
Questions?
Stephen Exley, CISSP
Senior Consultant/Technical Analyst
FBI CJIS ISO Program
Cloud Computing and the CJIS Security Policy
Nlets Implementers Workshop
August 30, 2016
CLOUD COMPUTING
Cloud Computing
What is Cloud Computing?
• Defined by the CJIS Security Policy as:
A distributed computing model that permits on‐demand network access to a shared pool of configurable computing resources (i.e., networks, servers, storage, applications, and services), software, and information.
What Does the Cloud Actually Look Like?
A More Realistic Cloud Diagram
On-premise environment
Benefits of Cloud Computing
• Reduced Budgets
• Improved Efficiency
• Disaster Recovery
• Service Consolidation
Delineation of Responsibility/Governance
Security Concerns with Cloud Computing
• Privileged user access
• Regulatory compliance
• Data location
• Data segregation
• Recovery
• Investigative support
• Long‐term viability
Is the CJIS Security Policy (CSP) “cloud friendly”?
• Yes! The CJIS Security Policy is solution and device agnostic; not prohibitive.
• Independent assessment recommended stronger controls (assessment results available on FBI.gov)
• Some LEAs already using cloud services for a variety of services
Achieving CSP Compliance
• Will access to Criminal Justice Information (CJI) within a cloud environment fall within the category of remote access? (5.5.6 Remote Access)
• Will advanced authentication (AA) be required for access to CJI within a cloud environment? (5.6.2.2 Advanced Authentication, 5.6.2.2.1 Advanced Authentication Policy and Rationale)
• Does/do any cloud service provider’s datacenter(s) used in the transmission or storage of CJI meet all the requirements of a physically secure location? (5.9.1 Physically Secure Location)
Achieving CSP Compliance (cont.)
• Are the encryption requirements being met? (5.10.1.2 Encryption)
  • Who will be providing the encryption as required in the CJIS Security Policy? (client or cloud service provider)
    o Note: Individuals with access to the keys can decrypt the stored files and therefore have access to unencrypted CJI.
  • Is the data encrypted while at rest and in transit?
• What are the cloud service provider’s incident response procedures? (5.3 Policy Area 3: Incident Response)
  • Will the cloud subscriber be notified of any incident?
  • If CJI is compromised, what are the notification and response procedures?
Achieving CSP Compliance (cont.)
• Is the cloud service provider a private contractor/vendor?
  • If so, they are subject to the same screening and agreement requirements as any other private contractors hired to handle CJI (5.1.1.5 Private Contractor User Agreements and CJIS Security Addendum; 5.12.1.2 Personnel Screening for Contractors and Vendors)
• How will event and content logging be handled? (5.4 Policy Area 4, Auditing and Accountability)
  • Will the cloud service provider handle events and content logging and provide that upon request?
• What are the cloud service provider’s responsibilities with regard to media protection and destruction? (5.8 Policy Area 8: Media Protection)
Achieving CSP Compliance (cont.)
• Will the cloud service provider allow the CSA and FBI to conduct audits? (5.11.1 Audits by the FBI CJIS Division; 5.11.2 Audits by the CSA)
Achieving CSP Compliance (cont.)
Cloud Computing and the CJIS Security Policy
• Section 5.10.1.5 Cloud Computing
The metadata derived from CJI shall not be used by any cloud service provider for any purposes.
The cloud service provider shall be prohibited from scanning any email or data files for the purpose of building analytics, data mining, advertising, or improving the services provided.
• Appendix G.3 Cloud Computing White Paper
Agency Stores CJI in a Cloud
• A CJA stores encrypted CJI (Backup files and drives) in a cloud.
• To access CJI, the agency will extract the CJI from the cloud to its local machine, and then decrypt the CJI. The CJI is processed, re‐encrypted, and then re‐uploaded to the cloud environment for storage.
• In this scenario, the agency always encrypts the CJI prior to placing it in the cloud and only authorized users of the agency have access to the encryption keys.
Since the agency maintains the encryption keys, the cloud service provider employees would not need to undergo fingerprint‐based background checks, nor have security awareness training. These requirements are negated, because only authorized personnel with access to the keys have the ability to view this CJI in an unencrypted form.
Cloud Computing Encryption Use Case #1
Agency Access CJI While in a Cloud
• A CJA stores CJI (files and drives) in a cloud service provider’s environment, but as part of daily operations authorized users will remotely access the encrypted CJI in the cloud.
• The user will decrypt the CJI while it is in the cloud’s virtual environment, process the data, and then re‐encrypt the data prior to ending the remote session.
The agency maintains the keys and the cloud service provider does not have access to the encryption keys. However, since the CJI is decrypted within the cloud’s virtual environment, any administrative personnel employed by the cloud provider having the ability to access the virtual environment must be identified and subjected to security awareness training and personnel security controls as described in the CJIS Security Policy.
Cloud Computing Encryption Use Case #2
CJI Impact from a Datacenter Critical Systems Crash – Core Dump Recovery
• A CJA utilizes a cloud service provider (IaaS or PaaS) to store CJI and remotely accesses the environment to process CJI.
• During normal operation, the cloud provider experiences systems outages within the datacenter in which CJI is processed and stored.
• The cloud provider’s administrators need to repair the systems and restore service using data from a core dump to return to normal operations.
• The cloud service provider as part of the Service Level Agreement (SLA) with the CJA has been authorized to maintain the encryption keys in order to respond to such an event.
Cloud Computing Encryption Use Case #3
CJI Impact from a Datacenter Critical Systems Crash – Core Dump Recovery
The cloud administrators with such access have undergone fingerprint‐based background checks and security awareness training. This allows the cloud administrators to decrypt CJI so that it is written to the core dump files for restoration following the system outage. CJI, however, is encrypted at all times except when part of the core dump files. As part of the SLA, the cloud service provider has agreed to treat the core dump files as CJI to ensure all protections are in place in compliance with the CJIS Security Policy.
Cloud Computing Encryption Use Case #3 (cont.)
Cloud Computing Email FAQ
Question: Our city has recently been considering moving to cloud‐based email service covering all city departments and agencies, to include the local police department. Our question is: Are we allowed to send criminal justice information (CJI) through email?
Answer: You can send e‐mail containing Criminal Justice Information (CJI) as long as it remains within your physically secure environment (as described in the Policy), you send the e‐mail along an encrypted path (FIPS 140‐2 certified, 128 bit) to the recipient, or you encrypt (FIPS 140‐2 certified, 128 bit) the payload of an e‐mail.
Questions?
Jeff Campbell, FBI CJIS Assistant ISO
Steve Exley, Sr. Consultant/Technical Analyst
John “Chris” Weatherly, FBI CJIS ISO Program Manager
George White, FBI CJIS ISO
CJIS ISO CONTACT INFORMATION