Secure by Standards
The DevSecOps Backbone
DevSecOps is changing the culture of security and risk. Rather than bolting security on at the end of the development process in response to a failed assessment, security is architected into the design phase before the first line of code is written. Organizations can then produce predictable, repeatable outcomes that meet or exceed their risk management framework. So which security standards should form the core foundation of your DevSecOps process?
In today’s mobile-first society, identity, mobile, and cloud are the fundamental building blocks of modern IT systems. A DevSecOps process for a project that serves information already in the public domain to anonymous or self-registering users requires only a reasonable baseline level of security. For scenarios involving more sensitive content, the requirements rise on all three fronts: the identity of each user must be validated and the digital identity appropriately challenged; the mobile device, mobile operating system, and mobile app must protect the sensitive content at rest while the device is disconnected and offline, and protect the data in transit; and the cloud system must provide controls for accessing, processing, transmitting, and storing the data commensurate with the sensitivity of the content and its use.
Perhaps the most challenging aspect of mobile computing going forward centers on how much trust an organization must, or is willing to, place in the claim that the digital identity of a mobile user truly belongs to the physical person it purports to be. Sophisticated cyber attacks have exposed the personal data of hundreds of millions of people, so identity attributes alone are a weak proof of who someone is. At the most basic level, every organization needs a method to:
Challenge and Verify Users’ assertion of identity
Authorize and Federate trusted, validated users appropriately
The best current foundational guidance for defining graduated levels of identity assurance is NIST Special Publication (SP) 800-63-3, which separates the problem into three independently selectable levels: Identity Assurance Level (IAL) for identity proofing, Authenticator Assurance Level (AAL) for the strength of the authentication itself, and Federation Assurance Level (FAL) for the assertions passed between identity providers and relying parties.
Modern mobile computing consists of four main components: the hardware phone or tablet device, the mobile Operating System (OS), the mobile app, and, in most enterprise environments, a Mobile Device Management (MDM/UEM) tool. Although there are many competing standards for evaluating security and risk, governments around the world have agreed on a shared evaluation framework known as the Common Criteria (ISO/IEC 15408), under which products are evaluated against published Protection Profiles that define minimum security requirements for a product type. Within the U.S. Defense and Intelligence Communities, Common Criteria evaluation is one of the prerequisites for trusting that “CLASSIFIED” data and content can be safely stored, accessed, and shared with vetted employees or partner nation-state coalition members, as required.
The National Information Assurance Partnership (NIAP) is responsible for the U.S. implementation of the Common Criteria; products that pass evaluation against a NIAP Protection Profile are listed on the NIAP Product Compliant List. Mobile components that are additionally approved for building classified solutions appear on NSA’s Commercial Solutions for Classified (CSfC) Components List. In October 2017, DoD mandated that all managed mobile apps that support mission use or store, process, access, or transmit Controlled Unclassified Information (CUI) must be compliant with the NIAP Protection Profile for Application Software (App PP).
Mission Mobility Vendors have been independently verified and validated against Common Criteria/NIAP.
In December 2010, the Office of Management and Budget issued the federal “Cloud First” policy, requiring government organizations to make every reasonable effort to move new (or existing) systems to the cloud. Shortly thereafter the White House released its Federal Cloud Computing Strategy and created a new program, the Federal Risk and Authorization Management Program (FedRAMP), to assess the security controls implemented by commercial Cloud Service Providers (CSPs), and the residual vulnerabilities, against the confidentiality, integrity, and availability of the data they host.
At its core, FedRAMP publishes a set of security baselines, drawn from the NIST SP 800-53 control catalog, that CSPs can elect to implement in order to receive a positive assessment. FedRAMP is not binary: it is not a single pass/fail scenario. FedRAMP is structured in tiers corresponding to the FIPS 199 impact levels, so CSPs may elect to be assessed against whichever level best aligns with their capabilities and corporate objectives. In addition to the FedRAMP Low, Moderate, and High baselines, the Department of Defense assesses its own Impact Levels (IL2 through IL6), which align with the sensitivity of the DoD data involved and the degree of DoD network access required, as defined in the DoD Cloud Computing Security Requirements Guide (SRG).