David Slater G-Cloud Meet Up
Transcript of David Slater G-Cloud Meet Up
David Slater, CLAS Consultant
dd-mm-yyyy
Security in G-Cloud Services at Restricted
| Identity, Security and Risk Management from Atos Consulting
Introduction
• Achieving Restricted (IL3) accreditation of service is not easy
• Presentation covers experiences gained from achieving accreditation of Restricted (IL3) services for Atos
• Not an exhaustive list – just the highlights
Before You Start …
• Review your solution against:
  • CESG Architectural Patterns
  • CESG Good Practice Guides
  • IS Standards
• Check that your ISO 27001 certification is:
  • Current
  • Suitably scoped
  • UKAS certified (recognised)
• CESG like compliance matrices against the relevant GPGs
• Read the PSN Code
Key Security Controls
• Make sure applications:
  • Address the OWASP Top Ten
  • Think about limiting concurrent logins
  • Think about defence in depth
  • Input validation
  • Parameterised stored procedures
  • Output validation
• Manage out-of-band:
  • Separate interface
  • Not via the Internet
• Lock everything down against industry guides (Centre for Internet Security)
• Use CPA approved or Common Criteria approved products
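The application controls on this slide (OWASP Top Ten, input validation, parameterised queries, output validation, limiting concurrent logins) are easier to assess when seen in code. The example below is added here and is not from the presentation or from Atos; it uses an in-memory SQLite table, a constructed user list and a hypothetical `SessionLimiter` to show the string-concatenated query that an accreditor's penetration test would flag beside the validated, parameterised and output-encoded form, plus a per-user cap on concurrent sessions.

```python
import html
import re
import sqlite3

# Allow-list for usernames: letters, digits, dot, underscore, hyphen; 1-32 chars.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def setup_db():
    """Constructed sample data: an in-memory users table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, display_name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "Alice <Admin>", "admin"), ("bob", "Bob", "user")],
    )
    return conn


def lookup_unsafe(conn, username):
    """The 'before' form: user input concatenated into SQL (OWASP A1, injection).

    A value such as "' OR '1'='1" changes the WHERE clause and returns every row,
    which is exactly what a recent penetration test report would call out."""
    query = (
        "SELECT username, display_name FROM users WHERE username = '" + username + "'"
    )
    return conn.execute(query).fetchall()


def validate_username(username):
    """Input validation: reject anything outside the allow-list before it reaches SQL."""
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        raise ValueError("username fails allow-list validation")
    return username


def lookup_safe(conn, username):
    """Hardened form: validated input, parameterised query, output encoded for HTML."""
    username = validate_username(username)
    rows = conn.execute(
        "SELECT username, display_name FROM users WHERE username = ?", (username,)
    ).fetchall()
    # Output validation/encoding: display names are untrusted when rendered in a page.
    return [(user, html.escape(display)) for user, display in rows]


class SessionLimiter:
    """Hypothetical concurrent-login cap: at most max_sessions live sessions per user."""

    def __init__(self, max_sessions):
        self.max_sessions = max_sessions
        self.sessions = {}  # username -> set of session ids

    def login(self, username, session_id):
        """Return True and record the session if the user is under the cap, else False."""
        live = self.sessions.setdefault(username, set())
        if len(live) >= self.max_sessions:
            return False
        live.add(session_id)
        return True

    def logout(self, username, session_id):
        self.sessions.get(username, set()).discard(session_id)

    def active_count(self, username):
        return len(self.sessions.get(username, set()))


if __name__ == "__main__":
    db = setup_db()
    print("unsafe, injected:", lookup_unsafe(db, "' OR '1'='1"))
    print("safe, alice:", lookup_safe(db, "alice"))
    limiter = SessionLimiter(max_sessions=2)
    print([limiter.login("alice", s) for s in ("s1", "s2", "s3")])
```

The parameterised query keeps data out of the SQL grammar regardless of content, so the allow-list validation is defence in depth rather than the only barrier; the HTML escaping is the output-validation step for the one sink shown here (a web page), and a different sink would need its own encoder.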
Support
• Keep it in the UK at Restricted (IL3)
• Use secure protocols:
  • SSH
  • HTTPS
• Use dedicated support terminals
• CESG approved encryption across insecure networks
  • Issue with approved products
• Support from the office – not via Internet/Remote Access
• Cleared staff
  • Another issue
Consider hosting in a pre-accredited Service
• A number of accredited ‘hosting’ environments:
  • Atos
  • Skyscape
  • Lockheed Martin
  • SCC
• Not all the same; each has its strengths and weaknesses
• Look at what you get against your needs:
  • Internet connection
  • PSN connection
  • Support connections
  • Monitoring
  • Patching
  • Disaster recovery
  • Protective monitoring
Things that catch you out ….
• Staff clearances
  • Cabinet Office will clear a small number
  • SC for privileged users
• Key material for CAPS products
  • No easy route to gain
  • No real alternative
• Penetration tests
  • Must be recent – a many-month-old test is no good
  • A single vulnerability allowing inter-network connection is enough to fail
• CESG Design Review
The PGA is ….
• Risk averse
• Well briefed
• Has a lot of backup
• Aligned with CESG Guidance
Thank You