Cloud Security

Cloud Security

The Microsoft Cloud Services Working Group brought ND-ISAC members together with Microsoft subject matter experts to elaborate common challenges, understand features, and provide updates on Microsoft Cloud Services roadmap. The Microsoft Reference Identity Architecture for US Defense Industrial Base is a result of months of collaboration among the Microsoft Cloud Services Working Group. It provides the group’s consensus on common challenges coupled with guidance on potential ways to overcome those challenges.

The following provides frequently asked questions were developed by the DIB SCC Cloud Working Group. They are provided to assist organizations with implementing cloud solutions.

What is CDI/CUI and how do I tell if my data is considered CDI/CUI?
CDI stands for Covered Defense Information and CUI stands for Controlled Unclassified Information. The two are often used interchangably with CUI taking precedence.

Who is considered a US Person or a Non-US Person?

US Citizens and Greencard holders are considered US Persons.

How do I determine which cloud service providers are certified for which types of data?

Consult your service provider to help determine whether their compliance offerings are suitable for you.

What does the cloud shared responsibility model and what does it imply in terms of my cloud implementation?

The shared responsibility model implies that thorough security and compliance in the cloud is achieved through customers understanding where their security obligations are in the cloud and what security measures are handled by their service provider. The customer assumes responsibility and management of the guest operating system (including updates and security patches), other associated application software as well as the configuration of the service provider provided security group firewall. A service provider is responsible for protecting the infrastructure that runs all of the services offered in their cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run as a part of the service provider’s cloud services. In a nutshell, the service provider is responsible for the security of the cloud, while the customer is responsible for security in the cloud.

What is multifactor authentication and why is it important?

Multifactor authentication (MFA) is a security system that requires more than one method of authentication from a set of credentials to verify the user’s identity for a login or other transaction. These credentials are: What the user knows (password), what the user has (security token) and what the user is (biometric verification). In short, it’s something you know, something you have and something you are.

Importance: MFA is important because it creates layers of defense and makes it more difficult for an unauthorized person to access a target such as a physical location, computing device, network or database. If one factor is compromised or broken, the attacker still has at least one more barrier to breach before successfully breaking into the target.

Examples of MFA: Security tokens, soft tokens, mobile authentication, GPS smartphones, biometric authentication methods such as retina scans, iris scans fingerprint scans, finger vein scans, facial recognition, voice recognition, hand geometry and even earlobe geometry.

Use cases: MFA is used to protect Covered Defense Information called out by DFARS clause 252.204-7012 which requires compliance with NIST SP 800-171 (MFA controls: 3.5.3 & 3.7.5)

What are some best practice approaches for implementing multifactor authentication (MFA)?

Multifactor authentication (MFA) needs can change depending on the size and scope of the implementation. However, the points below should be considered.

Combining MFA with Single-Sign-On (SSO)
1. Harden your security posture by combining MFA with other solutions such as single sign-on (SSO) and least privilege access.
Implementing MFA across the enterprise
2. MFA should be implemented across all privileged users, cloud and on-prem applications, VPN, server login and privilege elevation. This helps protect against unauthorized access, data breaches and password-based cyber-attacks.
Ensure MFA Consistency
3. Enterprises must maintain consistency by following industry standard protocols when implementing security across cloud components.
4. Don’t stick to 2 Factor authentication. Depending on the situation, it may be worth considering having three, or even four factor authentication. The more factors you require, the difficult it becomes for malicious users to gain unauthorized access. However, more factors may result in a great inconvienience for your end users.

What is the FedRAMP Program?

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
For more information on the authorization process and when authorization is need, refer to the FedRAMP website’s FAQ page.

Where can I find FedRAMP authorized vendors?

Refer to the FedRAMP Marketplace webpage to determine which vendors and products are FedRAMP authorized.

How do I determine if my vendor is certified to DoD IL4 for processing “special” CUI?

The Defense Information System Agency (DISA) issues Authorizations under the DISA Impact Levels. DISA maintains a catalog of Cloud services offered at available impact levels. The list is visible by expanding the “Standard Offering” box.

What are the specific controls that are required for DoD IL4?

DISA defines Impact Levels as well as security compliance necessary to meet the corresponding Impact Level in the DoD Cloud Computing Security Requirements Guide (SRG) available publicly from the DoD Cyber Exchange.

Am I secure as long as I use FedRAMP authorized vendors?

No, systems and services you build on top of the CSO must be secured at minimum to the requirents of the data types stored, proocessed or transfmitted in the environment.

How do I tell what services meet FedRAMP?

Consult the FedRAMP Marketplace to help identify which service providers have received their authorization. Furthermore, a detailed discussion with the service provider is needed to determine which specific services are covered under their authorization.

What should I include in my contract with cloud vendors to best address cloud security?

There is no one size fits all cloud pro forma for every organization. However, when developing and signing agreements with cloud vendors the folowing items should be considered:

1. What cybersecurity framework(s) the vendor utilizes
2. Background checks of vendor personnel are in place
3. Regular vendor personnel cybersecurity training
4. Regular review of cybersecurity artifacts provided by vendor (audits, 3rd party penetration test reports)
5. Vendor disclosure of open source software used
6. Establish vendor cybersecurity POCs and processes ahead of incidents
7. Limitation of vendor access to systems and data to only those neccessary for performance of the scope of work
8. Limitation of vendor data collection to scope of work
9. Review service limitations with enterprise user base

Where can I find clauses in my contract on breaches, data spills and notifications?
What is a cyber breach?

An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or that constitutes a violation or imminent threat of violating security policies, security procedures, or acceptable use policies.

How should a breach be handled?
What is a data spill?

Data Spillage
Security incident that results in the transfer of classified information onto an information system not authorized to store or process that information.

Classified Information Spillage
Security incident that occurs whenever classified data is spilled either onto an unclassified information system or to an information system with a lower level of classification or different security category.

What measures should be implemented to reduce the likely hood of data spills?
Where can I find foundational information specific to cloud security?

Vendor Agnostic:

Cloud Service Provider (CSP) Specific Guidance:

NIST SP 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations) references a shared security model. How can I find out what a CSP is responsible for securing and what customers are responsible for securing?

The shared security model concept includes responsibilities for both CSPs and customers in maintaining security compliance. Generally, CSPs are responsible for the security of the cloud infrastructure while customers are for ensuring consumed resources securely configured and maintained securely. Responsibilities are CSP specific and customers will need to review CSP specific guidance for standards compliance and service specific documentation to understand their responsibilities.

I am only using my cloud environment for development and proof of concept activities. I am still responsible for securing non-production resources to the same standard as production environments?

Regulatory compliance for computing environments depends on the data stored, processed, or transmitted in the environment. If your environment is in support of a DoD contract, and is considered CDI or Controlled Technical Information (CTI)–a subcategory of Controlled Unclassified Information (CUI)–then all applicable controls apply, no matter which environment (sandbox, dev, test, QA, prod).

If you are unsure about the data stored, processed or transmitted through your environment you should seek written clarification from the contracting officer.

My IT group has been tasked with moving our on-premises datacenter to the cloud. Where can I find foundational information on cloud migration strategies?

There a various paths to facilitate a migration to a CSP. Specific guidance will depend on the specific CSP selected. There are a number of high level planning and strategy documents available from commercial sources.

One example from MITRE is available at:

When am I required to use a government specific cloud or cloud region like AWS GovCloud or Azure Government?

The DISA Cloud Computing SRG describes Impact Levels and protection requirements. According to the SRG, IL4 data, which includes CUI, requires FedRAMP Moderate PA + additional controls/enhancements (or FedRAMP High) and limiting system access to US Citizens, US Nationals, or US Persons (ADP-1). AWS GovCloud and Azure Government meet these ADP-1 requirements and many of the same commercial CSP services are available on the government clouds/regions at the FedRAMP high level. A list of FedRAMP approved services is available at the link below.

Please note that classified information is not approved for processing in standard government regions. Please consult your CSP account manager for additional information regarding options for processing classified information.

What data types can be processed in non-government commercial clouds?

The DISA Cloud Computing SRG describes Impact Levels and protection requirements. According to the SRG, IL2 data includes public data and data NOT designated as CUI and may be processed on FedRAMP Moderate clouds like AWS and Azure commercial offerings.