How To Secure Cloud Compute At Eduserv

Implementing the CESG Cloud Security Principles
February 2015
Eduserv Public, www.eduserv.org.uk

Contents

Introduction
The principles
About our claims
1 Data in transit protection
2 Asset protection and resilience
2.1 Physical location and legal jurisdiction
2.2 Data centre security
2.3 Data at rest protection
2.4 Data sanitisation
2.5 Equipment disposal
2.6 Physical resilience & availability
3 Separation between consumers
4 Governance framework
5 Operational security
5.1 Configuration and change management
5.2 Vulnerability management
5.3 Protective monitoring
5.4 Incident management
6 Personnel security
7 Secure development
8 Supply chain security
9 Secure consumer management
9.1 Authentication of consumers to management interfaces and within support channels
9.2 Separation and access control within management interfaces
10 Identity and authentication
11 External interface protection
12 Secure service administration
13 Audit information provision to consumers
14 Secure use of the service by the consumer

Eduserv Public Page 2 of 16

Introduction

As a buyer of cloud services, you are responsible for understanding your information assurance and security requirements and for assessing how well the suppliers you choose can meet them. The CESG Cloud Security Principles are one of the key tools that help you undertake that assessment. CESG have released a document entitled Implementing the Cloud Security Principles [1] which describes a set of 14 cloud security principles [2] and how they can be implemented. This document summarises how we implement each of the principles and, where appropriate, how we can help you to implement them within your own systems.

The principles

The 14 cloud security principles identified by CESG are as follows:

1. Data in transit protection: Consumer data transiting networks should be adequately protected against tampering and eavesdropping via a combination of network protection and encryption.
2. Asset protection and resilience: Consumer data, and the assets storing or processing it, should be protected against physical tampering, loss, damage or seizure.
3. Separation between consumers: Separation should exist between different consumers of the service to prevent one malicious or compromised consumer from affecting the service or data of another.
4. Governance framework: The service provider should have a security governance framework that coordinates and directs their overall approach to the management of the service and information within it.
5. Operational security: The service provider should have processes and procedures in place to ensure the operational security of the service.
6. Personnel security: Service provider staff should be subject to personnel security screening and security education for their role.
7. Secure development: Services should be designed and developed to identify and mitigate threats to their security.
8. Supply chain security: The service provider should ensure that its supply chain satisfactorily supports all of the security principles that the service claims to implement.
9. Secure consumer management: Consumers should be provided with the tools required to help them securely manage their service.
10. Identity and authentication: Access to all service interfaces (for consumers and providers) should be constrained to authenticated and authorised individuals.
11. External interface protection: All external or less trusted interfaces of the service should be identified and have appropriate protections to defend against attacks through them.
12. Secure service administration: The methods used by the service provider's administrators to manage the operational service should be designed to mitigate any risk of exploitation that could undermine the security of the service.
13. Audit information provision to consumers: Consumers should be provided with the audit records they need to monitor access to their service and the data held within it.
14. Secure use of the service by the consumer: Consumers have certain responsibilities when using a cloud service in order for this use to remain secure, and for their data to be adequately protected.

[1] https://www.gov.uk/government/publications/implementing-the-cloud-security-principles
[2] https://www.gov.uk/government/publications/cloud-service-security-principles

About our claims

In reading our responses to the individual principles, it should be noted that many of the claims we make about our Secure Cloud Compute services have been independently validated and tested. We also make extensive use of assured products. Independent verification and use of assured products are two of the key strategies that CESG suggest buyers use to assess claims made by suppliers. Secure Cloud Compute:

- Has an appropriately scoped ISO27001:2005 certification by a UKAS accredited certifying body (reviewed by PGA)
- Has been CESG PGA certified at BIL 2-2-4
- Has been CESG PGA certified at BIL 3-3-3 (where the Enhanced Segregation service option is selected)
- Has undergone a comprehensive and appropriately scoped ITHC by an independent CHECK provider (validated by CESG)
- Makes comprehensive use of assured products (consistent with their Target of Evaluation) such as EAL4 compute, network and firewalls and CPA assured firewalls
- Has undergone a design review by CESG (Enhanced Segregation).

We work extensively with government and third sector organisations, where information security is a primary concern. Security is therefore a key priority across all our operations, ranging from our data centre, network and cloud infrastructures to our managed services and application development capability. We have a well-established Service and Security Operations framework for managing IL2 and IL3 infrastructure services and for supporting IL2 and IL3 RMADS accreditation. It is centred on our ITIL Service Management approaches, our ISO27001-certified Infosec Management System and our documented SyOPs, with appropriate consideration of IL3 security operations compliance. The latter includes HMG Security Policy Framework standards and recommended practice in the relevant CESG Good Practice Guides (GPG-13, GPG-20 and GPG-35). The key elements of our framework include:

- Service support and delivery: incident management, change and release management, availability management and IT service continuity management.
- Security operations: vulnerability and operational risk assessment, system access controls and security incident management procedures.
- Protective monitoring services to DETER level, including appropriate event log and incident recording, and the review, analysis and actioning of threats.

We have a Network and Security Operations Centre located within our offices, staffed by a dedicated, specialist team that is appropriately trained and security cleared. It utilises a broad range of tools to monitor all key Eduserv data centre LAN and WAN network connections and customer-specific network and security service solutions.

1 Data in transit protection

Principle: Consumer data transiting networks should be adequately protected against tampering and eavesdropping via a combination of network protection and encryption.

We offer a number of options for making secure connections to our Cloud Compute services:

- IPsec VPN encrypted overlay over an Internet connection
- CPA/PEPAS approved encrypted overlay over an Internet connection
- PSN Assured connection
- PSN Protected encrypted connectivity via the PSN IPED
- PSN Protected encrypted overlay over a PSN Assured IL2 connection
- Dedicated private link
- GSi connectivity

We can assist customers in using TLS 1.2 to protect websites and other services and can assist with the purchase and management of appropriate certificates to support this. We also have the capability to layer encryption, e.g. TLS over IPsec VPNs. Other, bespoke, options exist to extend transit protection down to a customer's tenancy.

2 Asset protection and resilience

Principle: Consumer data, and the assets storing or processing it, should be protected against physical tampering, loss, damage or seizure.

2.1 Physical location and legal jurisdiction

Eduserv is a UK not-for-profit company and our cloud services are operated solely within UK jurisdiction. We are ISO27001 certified and use appropriate management infrastructure, network connectivity, staff security clearances and processes to deliver our cloud services in line with the Cabinet Office Security Policy Framework (SPF), the CESG Good Practice Guides, DETER protective monitoring and the DPA principles. Our cloud delivery infrastructure is hosted in our primary data centre in Swindon and our secondary (disaster recovery) site in Slough. All data is held exclusively in the UK.

2.2 Data centre security

Our primary Swindon data centre is certified to ISO9001:2008, ISO14001:2004, OHSAS18001:2007 and ISO27001:2005 and is used to host the majority of our services, including both cloud services and colocation. It caters for OFFICIAL data assessed at Business Impact Levels IL0 to IL3. We operate layered physical security controls and 24/7 manned intrusion detection and monitoring. Staff are security cleared to at least Basic Check Verification. This has been audited and assessed as fully compliant by a CESG PGA accreditor and independently assessed using SAPMA as exceeding the requirements for IL3 assets at a SEVERE threat level.

Our Disaster Recovery (DR) site, which is also used to store off-site backups of customer data, is based in Slough and is owned and operated by Equinix. The data centres at this site are certified to ISO9001:2008, ISO14001:2004, OHSAS18001:2007, ISO27001:2005, ISO50001:2011 and PCI-DSS and are protected by high-security fences, CCTV surveillance and biometric entrance points with ballistic glass, mantraps and bulletproof doors. Physical access to Eduserv servers at this site is limited to Eduserv staff.

2.3 Data at rest protection

Physical access to media and storage devices is restricted to Eduserv staff. Virtual access to customer data held in our cloud services is limited to the customer's tenancy, with control mechanisms set within the VM operating systems. This approach uses assured products (vCloud Director and vSphere) and has been independently validated through the ITHCs undertaken as part of our PGA IL2 and IL3 certification. We can advise customers about data encryption, both for data at rest and during onboarding and off-boarding. This can include advice about the use of encrypted filesystems on customer VMs and the use of row-level or cell-level database encryption if necessary. Note that the protection described here is access control around the tenancy rather than encryption of the underlying storage; encryption of data at rest is something the customer applies within their own VMs.

2.4 Data sanitisation

Eduserv has a robust off-boarding process for both colocation and cloud customers, covering physical kit, virtual machines, networking configurations and all other aspects of a customer's physical or virtual estate. All customer data is securely destroyed as part of the off-boarding process. For cloud customers, the process destroys the customer's virtual tenancy in such a way that none of the customer's assets can be re-used or recovered. As part of our off-boarding process, existing backups of customer data are usually deleted in line with the agreed data-retention period; they can, however, be deleted earlier on customer request.

2.5 Equipment disposal

Our hardware decommissioning process ensures that all decommissioned storage media is physically shredded prior to leaving our data centres, in line with HMG IA Standard No. 5 (IS5, Secure Sanitisation).

2.6 Physical resilience & availability

Our data centre in Swindon, which hosts our primary cloud IaaS platforms, has a power, cooling and cross-connect infrastructure built to the standards of a Tier III data centre (99.982% availability over a rolling 12 month period). Our Secure Cloud Compute service has been accredited for availability at level 4 (PGA BIL 2-2-4), or at level 3 (PGA BIL 3-3-3) where the Enhanced Segregation service option is selected; the availability level is the third figure of the Business Impact Level triple (confidentiality-integrity-availability). These have been independently validated by a CHECK provider.

For Secure Cloud Compute customers, our minimum infrastructure availability service level is 99.9% service uptime per calendar month. Customers may request service credits if they can demonstrate uptime below this level. For Managed Infrastructure customers, our minimum VM availability service level is 99.7% service uptime per calendar month (suspended during any period when the customer has administrator or root access to a VM). Services that make use of load balancing across multiple VMs will achieve significantly better uptime.

Our Disaster Recovery service allows for the failover of Managed Infrastructure customer services to our secondary site in the event of a major failure at our primary data centre. This service provides an RPO of 15 minutes and an RTO of 2 hours.

3 Separation between consumers

Principle: Separation should exist between different consumers of the service to prevent one malicious or compromised consumer from affecting the service or data of another.

We offer both public (community) and private cloud IaaS services and associated service management options. Our Secure Cloud Compute service is a multi-tenanted community cloud offering (as defined by NIST), where the community is limited to public good organisations in the government, third, health and education sectors. Our Private Cloud Compute service delivers Managed IaaS using a single-tenanted private cloud offering (as defined by NIST).

Our multi-tenanted services use a combination of logical and physical separation of customers, using VMware vCloud Director and vSphere to segregate tenancies (in line with CESG assurance and Common Criteria EAL 4+). Our Secure Cloud Compute service uses vShield Edge devices (virtual firewall routers), edge firewalls and VLANs to segregate traffic between different customers. When selected, our Enhanced Segregation service option provides a physically separate platform that has been subjected to a CESG design review, using PVLANs to segregate traffic between different customers. These approaches to separation were independently validated by a CHECK provider as part of our PGA IL2 and IL3 accreditation.

4 Governance framework

Principle: The service provider should have a security governance framework that coordinates and directs their overall approach to the management of the service and information within it.

Our cloud services and wider business operations have the appropriate management infrastructure, network connectivity, staff security clearances and processes to deliver our cloud services in line with the Cabinet Office Security Policy Framework (SPF) baseline control set at the DETER segment. Information security is governed by a dedicated Information Security team using our formally documented Information Security Management System, which has been continuously certified to ISO/IEC 27001:2005 by a UKAS accredited certifying body. Eduserv's Executive has delegated direct responsibility for the overall security of Eduserv's cloud services to our Chief Information Security Officer. Risk management for our cloud services is managed through a monthly Security Working Group and RMADS are maintained for each service. Technical compliance checks and protective monitoring at DETER are in place, and the services are subject to independent ITHCs by CHECK providers and to external accreditation by the Pan Government Accreditor on an annual basis.

5 Operational security

Principle: The service provider should have processes and procedures in place to ensure the operational security of the service.

5.1 Configuration and change management

We have a robust and mature change process that is fully integrated throughout all areas of the business asset change lifecycle and that is independently validated as part of ISO27001. Our Configuration Management Database (CMDB) is the central information repository for technical data about all Eduserv configuration items. Change and configuration management activities conducted by Eduserv include:

- Logging and scheduling of service requests received via the customer change authority.
- Impact and risk analysis of proposed changes in liaison with relevant third parties, including change approval, security review and regression planning.
- Maintenance of a log of changes; a summary of relevant changes is provided to customers in their monthly report.

Our Managed Protective Monitoring service (which is based on AccelOps and is an optional component of our Managed Infrastructure service) includes an inventory management solution able to cover a customer's on-premise and cloud devices and all aspects of hardware (serial numbers, licences, BIOS, processors, memory, etc.) and software (vendor, version, licence, patch levels, etc.) information. This can be used by customers to support their own configuration and change management processes.

5.2 Vulnerability management

As part of our centralised patch management and monitoring process, Eduserv ensures that operating system patches and enhancements are assessed and applied to our management and customer infrastructure in a regular, timely manner with the minimum impact to service. As part of this, we apply routine patch management through automated patch schedules deployed to low impact environments at N+2 days and to high impact environments at N+9 days. This process has been independently validated as part of ISO27001.

We maintain our situational awareness of new and emerging threats through engagement with vendors, CERTs and specialist groups. We have a dedicated OpSec team and dedicated technical information security specialists and adopt a proportionate and prioritised vulnerability management approach based on severity, exposure and compensating controls.

Our Managed DDoS Protection service (which is optionally offered alongside our Managed Infrastructure service) includes a DDoS mitigation service, a content delivery network (CDN) and a Web Application Firewall (WAF) capability integrated into a single cloud-based service. The service protects customers against DDoS attacks, allows them to serve content to end users with high availability and high performance and helps them to meet PCI-DSS requirements.

5.3 Protective monitoring

We run protective monitoring against all our cloud platforms (covering all the management and customer infrastructure) in line with the RMADS that were independently validated as part of our IL2 and IL3 PGA. Our Managed Protective Monitoring service uses a dedicated team to provide the setup, configuration and ongoing operation of log monitoring, event analysis and automated alerting in line with CESG's Good Practice Guide no. 13 (GPG-13). All relevant logs are collected, analysed, reported on and archived appropriately. Our protective monitoring activities were independently reviewed as part of the ITHCs undertaken as part of our IL3 PGA. Any issues identified through protective monitoring are fed into our incident management process.

5.4 Incident management

We operate a well-defined and established ITIL incident management process to log, assign and diagnose incidents based upon urgency and impact (severity/extent) and to restore service operation as quickly as possible with the minimum disruption, in line with the agreed hours of service and target incident recovery service level. This process has been validated as part of ISO27001.

Incident management is carried out by the Eduserv Primary Support Group (supported by our Third Line Support Team and Infrastructure Engineering Group as appropriate), whose duties include:

- Incident detection and recording, including agreement of incident priority and logging on the incident ticketing system.
- Diagnostics, investigation and incident assignment: incident assessment and referral of issues to the relevant resolution team.
- Incident recovery: VM reboot, restoration of a VM configuration from backup media, or implementation of a fix, in line with change management procedures and in conjunction with the customer and relevant third parties.
- Call update and escalation with respect to the target incident recovery service level.
- Critical incident review and monthly security event reviews.

In line with our Shared Security Policy, any incident that runs the risk of jeopardising the integrity of our services is investigated and reported to the Eduserv Information Security team and the appropriate authorities. The first responder principles are applied at the point an incident is detected by either Eduserv or any tenant.

Incidents will be managed using Eduserv s Information Security Management process and a chain of custody maintained for all evidence collected and preserved. Eduserv will use the services of a professional forensic investigation company as necessary. Incidents will reviewed by the Security Working Group to identify trends and agree any remediation identified as necessary. 6 Personnel security Principle: Service provider staff should be subject to personnel security screening and security education for their role. All Eduserv staff who have privileged roles with respect to customers' information security are SC-vetted. This process is independently verified by Defence Business Services National Security Vetting and includes an unspent criminal conviction declaration and checks on identity, right to work, educational qualifications, career history and references. All Eduserv staff are covered by our disciplinary procedure and staff who have privileged roles with respect to customers' information security are required to sign our SyOPs and work in accordance with our System Administration Policy. Eduserv is ISO27001 certified, as part of which all staff receive training and awareness about their security responsibilities. 7 Secure development Principle: Services should be designed and developed to identify and mitigate threats to their security. Eduserv services are maintained and developed in light of evolving and emerging threats through our Product Development Board and our Security Working Group. Our development is done in-house following development guidelines. All code is developed in an IDE and is held in our version control systems. Internal testers are responsible for the routine testing of systems and robust release management practices are in place. Our development processes are within scope of our ISO27001 certification and have therefore been independently validated. 
8 Supply chain security Principle: The service provider should ensure that its supply chain satisfactorily supports all of the security principles that the service claims to implement. Eduserv makes limited use of third parties and, where there is a significant information security risk, only outsources services or operations to providers who are established and reputable and who have information security systems at least equivalent to Eduserv s. Any such provision is included in our risk assessments and managed as part of our security requirements checklist. Eduserv Public Page 12 of 16

The providers of outsourced services and operations are responsible for implementing relevant information security controls and we monitor their performance. We do not allow unescorted access by providers to any of our facilities. Our use of third parties is within scope of our ISO27001 certification and has therefore been independently validated. 9 Secure consumer management Principle: Consumers should be provided with the tools required to help them securely manage their service. 9.1 Authentication of consumers to management interfaces and within support channels Depending on which services have been purchased, customers may be given access to our cloud platforms' management user interfaces, our cloud platforms' APIs and/or a service desk. Our cloud platforms' management interfaces are accessed via a web interface. Our service desk is available by a web interface, telephone and email. Customer-access to the Secure Cloud Compute management interfaces is only provided to self-managed customers, i.e. to customers who have not purchased our Managed Infrastructure service, and is protected using TLS 1.1. There is no customer access to the Secure Cloud Compute management interfaces where the Enhanced Segregation service option has been selected. Web access to our service desk is protected using TLS 1.2. Although access to our service desk is available via both telephone and email, all calls requiring privileged action must be initiated using the web interface (except out of hours when they can be raised by telephone provided a correct passphrase is quoted). Customer passwords are only shared with the customer via a telephone call (initiated by us) and therefore do not remain visible within the service desk system. Access to our cloud platforms APIs (self-managed customers only) is protected using TLS 1.1. In all cases, we enforce appropriate password complexity rules. 
9.2 Separation and access control within management interfaces Our cloud platforms' management interfaces use role-based access control to limit functionality to specific user accounts. These roles can be used by customers (and by Eduserv) to tailor functionality to particular classes of user. These role-based permissions are inherited from the API. We use assured products (vsphere and vcloud Director) to deliver this functionality. As noted in section 9.1, customers who make use of our Managed Infrastructure service, i.e. who ask us to manage their infrastructure on their behalf, get no access to the cloud platform management interface (and usually get restricted access to their VM operating systems, Eduserv Public Page 13 of 16

though this can be adapted in certain circumstances). The use of our Managed Infrastructure service is mandated at IL3. 10 Identity and authentication Principle: Access to all service interfaces (for consumers and providers) should be constrained to authenticated and authorised individuals. Named user accounts are set up prior to any customer service being made live, with secure information being exchanged out of band. All access to our cloud platforms' management user interfaces, our cloud platforms' APIs and our service desk is subsequently restricted to that limited set of named accounts. Access to the cloud platforms management interfaces is protected using usernames and passwords and self-managed customers (at IL2 only) are able to choose their own passwords. User accounts are managed using Active Directory and are limited to dedicated tenancies which are not re-used. Our protective monitoring service provides alerts and reporting about logins and failed logins. We have measures in place to deter brute force attacks and the cloud platforms' management interfaces and service desk were subject to independent validation as part of the ITHCs undertaken for PGA at IL2 and IL3. Multi-factor authentication is currently available as a bespoke solution and is on our development roadmap for G-Cloud. Federated access control to our cloud platforms management interfaces, based on SAML 2, is available as an option for self-managed customers (at IL2 only). 11 External interface protection Principle: All external or less trusted interfaces of the service should be identified and have appropriate protections to defend against attacks through them. Our Secure Cloud Compute service was independently pen-tested to appropriate levels as part of the accreditation ITHC, with testing undertaken by CHECK providers and the scope validated by the PGA. Where the Enhanced Segregation service option is selected, the underlying platform has also been subjected to a CESG design review. 
Access to our Secure Cloud Compute management interface and API is available over the Internet, Janet and dedicated links. Access to customer VMs hosted on that platform is limited to the networks associated with their particular tenancy.

Where the Enhanced Segregation service option is selected, access to our Secure Cloud Compute management interface and API is only available to Eduserv staff. Access to customer VMs hosted on that platform is limited to the PSN or an appropriately accredited link.

All our cloud services are protected at the network edge by carrier-class next generation firewalls.

12 Secure service administration

Principle: The methods used by the service provider's administrators to manage the operational service should be designed to mitigate any risk of exploitation that could undermine the security of the service.

Our Secure Cloud Compute service is underpinned by logically separated management and customer infrastructure. This infrastructure is managed directly from devices which are also used for normal business use (with access controlled as outlined in our responses to principles 9 and 10). Bastion hosts are on the roadmap for this service.

Where the Enhanced Segregation service option is selected, our Secure Cloud Compute service is underpinned by a physically separated management and customer infrastructure platform. It is managed using dedicated devices on a segregated network, accessed via dedicated VPN and endpoints.

Both platforms were independently pen-tested to appropriate levels as part of the accreditation ITHC, with testing undertaken by CHECK providers and the scope validated by the PGA. Our Enhanced Segregation service option has also been subjected to a CESG design review.

13 Audit information provision to consumers

Principle: Consumers should be provided with the audit records they need to monitor access to their service and the data held within it.

We do not currently provide audit information to customers as a standard part of our service. However, our Managed Protective Monitoring service can be used to provide customers with log monitoring, event analysis, automated alerting and monthly reports in line with CESG's Good Practice Guide no. 13 (GPG-13).

14 Secure use of the service by the consumer

Principle: Consumers have certain responsibilities when using a cloud service in order for this use to remain secure, and for their data to be adequately protected.
Customer responsibilities were documented as part of our accreditation RMADS at IL2 and IL3. These include our Shared Security Policy and Tenant Information Assurance Conditions. Our Eduserv Terms of Business for Managed Cloud and Digital Development Services [3] make general reference to the need for customers to adhere to good security practices.

We do not currently make detailed security guidance directly available to customers as part of our cloud services Knowledge Base, but it is on our documentation roadmap to do so.

[3] http://www.eduserv.org.uk/legal/internet-solutions-terms-of-business
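As an added illustration of the login and failed-login alerting described in section 10 and the log monitoring and periodic reporting described in section 13, the following is example code written for this page, not Eduserv's protective monitoring service; the log line format, user names and addresses are constructed, and the threshold and window are assumed values.

```python
# Added example, not Eduserv's code: a minimal protective-monitoring rule that reports
# logins and failed logins and alerts on repeated failures. The log format is constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<result>LOGIN_OK|LOGIN_FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample log lines (hypothetical users and addresses).
SAMPLE_LOG = """\
2014-12-09T10:00:01 LOGIN_OK user=alice src=10.0.0.5
2014-12-09T10:00:10 LOGIN_FAIL user=bob src=203.0.113.7
2014-12-09T10:00:12 LOGIN_FAIL user=bob src=203.0.113.7
2014-12-09T10:00:15 LOGIN_FAIL user=bob src=203.0.113.7
2014-12-09T10:00:18 LOGIN_FAIL user=bob src=203.0.113.7
2014-12-09T10:00:21 LOGIN_FAIL user=bob src=203.0.113.7
2014-12-09T10:30:00 LOGIN_FAIL user=carol src=10.0.0.9
2014-12-09T10:31:00 LOGIN_OK user=carol src=10.0.0.9
""".splitlines()

def parse(lines):
    """Yield (timestamp, result, user, src) for well-formed lines; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]

def summarise(lines):
    """Per-user counts of successful and failed logins, for a periodic report."""
    stats = defaultdict(lambda: {"ok": 0, "fail": 0})
    for _, result, user, _ in parse(lines):
        stats[user]["ok" if result == "LOGIN_OK" else "fail"] += 1
    return dict(stats)

def brute_force_alerts(lines, threshold=5, window=timedelta(minutes=5)):
    """Return (user, src, first_failure_ts) for each burst of `threshold` failures
    from one (user, src) pair within `window`; the window resets after an alert."""
    failures = defaultdict(list)
    alerts = []
    for ts, result, user, src in parse(lines):
        if result != "LOGIN_FAIL":
            continue
        key = (user, src)
        recent = [t for t in failures[key] if ts - t <= window] + [ts]
        if len(recent) >= threshold:
            alerts.append((user, src, recent[0]))
            recent = []
        failures[key] = recent
    return alerts
```

On the sample data, `summarise` gives the per-user report and `brute_force_alerts` raises a single alert for the burst of five failures against "bob", while the isolated failure for "carol" followed by a successful login produces none.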