Ramping Up the Federal Cloud Against the Insider Threat
Changes to the government’s cloud computing certification process promise major security improvements.
The U.S. government is adopting changes to the cloud computing certification program that will better protect against potential insider threats. The improvements include additional penetration testing, more thorough testing of mobile devices, tighter controls over systems being carried from a facility and more stringent scrutiny of systems connecting from outside the network.
During an early June industry day, General Services Administration (GSA) officials revealed changes being adopted for the Federal Risk and Authorization Management Program (FedRAMP), the governmentwide program to assess and authorize cloud computing products and services. FedRAMP relies on a baseline of National Institute of Standards and Technology (NIST) Special Publication 800-53 security controls selected specifically to protect cloud environments. Revision 3 of the document is currently in effect, but changes under Revision 4 will be implemented in the coming months. “The latest round of FedRAMP security controls places a much greater emphasis on the insider threat. Where Revision 3 was concerned with protecting everything surrounding the perimeter, Revision 4 takes security to the necessary step of asking what happens when the threat originates from within the boundary,” says Vinny Troia, chief executive officer and principal security consultant, Night Lion Security, St. Louis.
Troia cites a number of alterations, including enhanced testing for mobile devices and additional penetration testing, in particular testing driven by the government agencies themselves. Additionally, FedRAMP certification now requires host intrusion detection systems, malicious user testing, auditing of privileged functions and security awareness training that covers insider threats.
The updated process also addresses the risk of sensitive information on laptops or other devices leaving a facility. “You hear all the time somebody walked off with a laptop that had 100,000 Social Security numbers on it,” Troia states. “People just leave the premises with these high-confidentiality laptops, and the laptop is stolen. There are more checks in place to prevent that, which is a big improvement.”
He also highlights enhancements to granting and revoking access and questions more relevant to the current threat environment. “The questions are more modernized. One of the problems I saw with the current assessment is that they were testing for things so outdated no one would even use them anymore—certain kinds of attacks. They were doing tests, if I remember correctly, for ping attacks, which don’t even apply anymore. They’ve wiped out a lot of that,” Troia reports.
Additionally, he says, Revision 4 requires compliance for “interconnected systems.” For example, some servers could be considered outside the network boundary—and therefore not scrutinized—even though they could allow access inside the network. “Now, an interconnected system must comply with all the same safeguards and regulations as systems within the boundary. This also means that servers used as maintenance or temporary gateways between businesses are also subject to the same checks,” he explains. Troia says the current process contains one fatal flaw: Companies can cheat the certification process by simply failing to disclose vulnerable systems. And some cloud service providers would have reason to keep assets secret, he posits. “Perhaps the custom application is a legacy Web app running on legacy hardware that can’t be upgraded. The company might choose to exclude it from the asset list and hope no one finds it,” he states.
A typical cloud service provider can have two main groupings of systems. The first group is the actual cloud environment, which consists of the virtualization hardware and its supporting network gear: routers, switches and load balancers. The second group is the company’s internal—yet critical—systems, such as the configuration management database, the configuration management automation application and the human resources and billing systems. Many large organizations also will have a secure password vault to store the root passwords for all of their devices, Troia says.
He theorizes that a company might want to shave some costs and develop a simpler, Web-based password repository available within the network. Current FedRAMP procedures do not require these internal portals to be tested, Troia says. “So what we have here is an internal Web application that is intentionally ignored because it is inside the network boundary, but it just so happens to hold the root passwords for all assets for the company and cloud organization. Without proper testing, this machine could fall victim to something as simple as an SQL Injection attack,” Troia says, referring to a technique in which attacker-supplied input is interpreted by a data-driven application as part of its database query.
If that repository simply were left off the asset list, the third-party assessment organization (3PAO) certifying a company’s cloud offerings would not even know about it, Troia maintains. “Firewall logs would not show anything. A device listing would be completely meaningless if you’re talking about a large organization with thousands of other corporate systems unrelated to FedRAMP. And relying on a network diagram is not effective since the document can easily be modified,” he argues.
FedRAMP requires that a terminated employee’s account credentials be revoked within 90 days, but under Troia’s scenario, a knowledgeable employee could gain access to the password vault within that window. “After a day or two, the employee decides to retaliate. He checks his virtual private network access and cannot get in. Instead, he tries using virtual private network access for a temp admin system account that he knows about. Voila! The virtual private network system is outside the boundary and may not have the same—or any—temporary account removal policies,” Troia explains. “Once he is in, he decides to try his luck with the password vault. He tries his own user account, and bingo! Full access to all root passwords because his account was not purged.”
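The first failure in Troia’s scenario is an orphaned account: the user’s own login is disabled on one system but a temporary admin account he knows about survives on another, out-of-boundary system. The following is an added example, not code from the article or from Night Lion Security, of the kind of offboarding reconciliation that catches this. It sweeps account exports from every system, inside and outside the boundary, and follows account ownership rather than matching on username alone, so a temp or shared account tied to a departed person is flagged as well. The export format, the system names and the dates are constructed for illustration.

```python
from datetime import date, timedelta

# Constructed sample: HR record of one departure (username -> last day).
TERMINATIONS = {"jdoe": date(2014, 6, 2)}

# Constructed sample: account exports from several systems in a hypothetical
# format, system -> list of (account_name, owner, enabled). The "vpn" system
# sits outside the FedRAMP boundary in the scenario; "vault" and "cmdb" are inside.
ACCOUNTS = {
    "vpn": [
        ("jdoe", "jdoe", False),        # personal account, correctly disabled
        ("tmpadmin", "jdoe", True),     # temp admin account owned by jdoe, still live
    ],
    "vault": [
        ("jdoe", "jdoe", True),         # personal account never purged from the vault
        ("svc-backup", "ops", True),    # service account, owner still employed
    ],
    "cmdb": [("jdoe", "jdoe", False)],
}


def stale_access(accounts, terminations, today):
    """Return (system, account, days_since_departure) for every enabled
    account whose owner has left, regardless of which side of the boundary
    the system is on. Matching is on owner, so temp/shared accounts count."""
    findings = []
    for system, entries in accounts.items():
        for account, owner, enabled in entries:
            last_day = terminations.get(owner)
            if enabled and last_day is not None:
                findings.append((system, account, (today - last_day).days))
    return sorted(findings)


def overdue(findings, max_days):
    """Filter findings to those outside the removal window the baseline allows.
    A long window (e.g. 90 days) hides exactly the accounts this scenario abuses,
    so reviewers typically run both views."""
    return [f for f in findings if f[2] > max_days]


if __name__ == "__main__":
    today = date(2014, 6, 4)  # constructed: two days after the departure
    live = stale_access(ACCOUNTS, TERMINATIONS, today)
    for system, account, days in live:
        print(f"{system}: '{account}' still enabled {days} day(s) after owner left")
    print("overdue under a 90-day window:", overdue(live, 90))
```

Run against the sample data, the sweep reports the never-purged vault login and the live temp admin account on the VPN after two days, while the 90-day view reports nothing; the gap between the two lists is the window the scenario exploits.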
Even if the former employee’s account is fully purged, other paths may be available for wrongdoing. For example, access may still be gained to the local area network segment by using a temporary access account, Troia says. Knowing the technology is old, the intruder could then launch an SQL injection tester. “Sometimes it’s just that simple. The bigger the system, the easier the hack,” Troia adds. “I hope this scenario illustrates the multiple failures that can lead to a complete catastrophe. Without proper testing and verifying of internal systems, there is the potential of missing a critical system. In addition, Web apps that contain critical information should be subject to the same level of scrutiny, regardless of whether or not they exist within the system boundary.”
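The second failure is the SQL injection itself. As an added example, not code from the article or from any FedRAMP vendor, the block below models the “simpler, Web-based password repository” as a tiny SQLite table (hypothetical schema, constructed rows) and shows the vulnerable lookup beside its parameterized fix, plus the kind of tautology probe an “SQL injection tester” runs to tell the two apart. The hostnames and secrets are invented.

```python
import sqlite3

# Constructed sample rows for a hypothetical internal root-password vault.
SAMPLE_VAULT = [
    ("web-lb-01", "root", "Lb!2014-root"),
    ("cmdb-db-01", "root", "Cm$db-root-9"),
    ("hr-app-01", "administrator", "Hr#app-adm-3"),
]


def build_vault():
    """In-memory stand-in for the vault's database, seeded with sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE vault (hostname TEXT, account TEXT, secret TEXT)")
    conn.executemany("INSERT INTO vault VALUES (?, ?, ?)", SAMPLE_VAULT)
    return conn


def lookup_vulnerable(conn, hostname):
    """Deliberately vulnerable: the search term is spliced into the SQL text,
    so a value like  ' OR '1'='1  rewrites the WHERE clause."""
    query = f"SELECT hostname, account, secret FROM vault WHERE hostname = '{hostname}'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn, hostname):
    """Fixed: the search term travels as a bound parameter and is only ever
    compared as data, never parsed as SQL."""
    query = "SELECT hostname, account, secret FROM vault WHERE hostname = ?"
    return conn.execute(query, (hostname,)).fetchall()


def is_injectable(conn, lookup):
    """Boolean tautology probe: a lookup for a host that does not exist should
    return nothing; if appending  ' OR '1'='1  returns more rows than the plain
    lookup, the input is reaching the query as SQL."""
    baseline = lookup(conn, "no-such-host")
    probe = lookup(conn, "no-such-host' OR '1'='1")
    return len(probe) > len(baseline)


if __name__ == "__main__":
    conn = build_vault()
    print("vulnerable, benign input :", lookup_vulnerable(conn, "web-lb-01"))
    print("vulnerable, injected     :", lookup_vulnerable(conn, "' OR '1'='1"))
    print("hardened, injected       :", lookup_hardened(conn, "' OR '1'='1"))
    print("probe vulnerable:", is_injectable(conn, lookup_vulnerable))
    print("probe hardened  :", is_injectable(conn, lookup_hardened))
```

With the injected value the vulnerable lookup dumps every root password in the table, which is the “full access to all root passwords” outcome Troia describes; the hardened lookup returns no rows, and the probe distinguishes the two without needing to know the schema.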
Not all experts agree, however, that Troia’s scenario poses a serious threat. Maria Horton, founder and CEO, EmeSec, Reston, Virginia, one of 27 accredited 3PAOs, acknowledges a company could willfully fail to disclose vulnerable assets on the network but maintains that those systems will likely still be discovered. “It’s an interesting premise. I don’t think it’s a real concern,” Horton says.
She explains that multiple agencies, including NIST, the GSA, the Department of Homeland Security and the U.S. Defense Department, are all involved in the rigorous certification process. “They are very much looking at the specificity of the inventory, and they are looking at the details written in the system security plan. Our customers going through that process actually have been scrutinized pretty thoroughly,” Horton reports.
“Someone hiding a system is kind of unlikely,” she argues. “In addition to that, you would run a generalized scan on the network to identify Internet protocol addresses on that particular network or boundary for the cloud service provider. If it’s not listed on the inventory, it would probably be discovered on the scan. I believe it would be very difficult to hide that system. You would have to, in collusion, remove it and or isolate it from the boundary for the scan.”
Furthermore, scanning will occur more often, she reports. “FedRAMP had gone from quarterly scanning to monthly scanning, and they’re moving toward weekly and then every 72 hours. The window of being able to add, remove or hide equipment on the system will get smaller and smaller,” Horton states.
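Horton’s counter-argument rests on reconciling a network sweep against the declared inventory: a live host inside the boundary that is missing from the inventory is exactly the undisclosed system Troia worries about, and an inventory host that does not answer during the scan is a candidate for having been isolated for the occasion. The block below is an added example, not code from EmeSec, FedRAMP or the article, that performs that reconciliation over constructed nmap “greppable” (`-oG`) output. The addresses, hostnames and the inventory format are assumptions for illustration; the `-oG` line layout (`port/state/protocol/owner/service/...`) is nmap’s real format.

```python
import ipaddress
import re

# Constructed sample: nmap greppable output for one sweep of the declared boundary.
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated as: nmap -sS -p 22,80,443,3389 -oG - 10.20.0.0/24
Host: 10.20.0.5 ()\tStatus: Up
Host: 10.20.0.5 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///
Host: 10.20.0.7 ()\tStatus: Up
Host: 10.20.0.7 ()\tPorts: 443/open/tcp//https///
Host: 10.20.0.42 ()\tStatus: Up
Host: 10.20.0.42 ()\tPorts: 80/open/tcp//http///, 3389/open/tcp//ms-wbt-server///
# Nmap done: 256 IP addresses (3 hosts up)
"""

# Constructed sample: asset inventory as declared in the system security plan
# (hypothetical format, ip -> hostname). 10.20.0.9 is declared but never answers.
SAMPLE_INVENTORY = {
    "10.20.0.5": "web-lb-01",
    "10.20.0.7": "api-gw-01",
    "10.20.0.9": "cmdb-db-01",
}

HOST_LINE = re.compile(r"^Host: (\S+) \((.*?)\)\t(Status|Ports): (.*)$")


def parse_greppable(text):
    """Return {ip: [(port, proto, service), ...]} for every host reported Up."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if not m:
            continue
        ip, _name, kind, rest = m.groups()
        if kind == "Status":
            if rest.strip() == "Up":
                hosts.setdefault(ip, [])
            continue
        # The Ports field may be followed by "\tIgnored State: ..."; keep only the ports.
        for entry in rest.split("\t")[0].split(","):
            fields = entry.strip().split("/")
            if len(fields) >= 5 and fields[1] == "open":
                hosts.setdefault(ip, []).append((int(fields[0]), fields[2], fields[4]))
    return hosts


def reconcile(scan, inventory, boundary):
    """Compare live hosts against the declared inventory inside the boundary.
    Returns (undisclosed, unseen): live hosts missing from the inventory, and
    inventory hosts that did not answer the sweep."""
    net = ipaddress.ip_network(boundary)
    in_scope = lambda ip: ipaddress.ip_address(ip) in net
    undisclosed = {ip: ports for ip, ports in scan.items() if in_scope(ip) and ip not in inventory}
    unseen = {ip: name for ip, name in inventory.items() if in_scope(ip) and ip not in scan}
    return undisclosed, unseen


if __name__ == "__main__":
    live = parse_greppable(SAMPLE_SCAN)
    undisclosed, unseen = reconcile(live, SAMPLE_INVENTORY, "10.20.0.0/24")
    for ip, ports in undisclosed.items():
        print(f"UNDISCLOSED {ip}: listening on {ports}")
    for ip, name in unseen.items():
        print(f"UNSEEN {ip} ({name}): declared but silent during the sweep")
```

On the sample data the sweep surfaces 10.20.0.42, a host serving HTTP and RDP that appears nowhere in the inventory, and flags the declared cmdb-db-01 as silent. Running the same reconciliation on each scan cycle is what shrinks the window Horton describes; a host that must be hidden from every monthly, weekly or 72-hour sweep has to be kept off the network each time.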
Cheating the process is always possible, acknowledges Ken Ammon, chief strategy officer, Xceedium, Herndon, Virginia. “There are many ways to shortchange the system. All FedRAMP certifications are not going to be equal,” he says, pointing out that it is up to the customer to scrutinize what a cloud provider has to offer. “You can look through the FedRAMP documentation with your security team and get some visibility into which cloud provider has taken an approach that you feel most comfortable with.” He adds that clients sometimes use a variety of approaches to “deal with the privileged user, insider threat issue,” and that it can be “like a game of Whack-a-Mole.”
Ammon also lauds the adoption of Revision 4. “It has come a long way from when they first rolled out the process. They are still tweaking and improving,” he says. “Cloud is about scale and reduction of costs, and if you do those things well, chances are you will have done some great things for security.”
Troia says the threat he describes will still be an issue in the coming months, but much less so as companies certify or recertify under the new criteria. “They’ve actually done a pretty solid job in modernizing the new control sets. They spend a lot more resources looking at the insider threats and some of the things that could potentially go on with the network, which is a huge improvement over what it is right now,” Troia says.
The system may be flawed, he says, but it is necessary. “The government is going down the right path not only with FedRAMP but also with cloud in general. Historically, the government hasn’t been the best at implementing their own security. Cloud computing is the best move for them in terms of honestly making sure their data is secure because it hasn’t been until now,” Troia concludes.