David Slater G-Cloud Meet Up

David Slater, CLAS Consultant

Presentation from David Slater at our G-Cloud Meet Up

Security in G-Cloud Services at Restricted

Identity, Security and Risk Management from Atos Consulting

Introduction

• Achieving Restricted (IL3) accreditation of service is not easy

• Presentation covers experiences gained from achieving accreditation of Restricted (IL3) services for Atos

• Not an exhaustive list – just the highlights

Before You Start …

• Review your solution against:

  • CESG Architectural Patterns
  • CESG Good Practice Guides
  • IS Standards

• Check that your ISO 27001 Certification is:

  • Current
  • Suitably scoped
  • UKAS Certified (recognized)

• CESG like compliancy matrices against the relevant GPGs

• Read the PSN Code

Key Security Controls

• Make sure applications:

  • Address the OWASP Top Ten
  • Think about limiting concurrent logins
  • Think about defense in depth
    • Input Validation
    • Parameterized Stored Procedures
    • Output Validation

• Manage Out-of-Band
  • Separate Interface
  • Not via the Internet

• Lock everything down against Industry Guides (Centre for Internet Security)

• Use CPA approved or Common Criteria Approved products

Support

• Keep it in the UK at Restricted (IL3)

• Use secure protocols
  • SSH
  • HTTPS

• Use dedicated support terminals

• CESG approved encryption across insecure networks
  • Issue with approved products

• Support from the office – not via Internet/Remote Access

• Cleared staff
  • Another issue

Consider hosting in a pre-accredited Service

• A number of accredited ‘hosting’ environments:

  • Atos
  • Skyscape
  • Lockheed Martin
  • SCC

• Not all the same, each has its strengths and weaknesses

• Look at what you get against your needs:
  • Internet Connection
  • PSN Connection
  • Support Connections
  • Monitoring
  • Patching
  • Disaster Recovery
  • Protective Monitoring

Things that catch you out ….

• Staff Clearances
  • Cabinet Office will clear small number
  • SC for privileged users

• Key Material for CAPS products
  • No easy route to gain
  • No real alternative

• Penetration Tests
  • Recent – a test that is many months old is no good

• Single vulnerability allowing inter-network connection

• CESG Design Review

The PGA is ….

• Risk averse

• Well briefed

• Has a lot of backup

• Aligned with CESG Guidance

Thank You