FISMA Compliance in the Virtual Data Center: Fulfilling NIST Requirements
© 2012, HyTrust, Inc. www.hytrust.com
1975 W. El Camino Real, Suite 203, Mountain View, CA 94040
Phone: 650-681-8100 / email: [email protected]



1. FISMA Compliance in the Virtual Data Center: Fulfilling NIST Requirements (title slide)

2. NIST Directives on Virtualization Security

  • Organizations should have the same security controls in place for virtualized operating systems as they have for the same operating systems running directly on hardware.
  • Ensure that the hypervisor is properly secured.
  • Restrict and protect administrator access to the virtualization solution. The security of the entire virtual infrastructure relies on the security of the virtualization management system that controls the hypervisor and allows the operator to start guest OSs, create new guest OS images, and perform other administrative actions.
  • Neither physical data center security controls nor the basic controls provided by the virtualization platform were designed to fulfill these requirements for FISMA compliance.

3. HyTrust Role in NIST/FISMA Compliance

  • 6 of the 18 NIST SP 800-53 control families (those covered on the following slides: AC, AU, CA, CM, IA and SI) focus on controlling and tracking infrastructure access or on ensuring configuration and system integrity.
  • Compliance in virtual environments requires an approach that addresses the distinct attributes of virtual infrastructure access, configuration, and system integrity.
  • HyTrust is purpose-built to control and log access activity, ensure compliant host configurations, and protect system integrity in virtual environments.
  • HyTrust fills critical gaps in the virtualization platforms' NIST/FISMA compliance capabilities.*

  Source: NIST Special Publication 800-53, Revision 3
  * Platform capabilities mentioned in this document are believed to be accurate as of April 2012 and are subject to revision.

4. HyTrust Enables Access Control (AC) Compliance

Each row gives the AC control, the NIST requirement for FISMA compliance, the virtualization platform's constraints/gaps, and the HyTrust requirement fulfillment for virtual environments.

  Account Management (AC-2)
    NIST requirement: Specify access privileges and grant access to the system based on (i) a valid access authorization; (ii) intended system usage; and (iii) other attributes as required by the organization or associated missions/business functions.
    Platform gaps:
      • Supports single-factor authentication only
      • Allows root account sharing
      • Allows default passwords
      • Defaults to admin privileges for all operations
    HyTrust:
      • Supports multi-factor authentication
      • Prevents root account sharing
      • Prevents use of default passwords
      • Enables limited access privileges based on intended system usage and other attributes

  Access Enforcement (AC-3)
    NIST requirement: Enforce approved authorizations for logical access to the system in accordance with applicable policy.
    Platform gaps: Enables broad access privileges based on roles only.
    HyTrust: Enforces authorization policy defined by granular role-based and attribute-based access privileges.

  Information Flow Enforcement (AC-4)
    NIST requirement: Enforce approved authorizations for controlling the flow of information within the system and between interconnected systems in accordance with policy.
    Platform gaps: Allows unfiltered VM-to-VM communications, unconstrained by policy.
    HyTrust: Enforces trust zone policies that constrain users' ability to change information flows.

  Separation of Duties (AC-5)
    NIST requirement: Implement separation of duties through assigned information system access authorizations.
    Platform gaps:
      • Provides limited ability to enforce access policies separating duties
      • Provides no pre-defined roles besides administrator
    HyTrust:
      • Provides the authorization granularity needed for effective separation of duties
      • Provides 17 pre-defined, customizable roles

  Least Privilege (AC-6)
    NIST requirement: Employ the concept of least privilege, allowing only authorized accesses for users which are necessary to accomplish assigned tasks in accordance with organizational mission.
    Platform gaps: Defaults to super-user privileges.
    HyTrust: Allows only the operations and access to virtual resources that users need to do their jobs.

  Security Attributes (AC-16)
    NIST requirement: Support the binding of security attributes to information in storage, in process, and in transmission.
    Platform gaps: Provides no mechanism to tag virtual objects with security attributes.
    HyTrust: Enables object tagging with security attributes that enable robust and flexible access control.

5. HyTrust Enables Audit and Accountability (AU) Compliance (continued)

Each row gives the AU control, the NIST requirement for FISMA compliance, the virtualization platform's constraints/gaps, and the HyTrust requirement fulfillment for virtual environments.

  Audit Review, Analysis, and Reporting (AU-6)
    NIST requirement: Analyze and correlate audit records across different repositories to gain organization-wide situational awareness.
    Platform gaps: Provides basic virtualization event data to SIEM solutions that may not be detailed enough for correlation with physical data center audit records.
    HyTrust: Provides the thorough, fine-grained virtualization event data needed by SIEM solutions for correlation with similarly detailed physical data center records.

  Non-Repudiation (AU-10)
    NIST requirement: Protect against an individual falsely denying having performed a particular action.
    Platform gaps: Allows admin anonymity via sharing of the root account.
    HyTrust: Associates a unique user ID with every event logged.

  Audit Generation (AU-12)
    NIST requirement: Provide audit record generation capability for the list of auditable events defined in AU-2. Produce audit records in a standardized format.
    Platform gaps:
      • Creates separate log files for vCenter and each host server
      • Uses different log formats for vCenter vs. hosts
    HyTrust:
      • Consolidates and centrally manages logs covering vCenter and all hosts
      • Uses a single, uniform format for combined vCenter and host log data
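How a policy enforcement point in front of the management interface can produce the per-user, allowed-and-denied audit records that AC-3, AC-5, AC-6, AU-10 and AU-12 call for (and that the audit data slide at the end of this deck itemizes), as an added Python example. This is not HyTrust code: the role names, privilege names, rule names and the record layout are assumptions made for the illustration, and the requests are constructed. Every decision, allowed or denied, is logged in one format with the required privileges, the missing ones and the rules that were evaluated, so a denied reconfiguration of a production-labelled VM by a user with a shared account is as visible to a SIEM as a permitted one.

```python
"""Policy enforcement for hypervisor management operations with one
audit record format for allowed and denied requests.

Added example, not HyTrust code. Roles, privilege names, rule names and
the record layout are assumptions; the requests in main() are constructed.
"""
import json
from dataclasses import dataclass, field

# Assumed roles: each maps to the privileges it grants (AC-5: several
# narrowly scoped roles instead of a single administrator role).
ROLES = {
    "vm_operator": {"VM.PowerOn", "VM.PowerOff", "VM.Console"},
    "vm_admin": {"VM.PowerOn", "VM.PowerOff", "VM.Console",
                 "VM.Reconfigure", "VM.Delete"},
    "host_admin": {"Host.Configure", "Host.Maintenance"},
    "prod_change": {"Change.Production"},  # needed to touch labelled objects
}

# Privileges each operation requires (assumed names). An unknown operation
# requires a privilege nobody holds and is therefore denied by default.
OPERATION_PRIVS = {
    "power_on": {"VM.PowerOn"},
    "reconfigure_vm": {"VM.Reconfigure"},
    "delete_vm": {"VM.Delete"},
    "edit_host": {"Host.Configure"},
}

SHARED_ACCOUNTS = {"root", "admin", "administrator"}


@dataclass
class Request:
    user: str
    roles: list
    source_ip: str
    operation: str
    target: str
    target_labels: set = field(default_factory=set)
    timestamp: str = "2012-04-01T12:00:00Z"  # constructed


def evaluate(req: Request) -> dict:
    """Decide the request and return the uniform audit record for it."""
    rules = []
    # AU-10 / IA-2: every action must be attributable to an individual ID.
    rules.append(("individual_identity", req.user not in SHARED_ACCOUNTS))
    # AC-3 / AC-6: role-based privilege check against what the operation needs.
    held = set().union(*(ROLES.get(r, set()) for r in req.roles))
    required = set(OPERATION_PRIVS.get(req.operation, {"Unknown.Operation"}))
    # AC-16 / CM-5: attribute-based constraint; objects labelled "production"
    # require an extra privilege for any operation, whatever the role grants.
    if "production" in req.target_labels:
        required.add("Change.Production")
    missing = required - held
    rules.append(("privileges_sufficient", not missing))
    decision = "allowed" if all(ok for _, ok in rules) else "denied"
    return {
        "user": req.user,
        "time": req.timestamp,
        "source_ip": req.source_ip,
        "operation": req.operation,
        "target": req.target,
        "labels": sorted(req.target_labels),
        "decision": decision,
        "required_privileges": sorted(required),
        "missing_privileges": sorted(missing),
        "evaluated_rules": [{"rule": n, "passed": ok} for n, ok in rules],
    }


def to_syslog_line(record: dict) -> str:
    """One-line JSON so vCenter and host events can share a single format."""
    return "vaudit: " + json.dumps(record, sort_keys=True)


def main():
    requests = [  # constructed sample traffic
        Request("jdoe", ["vm_admin"], "10.0.0.5", "reconfigure_vm", "vm-web01", {"production"}),
        Request("jdoe", ["vm_admin", "prod_change"], "10.0.0.5", "reconfigure_vm", "vm-web01", {"production"}),
        Request("root", ["vm_admin", "prod_change"], "10.0.0.9", "delete_vm", "vm-web01", {"production"}),
        Request("asmith", ["vm_operator"], "10.0.0.7", "delete_vm", "vm-dev01"),
    ]
    for req in requests:
        print(to_syslog_line(evaluate(req)))


if __name__ == "__main__":
    main()
```

The third request is the case the platform's own logging does not cover: the operation would succeed on privileges alone, but the shared root identity fails the attribution rule, so the record shows a denial with an empty missing-privilege list and the failing rule named. Feeding the one-line JSON to syslog gives a SIEM a single schema for vCenter and host events.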
6. HyTrust Enables Security Assessment and Authorization (CA) Compliance

Each row gives the CA control, the NIST requirement for FISMA compliance, the virtualization platform's constraints/gaps, and the HyTrust requirement fulfillment for virtual environments.

  Continuous Monitoring (CA-7)
    NIST requirement: Establish a continuous monitoring strategy and implement a continuous monitoring program that includes a configuration management process for the information system and a determination of the security impact of changes to the information system.
    Platform gaps:
      • Does not provide functionality to continuously monitor and manage the hypervisor configuration
      • Does not provide functionality to determine the security impact of changes to the hypervisor configuration
      • Can only implement permissions on virtual objects in a hierarchical fashion; cannot implement meaningful permissions in a dynamic environment
    HyTrust:
      • Continuously monitors hypervisor configurations for drift and policy violations
      • Determines the security impact of configuration changes by continuously comparing configuration states to baselines such as CIS Benchmark standards, VMware Best Practices, and other frameworks
      • Can establish permissions and policies that follow the virtual machine regardless of where it resides in the environment

7. HyTrust Enables Configuration Management (CM) Compliance

Each row gives the CM control, the NIST requirement for FISMA compliance, the virtualization platform's constraints/gaps, and the HyTrust requirement fulfillment for virtual environments.

  Baseline Configuration (CM-2)
    NIST requirement: Develop, document, and maintain under configuration control a current baseline configuration. Employ automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration.
    Platform gaps:
      • Host Profiles functionality for maintaining baselines is not available with Standard or Enterprise versions of the platform
      • Requires hosts to be put in maintenance mode and all VMs to be moved to another host for the duration of the operation
    HyTrust:
      • Enables the organization to define and automatically maintain a custom baseline configuration or a pre-built baseline such as CIS Benchmark standards, VMware Best Practices, or other frameworks
      • Does not require putting hosts in maintenance mode after remediating baseline variations
      • Provides automated configuration maintenance for all versions of the virtualization platform

  Configuration Change Control (CM-3)
    NIST requirement: Audit activities associated with configuration-controlled changes. Employ automated mechanisms to implement changes to the current baseline and deploy the updated baseline across the installed base.
    Platform gaps:
      • Logs changes for individual hosts only, and may not capture a unique user ID
      • Puts hosts in maintenance mode to deploy changes
    HyTrust:
      • Centrally logs all hypervisor configuration change event data, including the specific user, the action attempted (allowed or denied), source IP, timestamp, target, etc.
      • Automates deployment of changes to the security configuration of the hypervisor without putting hosts in maintenance mode

  Access Restrictions for Change (CM-5)
    NIST requirement: Enforce logical access restrictions associated with changes to the system. Employ automated mechanisms to enforce access restrictions and support auditing of the enforcement actions. Limit developer/integrator privileges to change hardware, software, firmware and system information within a production environment.
    Platform gaps:
      • Enables only broadly defined role-based access restrictions
      • Does not log disallowed or failed operations on the hypervisor configuration
      • Does not support privileges tied to objects such as production VMs
    HyTrust:
      • Applies granular, user-specific role-based access controls to the hypervisor configuration and management interfaces
      • Automatically logs all allowed and denied operations
      • Enables enforcement of access restrictions customized for roles such as developer and integrator, and limitation of privileges on virtual objects assigned a label such as "production"

8. HyTrust Enables Configuration Management (CM) Compliance (continued)

  Configuration Settings (CM-6)
    NIST requirement: Monitor and control changes to configuration settings in accordance with organizational policies and procedures. Employ automated mechanisms to centrally manage, apply, and verify configuration settings. Employ automated mechanisms to respond to unauthorized changes to the organization's configuration settings. Demonstrate conformance to security configuration guidance (i.e., security checklists) prior to being introduced into a production environment.
    Platform gaps:
      • Does not provide functionality that verifies, monitors, or controls hypervisor configurations
      • Does not provide a means to generate alerts for unauthorized configuration changes
      • Is not able to check whether a configuration conforms with a policy or checklist
    HyTrust:
      • Verifies, monitors, and controls hypervisor configuration changes
      • Provides configuration change request logs to SIEM solutions that can be used to trigger alerts
      • Enables the organization to check whether a configuration conforms with a customized configuration policy or with guidance such as CIS Benchmark standards, VMware Best Practices, or other frameworks

  Least Functionality (CM-7)
    NIST requirement: Configure the information system to prohibit or restrict the use of specified functions, ports, protocols, and/or services.
    Platform gaps: Enables some configuration of access restrictions on individual hosts.
    HyTrust: Centrally enforces hypervisor access policy via protocol (SSH, vSphere Client, SOAP) and hypervisor IP address controls on all hosts.

9. HyTrust Enables Identification and Authentication (IA) Compliance

Each row gives the IA control, the NIST requirement for FISMA compliance, the virtualization platform's constraints/gaps, and the HyTrust requirement fulfillment for virtual environments.

  Identification and Authentication (Organizational Users) (IA-2)
    NIST requirement: Uniquely identify and authenticate organizational users, including organizational employees or individuals the organization deems to have equivalent status to employees (e.g., contractors, guest researchers, individuals from allied nations). Use multifactor, replay-resistant authentication for network and local access to privileged accounts. For network accounts, one of the factors is provided by a device separate from the information system being accessed. Allow the use of group authenticators only in conjunction with an individual/unique authenticator.
    Platform gaps:
      • Permits root account sharing, enabling anonymous access
      • Requires only a password for access; does not support multi-factor authentication
    HyTrust:
      • Requires a unique ID for access by an organizational user and associates the unique ID with every operation performed by the user
      • Supports multi-factor, replay-resistant authentication such as RSA SecurID and hardware tokens for network and local access to privileged accounts

  Identification and Authentication (Non-Organizational Users) (IA-8)
    NIST requirement: Uniquely identify and authenticate non-organizational users.
    Platform gaps: Permits potential root account sharing by non-organizational users, enabling anonymous access.
    HyTrust: Requires a unique ID for access by a non-organizational user and associates the unique ID with every operation performed by the user.

10. HyTrust Enables System and Information Integrity (SI) Compliance

  Information Input Restrictions (SI-9)
    NIST requirement: Restrict the capability to input information to the information system to authorized personnel. Restrictions may extend beyond the typical access controls employed by the system and include limitations based on specific operational/project responsibilities.
    Platform gaps: Does not restrict the ability to input information based on specific operational/project responsibilities.
    HyTrust: Restricts the capability to input information, via any access method, using role-based authorization sufficiently fine-grained to distinguish between users' operational/project responsibilities.

11. HyTrust Fills Critical FISMA Audit Data Gaps

Each row gives, per log data provider, the data recorded for an allowed operation (example), the data recorded for a denied reconfiguration attempt (example), and the usability and productivity characteristics of the logs.

  Virtualization Platform
    Allowed operation:
      • User: root
      • Time/date
      • Target resource name, URL
      • Operation executed
    Denied reconfiguration attempt: none
    Usability and productivity:
      • Separate log files for vCenter and each host server
      • Different log formats for vCenter vs. hosts

  HyTrust
    Allowed operation: all of the above, plus:
      • User ID
      • Source IP address
      • Resource reconfigured
      • Previous resource state
      • New resource state
      • Label (Production)
      • Required privileges
      • Evaluated rules/constraints
    Denied reconfiguration attempt:
      • User ID
      • Date/time
      • Source IP address
      • Operation requested
      • Operation denied
      • Target resource name, IP address, port, and protocol
      • Required privileges
      • Missing privileges
      • Evaluated rules/constraints
    Usability and productivity:
      • Consolidated, centrally managed logs covering vCenter and all hosts
      • Single, uniform format for combined vCenter and host log data
      • Logs sent to a central repository or SIEM via syslog
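The continuous baseline comparison and security-impact determination described above under CA-7, CM-2, CM-6 and CM-7, as an added Python example that is not HyTrust code. The setting names, the baseline rules and the two host snapshots are constructed for the illustration; the rules are modelled on, not quoted from, CIS-benchmark-style hardening checks. The point the slides make is that comparing a host against the baseline answers "is it compliant?", while comparing two snapshots through the baseline answers "did this change matter?": a change can be a violation, a remediation, benign, or outside what the baseline monitors, and only the first kind should page anyone.

```python
"""Continuous monitoring of hypervisor host configuration against a baseline.

Added example, not HyTrust code. Setting names, baseline rules and the
two host snapshots are constructed; the rules are modelled on, not quoted
from, CIS-benchmark-style hardening checks.
"""
from dataclasses import dataclass
from typing import Callable

IMPACT_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Rule:
    setting: str
    check: Callable[[object], bool]  # predicate over the observed value
    expected: str                    # plain-language expectation for reports
    impact: str                      # security impact when violated


# Assumed baseline (CM-2). A missing setting is observed as None and fails.
BASELINE = [
    Rule("ssh.enabled", lambda v: v is False, "SSH service disabled", "high"),
    Rule("shell.timeout", lambda v: isinstance(v, int) and 0 < v <= 900,
         "shell timeout set and at most 900 s", "medium"),
    Rule("syslog.remote_host", lambda v: bool(v), "remote syslog target configured", "high"),
    Rule("mgmt.allowed_ips", lambda v: bool(v) and "0.0.0.0/0" not in v,
         "management access limited to named networks (CM-7)", "high"),
    Rule("ntp.enabled", lambda v: v is True, "NTP enabled", "low"),
]


def assess(snapshot: dict) -> list:
    """CM-6 check: one finding per baseline rule for a host snapshot."""
    findings = []
    for rule in BASELINE:
        observed = snapshot.get(rule.setting)
        findings.append({
            "setting": rule.setting,
            "compliant": bool(rule.check(observed)),
            "impact": rule.impact,
            "expected": rule.expected,
            "observed": observed,
        })
    return findings


def drift(previous: dict, current: dict) -> list:
    """CA-7: classify every changed setting by its effect on compliance."""
    before = {f["setting"]: f for f in assess(previous)}
    after = {f["setting"]: f for f in assess(current)}
    events = []
    for name in sorted(set(previous) | set(current)):
        if previous.get(name) == current.get(name):
            continue
        if name not in after:
            kind, impact = "unmonitored", "none"
        elif before[name]["compliant"] and not after[name]["compliant"]:
            kind, impact = "violation", after[name]["impact"]
        elif not before[name]["compliant"] and after[name]["compliant"]:
            kind, impact = "remediation", "none"
        else:
            kind, impact = "benign", "none"
        events.append({"setting": name, "old": previous.get(name),
                       "new": current.get(name), "kind": kind, "impact": impact})
    return events


def worst_impact(events: list) -> str:
    """Highest security impact among drift events; drives alert severity."""
    return max((e["impact"] for e in events), key=IMPACT_ORDER.__getitem__, default="none")


# Constructed snapshots: T0 is compliant, T1 has drifted in three places.
HOST_T0 = {"ssh.enabled": False, "shell.timeout": 600, "syslog.remote_host": "10.1.1.20",
           "mgmt.allowed_ips": ["10.1.1.0/24"], "ntp.enabled": True, "ntp.server": "10.1.1.5"}
HOST_T1 = {"ssh.enabled": True, "shell.timeout": 300, "syslog.remote_host": "10.1.1.20",
           "mgmt.allowed_ips": ["10.1.1.0/24", "0.0.0.0/0"], "ntp.enabled": True,
           "ntp.server": "10.1.1.6"}

if __name__ == "__main__":
    for f in assess(HOST_T1):
        if not f["compliant"]:
            print(f"NONCOMPLIANT {f['setting']}: expected {f['expected']}, observed {f['observed']!r}")
    for e in drift(HOST_T0, HOST_T1):
        print(f"{e['kind']:<11} {e['setting']} {e['old']!r} -> {e['new']!r} (impact {e['impact']})")
    print("worst impact:", worst_impact(drift(HOST_T0, HOST_T1)))
```

Run periodically against snapshots pulled from each host, the `drift` events are what would be forwarded to a SIEM as configuration change requests: the two violations (SSH turned on, management interface opened to 0.0.0.0/0) carry a high impact and warrant an alert, the shorter shell timeout is still within baseline, and the NTP server change is reported but not scored because no rule covers it.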