Securing the EVO Cyber Security Considerations

Transcription

1 A Whitepaper prepared from the EVOp Cyber Security Advisory Board Workshop 7 th November 2012

2 CONTENTS 1. Background: Securing the EVO EVO Cyber Security Advisory Board Cyber Security Advisory Board Workshop EVO Security Policy Framework Key Security Considerations for the EVO Striking the Right Balance (Confidentiality, Integrity & Availability) Cloud Security Data Protection Methods (Encryption & Other) Application Security EVO Portal Security EVO Security Resource Considerations Other Cyber Security Considerations... 8 Copyright Natural Environment Research Council (NERC). All Rights Reserved. Page 1 of 8

3 GLOSSARY OF TERMS & ABBREVIATIONS Terminology BAU BIL CSAB CSO EVO GRC Impact Assessment NERC Risk Appetite Risk Assessment Risk Profile SIRO SPF Definition Business as Usual Business Impact Level Cyber Security Advisory Board Chief Security Officer or Cyber Security Officer Environmental Virtual Observatory Governance, Risk and Compliance A process aimed at structuring and supporting the development of policies. It identifies and assesses the problem at stake and the objectives pursued. It identifies the main options for achieving the objective and analyses their likely impacts in the economic, environmental and social fields. It outlines advantages and disadvantages of each option and examines possible synergies and trade-offs. Natural Environmental Research Council The level of risk that an organisation is prepared to accept, before action is deemed necessary to reduce it. It represents a balance between the potential benefits of innovation and the threats that change inevitably brings on. The identification, evaluation, and estimation of the levels of risks involved in a situation, their comparison against benchmarks or standards, and determination of an acceptable level of risk. An evaluation of an organisation's willingness to take risks, as well as the threats to which an organisation is exposed. Senior Information Risk Owner Security Policy Framework Copyright Natural Environment Research Council (NERC). All Rights Reserved. Page 2 of 8

4 1. Background: Securing the EVO The Environmental Virtual Observatory (EVO) is a pilot project for the development of new cloud-based applications for accessing, interrogating, modelling and visualising environmental data. By developing local and national scale exemplars, the EVO is demonstrating how cloud technologies can make environmental monitoring and decision making more efficient, effective and transparent to the whole community. The role of the Cyber Security Advisory Board (CSAB) is to advise the core EVO team regarding security considerations for the commercialisation phase of the project. The secure handling of environmental data, models and tools is a major consideration in the design of the EVO; such security will be vital in meeting the expectations of international data providers and will ensure that the EVO can scale rapidly without compromising the integrity and availability of critical environmental information. The pilot project has been funded by NERC (Natural Environment Research Council) and will draw to a successful close at the end of The commercialisation of the project is now imminent. NERC has already proposed a base level of funding for this programme, commencing in 2013 and continuing for four years. In addition, a wider call for international funding is being launched via the Belmont Forum 1 and security is one of the allocated funding streams being considered. This whitepaper is intended to inform the EVO and its future investors of the key Cyber Security considerations, from which the scope for an EVO Security Policy Framework can be developed. This whitepaper is not intended to be a security architecture design document. The key objective of this document is to ensure that all possible security threats have been considered in the development of a Security Policy Framework, which will ultimately govern the implementation and delivery of the EVO service from commercialisation through to maturity and beyond. 2. EVO Cyber Security Advisory Board In order to ensure a depth and breadth of knowledge relevant to the cyber security requirements of the EVO project, considerable thought was given to the composition of the Cyber Security Advisory Board. In particular, our aim was to bring together a team of subject matter experts who could accurately represent the broad perspectives of the anticipated EVO user community, namely: Government and Defence organisations, Industry, Academia and the public. In light of this, the following individuals were appointed to the EVO Cyber Security Advisory Board: Mohan Koo Managing Director, Dtex Systems Sir Edmund Burton Chairman, Information Assurance Advisory Council Howard Schmidt Former Cyber Security Coordinator, the White House Neil Fisher VP Security, Unisys Mark Gittins Director, Lockheed Martin Oliver Hoare Former Head of Information Assurance & Cyber Security, Government Olympic Executive Matthew Dagnall Head of Technical Architecture, Information Assurance & IT Security, Met Office Rajan Koo Technical Services Director, Dtex Systems Sadie Creese Professor of Cyber Security, Oxford University Angela Sasse Head of Information Security Research, University College London 1 Copyright Natural Environment Research Council (NERC). All Rights Reserved. Page 3 of 8

5 3. Cyber Security Advisory Board Workshop With the objective of producing this whitepaper, a CSAB workshop was held to explore the key cyber security considerations for commercialisation of the EVO. The details of the workshop are as follows: EVO Cyber Security Advisory Board Workshop - 7 th November 2012 Lockheed Martin Cyber Innovation Centre: Chester House, Farnborough Aerospace Centre, Farnborough, Hampshire, GU14 6TQ Chaired by: Mohan Koo Managing Director, Dtex Systems Attendees: Neil Fisher VP Security, Unisys Mark Gittins Director, Lockheed Martin Oliver Hoare Former Head of Information Assurance & Cyber Security, Government Olympic Executive Matthew Dagnall Head of Technical Architecture, Information Assurance & IT Security, Met Office Bridget Emmett Project Director, Environmental Virtual Observatory Gordon Blair Lead Architect, Environmental Virtual Observatory Yehia El-khatib Technical Lead, Environmental Virtual Observatory Rajan Koo Technical Services Director, Dtex Systems Peer Reviewed by: Sir Edmund Burton Chairman, Information Assurance Advisory Council Howard Schmidt Former Cyber Security Coordinator, the White House Angela Sasse Head of Information Security Research, University College London Sadie Creese Professor of Cyber Security, Oxford University 4. EVO Security Policy Framework As one of the fundamental outputs from the CSAB workshop, all members agreed that the EVO will need to establish a Security Policy Framework (SPF) which will provide a foundation for security governance across all areas of the EVO project. This framework will ensure a security by design approach is undertaken throughout the plan, build and operate phases of the project. In a similar manner to the approach adopted by UK government 2, the SPF will define the standards, best practice guidelines 3 and approaches that are required to protect EVO assets (people, information and infrastructure), as well as the information assets of EVO users and suppliers of content. The SPF will focus on the outcomes that are required to achieve a proportionate and risk managed approach to security, without hampering the effectiveness of the EVO s core functionality. In order for this to be achieved, it is of vital importance that every EVO user adopts security best practices as a part of their daily routine. This will be driven by effective communication and enforcement of the SPF. While we may refer to the government SPF regarding general principles for creating such a framework, it is critical that the EVO SPF is designed specifically for the needs of the EVO and its users. This will be achieved by undertaking the appropriate Risk and Impact Assessments to gain a clear understanding of both the risk profile and risk appetite of the EVO, from which proportionate levels of security can be determined Copyright Natural Environment Research Council (NERC). All Rights Reserved. Page 4 of 8

6 5. Key Security Considerations for the EVO The CSAB has proposed six (6) key areas of security which will need to be considered in detail as part of the EVO commercialisation process. These key areas are defined in the following sub-sections, with all security considerations posed as questions which the cyber security team will need to answer during the early planning stages of commercialisation. 5.1 Striking the Right Balance (Confidentiality, Integrity & Availability) A clear understanding of the core principles and their corresponding priorities is important in the Security by Design approach. Additional core principles that should be considered include Non-repudiation, Authentication and Privacy. It is also clear that the importance of each core principal will vary based on security standards, classifications and the target audiences for each model, tool and data set. Some of the key questions for this section will include: How should these be prioritised (e.g. does Availability hold a higher priority than Data Integrity)? Confidentiality (multiple levels of access rights) How far do we rely on the cloud provider to uphold these levels of security? Where does their responsibility stop and ours start? Currently there is no agreement with data source owners as to what happens if source data becomes unavailable. What controls should be in place to mitigate these risks? What is the Availability requirement placed on EVO data? (i.e. what happens if high priority users depend on this information, e.g. emergency services?) If I am a high priority user, how does the EVO capture, retain and maintain my critical dependencies for immediate access when I need it? How should the EVO consider Non-repudiation, Authentication and Privacy, when attempting to strike the right balance? Classification of data, models and tools will be based on the Business Impact Levels (BIL) defined in the SPF and should be simple and easy to follow. How can we empower users to understand and follow EVO security standards and classifications? 5.2 Cloud Security Considerations associated with cloud security are generally separated by security concerns related to cloud providers and those related to their customers (i.e. the EVO). In the continuously evolving domain of cloud security, the Cyber Security Advisory Board will provide important guidance to ensure the right cloud providers are chosen and all cloud security issues are considered. The following questions should form part of this consideration: Proper due-diligence of chosen service provider(s) Is this an outsourced service or should the Cyber Security Advisory Board oversee an internally managed function? Negotiating the terms of the Service Level Agreement Where/how should security responsibilities be divided between the EVO and the provider? How will the EVO differentiate between user to portal and application to data communications (by acknowledging that security requirements may differ between the two)? A hybrid cloud deployment model (i.e. a combination of private and public clouds) may be a practical approach towards maintaining a balance between innovation and security. Should this be managed by a single provider and how will the security considerations be applied? Copyright Natural Environment Research Council (NERC). All Rights Reserved. Page 5 of 8

7 How will governance, risk and compliance (GRC) be managed between EVO and the cloud provider? Data Storage and Residency What are the legal and regulatory requirements to be considered, collectively and by region? Recovery What are the considerations for secure consistent backups and restoration of cloud based resources? Strong authentication, authorisation and auditing mechanisms must form part of the foundation. How should these be implemented and managed? Are Geographical Computing and Virtualisation key considerations for the EVO within a cloud based environment? Isolated Networks What security considerations must be made when segregating EVO networks from supplier and/or customer networks? What is the best method for customers to gain secure access to cloud-based resources? How should Resource Management be designed to prevent denial of service (DoS) attacks? How will anomalous activities by EVO users (e.g. highly resource intensive actions, or abnormal requests) be identified and managed to ensure that availability and general security are preserved? 5.3 Data Protection Methods (Encryption & Other) Perimeter or layer protection methods (i.e. firewalls and IDS/IPS) are common focal points in the protection of data. Whilst these methods serve their place, an additional consideration for the EVO is security of the systems that will store and process the most sensitive data. Implementation of appropriate encryption methods may be a suitable method for ensuring that data is protected within the data centre(s), not just at the perimeter. Understanding the ideal encryption methods and how and when to implement them is vital in maintaining the high performance of EVO virtual modelling and the transmission of live data (such as river levels, realtime temperatures, etc.). Some of the considerations regarding data protection methods will include: Data Classification Effective implementation of data classification can simplify encryption requirements and generate improvements in data centre performance and utilisation. Who is responsible for classifying data at the point of entry into the system and/or once a model has been created? In addition, who will be responsible and accountable for governing such classification. Data Separation/Segregation How should these be aligned to support data classification or other specific project security requirements? Key Management Systems The security that encryption offers is only as good as the systems used to store and manage the encryption keys. What key management systems are appropriate for EVO data? For what purposes will the EVO process sensitive data and what conditions need to be satisfied in order to do so? Encryption of data in transit and data at rest What methods should be considered and how might these impact performance? What other means of protection should be considered as alternative or complementary to encryption based methods? What type of Risk Assessment(s) should be undertaken during development of the SPF to determine the appropriate levels of protection? Copyright Natural Environment Research Council (NERC). All Rights Reserved. Page 6 of 8

8 5.4 Application Security Whenever an EVO application interacts with suppliers and customers (end users), both the data and the application itself must be protected. As the EVO is expected to allow end users to create data workflows to modify how data is analysed, it will be important to keep an audit trail of user activities and alert on behaviour which falls outside the norm. Just as important is the need to have an audit trail for all activities undertaken on any database which stores critical EVO information. Application security considerations should include: What key threats/attacks must be considered? What auditing mechanisms are required to detect and alert on irregular activity (i.e. Database Activity Monitoring (DAM), User Activity Monitoring (UAM) etc.)? What is the appropriate level of Protective Monitoring and how should high risk activities be defined, identified and mitigated? Outside of username/password and web-access control systems, do advanced Identity Management (IdM) systems need to be considered? What is the best approach for incorporating security into the EVO software development process? What security mechanisms will ensure malicious or faulty applications are verified before being uploaded to sensitive EVO areas? How should the EVO differentiate between user to portal and application to data communications in order to determine the appropriate security requirements for each? Flexible standards such as INSPIRE and WPS are essential to promote innovation. How do we protect end points and applications from accidental or deliberate misuse to ensure that such flexibility is not exploited? 5.5 EVO Portal Security The EVO portal will aggregate content from all of the EVO systems providing a means for users to explore a variety of data sources and execute simulations and models in the cloud. It is vital that portal security ensures that only an authorised user can generate requests to the applications server(s). The following are some of the portal security considerations: Due diligence on the portal provider Is this an outsourced service or an internal responsibility to be overseen by the Cyber Security Advisory Board? If this an outsourced service, where should the division of security responsibilities be drawn? In the event of an outsourced arrangement, negotiation of any SLAs will have a critical impact on the security of the EVO portal. What are the key considerations for such negotiations? Outside of general internet security best practises, what are the EVO specific portal security requirements? Identity Assurance will be critical for Portal Security and Integrity. How will such assurance be managed and who will be responsible? How will identities and roles be mapped, particularly where a single identity may have multiple roles and/or responsibilities? As the EVO user base and volume of content continues to grow, how will the mechanisms for portal security scale? Copyright Natural Environment Research Council (NERC). All Rights Reserved. Page 7 of 8

9 5.6 EVO Security Resource Considerations As the EVO commences commercialisation, a core team will need to be assigned with responsibility for developing the SPF and driving cyber security as a BAU function. The following are some of the key considerations in relation to the resourcing requirements: If the CSAB maintains a non-operational strategic advisory role, who will be tasked with implementing cyber security strategy and ensuring that the SPF is well communicated and enforced? Will this be a dedicated resource or will the core EVO team share this responsibility? If responsibility is shared, how will governance be enforced? Given that the EVO team currently operates under a consortium based structure, how will cyber security collaboration be encouraged and how will SPF compliance be enforced? (For example, a CSO or SIRO Council could be formed, where each consortium member appoints someone to be responsible for their compliance). How will security training and awareness be managed and implemented throughout the plan, build and operate phases of the project? 5.7 Other Cyber Security Considerations While the six (6) sub-sections above cover the key cyber security considerations for the EVO project as it enters the commercialisation phase, the following are some additional areas which should also be considered: The legal implications for commercialisation of the EVO have been considered in parallel to the cyber security considerations. What are the legal concerns which will have an impact on security and vice versa? How will the EVO ensure that the approach to interdependent legal and security issues is joined up? Should development of the project be aligned with any particular Cyber Security standards such as ISO27001/2? If so, will this standard be adequate to cover future technology requirements, including rapidly evolving mobile device security requirements? Are there any other domain specific security considerations and how should these be approached by the EVO? Copyright Natural Environment Research Council (NERC). All Rights Reserved. Page 8 of 8